verinice uses Java serialization as a communication channel between client and server components. Frank Nusko of Secianus GmbH has found that the mechanism and framework being used is susceptible to exploits that can be used to cause execution of arbitrary code on the server component. The verinice.TEAM has confirmed the vulnerability.
Since this server component is also used in the standalone mode of verinice, it could theoretically be used for local attacks of the verinice client-only product by a malicious user. A malicious user on the same machine could execute arbitrary commands on the local host but with the permissions and context of the user running the verinice client. This second attack variant was not verified by us but as a cautionary measure we recommend all standalone-client users to install the available patch as well.
The vulnerability can be exploited to gain access to the underlying operating system, modify files, delete files and extract information, including all data in the verinice database.
An updated version of packages has been released to fix the issue. All users should install version 1.22.2 or later from the official repositories and/or the online shop:
Users of the verinice.PRO server should install the available RPM packages using their established update procedure.
Users of the verinice standalone client version will be offered to install the updated version during startup. If the automated update mechanism has been disabled by the user, the update can be manually triggered by accessing the following menu item:
Help -> Check for Updates
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)
A user with valid verinice application credentials (i.e. name and password) and network access to the HTTP(S) port (usually one of: 80/443/8080/8443) is required to execute the attack. The user does not need administrative privileges or any particular rights within verinice for the attack to work.
Reported by Frank Nusko, Secianus GmbH.
Advisory written by the verinice.TEAM of SerNet GmbH.
The verinice.TEAM provided the fix.
Please feel free to contact us – we're here to help you!
Our sales team will be happy to help you with any questions you may have about SerNet's verinice products and services - personally and tailored to your individual interests.
You can reach us directly by phone at +49 551 370000-0.
Send us an email at vertrieb@. sernet.de