NOVEMBER 2024
CVE-2024-XXXXX – Disabled / Expired useraccount bypass
A CRITICAL vulnerability (rated 9.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L) has been discovered in WALLIX Bastion and WALLIX Access Manager.
A CVE number has been requested, and we are currently awaiting its assignment.
Summary
|
Product
|
Feature
|
Vulnerability details
|
Impact
|
How to check if I use that feature
|
|
WALLIX Bastion
|
User authentication with SSH key stored in LDAP or Active Directory
|
WALLIX Bastion does not check Expired or Disabled flags.
|
User may be able authenticate on the WALLIX Bastion and to access to their SSH targets
|
In Configuration > Authentication Domains > Active Directory or LDAP, SSH public key attribute is defined
|
|
WALLIX Bastion
|
User authentication with X.509 certificate stored in LDAP or Active Directory
|
WALLIX Bastion does not check Expired or Disabled flags.
|
User may be able to authenticate on the WALLIX Bastion GUI and to access their targets
|
Both conditions below hold:
|
|
WALLIX Access Manager
|
User authentication with X.509 certificate stored in Active Directory
|
WALLIX Access Manager does not check Expired flags.
|
User may be able to authenticate on the WALLIX Access Manager GUI and to access their targets
|
In global organization, Configuration > Domains > Select LDAP Domain, Allow X509 Cert. Authentication is checked
|
Note: WALLIX Access Manager does not support user authentication with X.509 certificate stored in LDAP.
Note: WALLIX Access Manager does not enable user authentication with SSH key.
Note: User credentials (SSH private key or X.509 private key associated to the certificate) must be valid.
WALLIX recommends to immediately apply the published fixes, or before it is applied, the workarounds described below.
Affected Products
Bastion:
-
All WALLIX Bastion 12.0 versions up to 12.0.3 included
-
All WALLIX Bastion 11.0
-
All WALLIX Bastion 10.1, 10.2, 10.3, 10.4
-
All WALLIX Bastion 10.0 up to 10.0.9 included
-
All WALLIX Bastion 9.0, 9.1
-
All previous WALLIX Bastion may be affected
Access Manager:
-
WALLIX Access Manager 5.1.0
-
All WALLIX Access Manager 5.0 versions
-
All WALLIX Access Manager 4.4 versions
-
All WALLIX Access Manager 4.0 versions up to 4.0.7 included
-
All previous WALLIX Access Manager may be affected
Indicator of Compromise
Check the authentication log on WALLIX Bastion and WALLIX Access Manager to ensure that no disabled or expired accounts have been used.
Workarounds
Expired and Disabled account:
For WALLIX Bastion and WALLIX Access Manager, remove SSH key or certificate hash stored in the Active Directory or LDAP user account.
X.509 certificate may also be revoked if CRL are properly configured in WALLIX Bastion and WALLIX Access Manager
Disabled account only:
If you cannot remove SSH keys or X.509 certificate inside Active Directory:
-
WALLIX Bastion, go to Configuration > Configuration Options > Global > (Advanced options) > Ldap attributes and add:
-
“userAccountControl” for Active Directory
-
“krbPasswordExpiration” for FreeIPA.
-
-
WALLIX Access Manager is not affected by this vulnerability
Fixed Software
-
WALLIX Bastion 12.0.4, available now https://updates.wallix.com/bastion/bastion-12.0.4.iso
-
WALLIX Access Manager 5.1.1, available now https://updates.wallix.com/accessmanager/accessmanager-5.1.1.1.iso
-
WALLIX Bastion 10.0.10, available November 22nd
-
WALLIX Access Manager 4.0.8, available November 22nd
Exploitation and Public Announcements
WALLIX is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
However, it is recommended to look for any abnormal activity on the WALLIX Bastions.
DECEMBER 2023
Potential sensitive information disclosure CVE-2023-49961
SUMMARY
A vulnerability has been discovered in the WALLIX products that may allow an attacker to access sensitive information. The attacker could use this vulnerability to gain illegitimate accesses.
WALLIX recommends to immediately apply the published fixes, or before it is applied, the workaround described below.
Affected Products
All supported versions of WALLIX Bastion and Access Manager as an appliance.
Workarounds
The following article of our knowledge base provides you with the mitigation procedure.
- Access Manager As Appliance: https://wallix.lightning.force.com/lightning/r/Knowledge__kav/ka0Sb00000007O5IAI/view
- Bastion: https://wallix.lightning.force.com/lightning/r/Knowledge__kav/ka0Sb00000005irIAA/view
Fixed Software
Hotfixes versions and patches are available on our download portal:
-
Bastion 9.0.9 : https://cloud.wallix.com/index.php/s/DBkJWdtsPjW7BSn (SHA256: dc5e3fda310a94cd54835800718cc1ec02084a126f79c82dde465eff40d698a4 )
-
Bastion 10.0.5 : https://cloud.wallix.com/index.php/s/PYjdncJSTaEBRSg (SHA256: 65cdc9b49dfa2160a4a8489fd1c61cad1a48444dbb86cb4a9ac0f4ff527d1197 )
Exploitation and Public Annoncements
WALLIX is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
However, it is recommended to look for any abnormal activity on the WALLIX Bastions and WALLIX Access Manager. It is recommended also to ensure that Bastion and Access Manager firewall are enabled.
FEBRUARY 2023
Access Manager privilege escalation CVE-2023-23592
February 2023
Access Manager privilege escalation CVE-2023-23592
SUMMARY
A vulnerability has been discovered in the WALLIX Access Manager product that may allow an attacker to access sensitive information. The attacker could use this vulnerability to gain illegitimate accesses.
WALLIX recommends to immediately apply the published fixes, or before it is applied, the workaround described below.
Affected Products
All versions of WALLIX Access Manager.
Workarounds
The following article of our knowledge base provides you with the workaround procedure.
https://support.wallix.com/s/article/How-can-I-mitigate-CVE-2023-23592
Fixed Software
Hotfixes versions are available on our download portal:
Exploitation and Public Announcements
WALLIX is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. However, it is recommended to look for any abnormal activity on the WALLIX Bastions that are connected to WALLIX Access Manager. In particular it is recommended to look for unusual IP used by privileged users that may be used by multiple user accounts.
Source
Internal security checks
DECEMBER 2021
Log4J remote code execution vulnerability (CVE-2021-44228)
SUMMARY
Alibaba Cloud Security Team published a vulnerability in log4j, a common Java logging library on the 9th of December 2021. (CVE-2021-44228) This vulnerability allows for unauthenticated remote code execution on Java applications.
Affected Products
All versions of WALLIX Access Manager
Workarounds
The default configuration of WALLIX Access Manager prevents from exploiting the said vulnerability on the login field.
However, in order to prevent any possibility to find an exploit in the event of a modification of the default configuration of the WALLIX Access Manager, the WALLIX team proposes a patch which deactivates the faulty class of the log4j library.
This patch applies to all releases of Access Manager from 2.0 version on.
The following article of our knowledge base provides you with the access to the patch as well as the procedure to install it.
https://support.wallix.com/s/article/CVE-2021-44228-Mitigation-procedure
Fixed Software
An update of the Log4J version is planned alongside the Access Manager version 3.0.11.
This version is planned to be released by the end of December 2021.
Exploitation and Public Announcements
WALLIX is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. However, it is recommended to look for any abnormal activity on the WALLIX Bastions that are connected to WALLIX Access Manager. In particular it is recommended to look for creation of new users or authorizations especially since the publication of the CVE
Source
Alibaba Cloud Security Team published a vulnerability in log4j, a common Java logging library on the 9th of December 2021. (CVE-2021-44228)
JANUARY 2021
Sudo Privilege Escalation affecting WALLIX Products – CVE-2021-3156
SUMMARY
The Qualys Research Team has discovered a heap overflow vulnerability in sudo (CVE-2021-3156), any local unprivileged user can gain root privileges on a vulnerable host using a default sudo configuration by exploiting this vulnerability.
sudo can only be exploited locally. This means that either :
- The user is connected on the WALLIX Bastion, through the wabadmin account, on the administration interface. This user can then exploit sudo to become root and bypass all securities of WALLIX Bastion
- A Remote Code Exploitation (RCE) vulnerability exists in another piece of WALLIX software or third party, that will provides a local shell. After successfully exploiting this vulnerability, the attacker will be able to exploit sudo to become root. To WALLIX knowledge, an up-to-date Bastion does not have such vulnerability
Affected Products
- All versions prior to WALLIX Bastion 8.0.6 (included)
- All versions 8.1 and 8.2
Workarounds
There is no workaround to this vulnerability
Fixed Software
This vulnerability is fixed from the WALLIX Bastion 8.0.7 on, and 7.0.14 on.
- A Fix Patch is available for version 8.0.6 and before (it applies for 8.1 and 8.2 versions)
- A Fix patch is available for version 7.0.13 and before
These elements are available on our download site : WALLIX Support: Patches
Exploitation and Public Announcements
WALLIX is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
On January 26, 2021, Qualys publicly disclosed this vulnerability in a security bulletin at the following link: https://blog.qualys.com
WALLIX SUPPORT & SERVICES
FOLLOW US
