Genius Bytes – Genius Server v. 3.2.2 – Multiple vulnerabilities
28-04-2020
Remote Command Execution
Affected product and version: Genius Server v. 3.2.2
CVE: CVE-2019-16652
Executive Summary
A critical vulnerability was discovered in Genius Server v. 3.2.2. An authenticated function allows an attacker with administrative privileges to execute arbitrary commands on the server.
Description
The Genius CDDS application is vulnerable to remote command execution through the “BPMEditor” functionality. An administrative user can create a new BPM object containing the “Script” component, which executes Python code supplied by the user. Because the script can import Python's standard process and OS modules (the system libraries), the feature can be abused to obtain remote command execution on the server.
Remediation: Upgrade to Genius Server version 3.2.8
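The practical question for an operator who cannot upgrade immediately is which stored “Script” components already reach into process-spawning modules. The following audit helper is an added example, not code from the advisory or from the vendor's product: it parses each component's Python source with the standard ast module and flags the imports and builtins that commonly turn "run Python" into "run OS commands". The module list, the component names and the sample scripts are constructed for illustration; a real export of BPM objects would replace SAMPLE_COMPONENTS.

```python
"""Audit helper for stored BPM "Script" components (added example, not
part of the advisory or of Genius Server).  The dangerous-module list and
the sample scripts below are assumptions constructed for illustration."""
from __future__ import annotations

import ast

# Standard-library modules whose import in a workflow script is a red flag.
DANGEROUS_MODULES = frozenset({
    "os", "subprocess", "pty", "shutil", "socket", "ctypes", "importlib", "sys",
})
# Builtins that let a script compile or import code it did not declare up front.
DANGEROUS_BUILTINS = frozenset({"eval", "exec", "compile", "__import__"})


def audit_script(source: str) -> list[str]:
    """Return one finding per dangerous import or call; empty list if clean."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A script that does not parse still deserves a look: report, don't skip.
        return [f"unparseable script: {exc.msg} (line {exc.lineno})"]

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                # "import os.path" still binds the os package, so check the root.
                if alias.name.split(".")[0] in DANGEROUS_MODULES:
                    findings.append(f"line {node.lineno}: import {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            if module.split(".")[0] in DANGEROUS_MODULES:
                names = ", ".join(a.name for a in node.names)
                findings.append(f"line {node.lineno}: from {module} import {names}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            # Direct calls to eval/exec/compile/__import__ by name.
            if node.func.id in DANGEROUS_BUILTINS:
                findings.append(f"line {node.lineno}: call to {node.func.id}()")
    return findings


def audit_components(components: dict[str, str]) -> dict[str, list[str]]:
    """Audit a {component_name: source} mapping; return only components with findings."""
    report = {}
    for name, source in components.items():
        findings = audit_script(source)
        if findings:
            report[name] = findings
    return report


# Constructed sample scripts standing in for exported BPM "Script" components.
SAMPLE_COMPONENTS = {
    "approve_invoice": (
        "total = sum(item['amount'] for item in invoice['lines'])\n"
        "approved = total < 1000\n"
    ),
    "cleanup_step": "import subprocess\nsubprocess.run(['whoami'])\n",
    "archive_step": "from os import path, remove\nremove(path.join(tmpdir, 'x'))\n",
    "dynamic_step": "mod = __import__('o' + 's')\n",
    "broken_step": "def step(:\n",
}

if __name__ == "__main__":
    for name, findings in audit_components(SAMPLE_COMPONENTS).items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

This is a triage aid, not a sandbox: a script can reach the same modules through getattr on builtins, string-built names or attribute chains that this scan does not follow, and a determined administrator can always bypass it. The remediation remains the vendor's 3.2.8 release, with BPMEditor access restricted to administrators who are trusted with shell-equivalent power.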
Privilege Escalation
Affected product and version: Genius Server v. 3.2.2
CVE: CVE-2019-16653
Executive Summary
A critical vulnerability was discovered in Genius Server v. 3.2.2. An application plugin allows any authenticated user to gain administrative privileges.
Description
The Genius CDDS application plugins do not enforce proper permission management: all of them can be invoked by an unprivileged user (e.g. “myguest”). In particular, an unprivileged user is able to use the usrInternalUsrCRUD plugin to manage the application's users and thereby grant itself administrative privileges or create a new administrative user.
Remediation: Upgrade to Genius Server version 3.2.8
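The defect described above is missing function-level access control: the dispatcher authenticates the caller but never checks whether the caller's role is allowed to reach the requested plugin. The following is an added example, a hypothetical reconstruction of that pattern and its fix, not code from Genius Server: only the plugin name usrInternalUsrCRUD and the user name “myguest” come from the advisory; the role model, the permission table, the user store and the handler are assumptions constructed for illustration.

```python
"""Missing function-level access control on a plugin dispatcher.

Added example, not Genius Server code: the plugin name usrInternalUsrCRUD and
the user "myguest" are taken from the advisory; everything else is assumed."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed policy: plugin name -> roles allowed to invoke it.  Unlisted plugins are denied.
PLUGIN_PERMISSIONS = {
    "usrInternalUsrCRUD": frozenset({"admin"}),
    "reportViewer": frozenset({"admin", "user", "guest"}),
}


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Session:
    username: str
    roles: frozenset


def make_user_store() -> dict[str, set[str]]:
    """Constructed user database: one administrator and one unprivileged guest."""
    return {"admin": {"admin"}, "myguest": {"guest"}}


def usr_internal_usr_crud(store, action, username, roles):
    """Stand-in for the user-management plugin: create or update an account's roles."""
    if action not in ("create", "update"):
        raise ValueError(action)
    if action == "update" and username not in store:
        raise KeyError(username)
    store[username] = set(roles)
    return store[username]


def dispatch_unchecked(session, plugin, handler, *args):
    # Vulnerable pattern: being logged in is the only requirement; the
    # caller's roles are never compared against what the plugin needs.
    return handler(*args)


def dispatch_checked(session, plugin, handler, *args):
    # Fixed pattern: enforce the plugin's role requirement on every call and
    # deny by default for plugins that were never registered with a policy.
    allowed = PLUGIN_PERMISSIONS.get(plugin)
    if allowed is None or not (session.roles & allowed):
        raise PermissionDenied(f"{session.username} may not invoke {plugin}")
    return handler(*args)


def is_allowed(session, plugin) -> bool:
    """Policy check only: would dispatch_checked let this session reach the plugin?"""
    try:
        dispatch_checked(session, plugin, lambda: True)
    except PermissionDenied:
        return False
    return True


def guest_escalation(dispatch):
    """Replay the advisory's scenario: the guest rewrites its own roles.
    Returns the guest's roles afterwards, or 'denied' if the dispatcher refused."""
    store = make_user_store()
    guest = Session("myguest", frozenset({"guest"}))
    try:
        dispatch(guest, "usrInternalUsrCRUD", usr_internal_usr_crud,
                 store, "update", "myguest", {"admin"})
    except PermissionDenied:
        return "denied"
    return store["myguest"]


def guest_creates_admin(dispatch):
    """Second variant from the advisory: the guest creates a brand-new admin account.
    Returns the sorted user list afterwards, or 'denied'."""
    store = make_user_store()
    guest = Session("myguest", frozenset({"guest"}))
    try:
        dispatch(guest, "usrInternalUsrCRUD", usr_internal_usr_crud,
                 store, "create", "backdoor", {"admin"})
    except PermissionDenied:
        return "denied"
    return sorted(store)


if __name__ == "__main__":
    print("unchecked:", guest_escalation(dispatch_unchecked))
    print("checked:  ", guest_escalation(dispatch_checked))
```

The check belongs in the dispatcher, not in each plugin: a per-plugin check is exactly the kind of thing that is forgotten for one plugin, and the advisory's wording (all plugins usable by an unprivileged user) points at a central gap rather than a single plugin's oversight. Denying unregistered plugins by default means a newly added plugin is unreachable until someone writes its policy entry, which is the safe failure mode.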
Timeline:
19/09/2019 – Initial vendor contact
31/10/2019 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
06/03/2020 – Vendor released a fixed version (Genius Server 3.2.8)