Genius Bytes – Genius Server v. 3.2.2 – Multiple vulnerabilities

    28-04-2020

    Remote Command Execution

    Affected product and version: Genius Server v. 3.2.2

    CVE: CVE-2019-16652

    Executive Summary
    A critical vulnerability was discovered in Genius Server v. 3.2.2.
    An authenticated function allows an attacker with administrative privileges to execute arbitrary commands.

    Description
    The Genius CDDS application is vulnerable to RCE through the “BPM Editor” functionality.
    An administrative user can create a new BPM object composed of the “Script” component, which allows Python code to be executed.
    The feature can be abused through the use of system libraries in order to achieve remote command execution.

    Remediation: Upgrade to Genius Server version 3.2.8

    References
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16652
    https://www.geniusbytes.com/

    Discoverer: Fabiano Golluscio


    Privilege Escalation

    Affected product and version: Genius Server v. 3.2.2

    CVE: CVE-2019-16653

    Executive Summary
    A critical vulnerability was discovered in Genius Server v. 3.2.2.
    An application plugin allows the authenticated user to gain admin privileges.

    Description
    The Genius CDDS application plugins do not have proper permission management, as they can all be used by an unprivileged user (e.g. “myguest”).
    In detail, an unprivileged user is able to use the usrInternalUsrCRUD plugin in order to manage the application users and gain admin privileges, or to create a new administrative user.
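    The missing control described above is an authorization check between "the caller is authenticated" and "the plugin runs". The following Python is an added illustration, not Genius Server code: a toy plugin dispatcher with the vulnerable behaviour (any authenticated account may invoke any plugin) beside a hardened dispatcher that applies a default-deny role check and writes an audit record for every decision. The user store, the role names, the "admin" account, the grant/revoke stand-in for usrInternalUsrCRUD and the function names are all constructed for this example; only the plugin name and the "myguest" account come from the advisory.

```python
"""Default-deny authorization for plugin invocation.

Added illustration, not Genius Server code. It models the flaw behind
CVE-2019-16653 (any authenticated user could invoke administrative
plugins such as usrInternalUsrCRUD) with a toy dispatcher and shows the
role check a dispatcher must apply before running a plugin. The user
store, role names and the 'admin' account are constructed; the
'myguest' account name and the plugin name come from the advisory.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed user store: account name -> set of roles.
USERS: Dict[str, Set[str]] = {
    "admin": {"administrator"},
    "myguest": {"guest"},
}


class AuthorizationError(PermissionError):
    """Raised when the caller lacks the role a plugin requires."""


class PluginDispatcher:
    def __init__(self) -> None:
        # plugin name -> (handler, roles permitted to invoke it)
        self._plugins: Dict[str, Tuple[Callable[..., object], Set[str]]] = {}
        self.audit_log: List[str] = []

    def register(self, name: str, allowed_roles: Set[str]):
        """Decorator that registers a plugin with the roles allowed to call it."""
        def decorator(fn: Callable[..., object]):
            self._plugins[name] = (fn, set(allowed_roles))
            return fn
        return decorator

    def invoke_unchecked(self, caller: str, name: str, *args):
        """Vulnerable pattern: being authenticated is enough to run any plugin."""
        handler, _ = self._plugins[name]
        return handler(*args)

    def invoke(self, caller: str, name: str, *args):
        """Hardened pattern: deny unknown plugins, then require an allowed role."""
        entry = self._plugins.get(name)
        if entry is None:
            self.audit_log.append(f"DENY {caller} -> {name}: unknown plugin")
            raise AuthorizationError(f"{name}: no such plugin")
        handler, allowed = entry
        if not (USERS.get(caller, set()) & allowed):
            self.audit_log.append(f"DENY {caller} -> {name}: requires {sorted(allowed)}")
            raise AuthorizationError(f"{caller} may not invoke {name}")
        self.audit_log.append(f"ALLOW {caller} -> {name}")
        return handler(*args)


dispatcher = PluginDispatcher()


@dispatcher.register("usrInternalUsrCRUD", allowed_roles={"administrator"})
def usr_internal_usr_crud(action: str, target: str, role: str) -> Set[str]:
    """Toy stand-in for the user-management plugin: grant or revoke a role."""
    roles = USERS.setdefault(target, set())
    if action == "grant":
        roles.add(role)
    elif action == "revoke":
        roles.discard(role)
    else:
        raise ValueError(f"unknown action {action!r}")
    return set(roles)


def guest_self_promotion(checked: bool) -> bool:
    """Return True if 'myguest' ends up holding the administrator role.

    checked=False uses the vulnerable dispatcher; checked=True uses the gate.
    """
    USERS["myguest"] = {"guest"}  # reset between runs
    call = dispatcher.invoke if checked else dispatcher.invoke_unchecked
    try:
        call("myguest", "usrInternalUsrCRUD", "grant", "myguest", "administrator")
    except AuthorizationError:
        pass
    return "administrator" in USERS["myguest"]


def admin_can_manage_users() -> bool:
    """The legitimate administrative path still works through the gate."""
    USERS["myguest"] = {"guest"}
    roles = dispatcher.invoke("admin", "usrInternalUsrCRUD", "grant", "myguest", "operator")
    return roles == {"guest", "operator"}


def unknown_plugin_denied() -> bool:
    """Default deny: a plugin that was never registered cannot be invoked."""
    try:
        dispatcher.invoke("admin", "doesNotExist")
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    print("unchecked dispatcher, guest becomes admin:", guest_self_promotion(checked=False))
    print("checked dispatcher, guest becomes admin:  ", guest_self_promotion(checked=True))
    print("admin path still works:", admin_can_manage_users())
    print("unknown plugin denied:", unknown_plugin_denied())
    print(*dispatcher.audit_log, sep="\n")
```

    The DENY lines in the audit log are the detection hook: a non-administrative account attempting usrInternalUsrCRUD is exactly the pattern this advisory describes, and logging the refusal makes the attempt visible rather than silently failing.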

    Remediation: Upgrade to Genius Server version 3.2.8

    References
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16653
    https://www.geniusbytes.com/

    Discoverer: Fabiano Golluscio


    Timeline:
    19/09/2019 – Initial vendor contact
    31/10/2019 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
    06/03/2020 – Vendor released a fixed version (Genius Server 3.2.8)