SB2021092906 - Multiple vulnerabilities in F-Secure Internet Gatekeeper

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Code Injection (CVE-ID: CVE-2021-33601)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the web user interface. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Input validation error (CVE-ID: CVE-2021-33600)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an assertion failure in the web user interface within the "usernameL parameter. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame
• https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33601
• https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33600