
Genius Bytes – Genius Server V. 3.2.2 – Multiple Vulnerabilities

28-04-2020

Remote Command Execution

Affected product and version: Genius Server v. 3.2.2

CVE: CVE-2019-16652

Executive Summary
A critical vulnerability was discovered in Genius Server v. 3.2.2.
An authenticated function allows an attacker holding administrative privileges to execute arbitrary operating-system commands on the server.

Description
The Genius CDDS application is vulnerable to RCE through the "BPM Editor" functionality.
An administrative user can create a new BPM object containing the "Script" component, which executes Python code on the server.
Because that code has access to the Python standard library (for example the OS and process-spawning modules), the feature can be abused to run arbitrary operating-system commands on the host.
The vulnerability requires an administrative account: on its own it lets an administrator of the web application cross into OS-level execution on the underlying server; chained with CVE-2019-16653 (below), that path becomes reachable by any authenticated user.
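The following audit script is an added example and is not Genius Bytes code. It assumes the Python bodies of the "Script" components have been exported as plain text (for instance from a database dump of the BPM objects); the sample bodies are constructed. It walks each body's AST and flags imports of OS-level modules as well as the dynamic constructs (`__import__`, `eval`, `importlib.import_module`) that defeat a plain text search for "import os".

```python
"""Audit exported BPM "Script" bodies for code that can reach the host OS.

Added example, not Genius Bytes code. It assumes the Python bodies of the
Script components have been exported as plain text (e.g. from a database
dump of the BPM objects); the sample bodies below are constructed.
"""
from __future__ import annotations

import ast

# Standard-library modules that give a script direct reach into the host
# (process spawning, file system, loader, network, deserialisation).
OS_MODULES = {
    "os", "subprocess", "sys", "ctypes", "socket", "shutil", "pty",
    "importlib", "multiprocessing", "signal", "pickle",
}
# Builtins that turn a runtime string into code or a module, which is how a
# script dodges a naive "grep for import os" review.
DYNAMIC_BUILTINS = {"eval", "exec", "__import__", "compile", "open"}


def audit_script(source: str) -> list[str]:
    """Return one finding string per suspicious construct (empty = clean)."""
    try:
        tree = ast.parse(source)
    except SyntaxError as err:
        # A body that does not parse still deserves a human look.
        return [f"unparseable script (syntax error at line {err.lineno})"]
    findings: list[str] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in OS_MODULES:
                    findings.append(f"import {alias.name} (line {node.lineno})")
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if root in OS_MODULES:
                names = ", ".join(a.name for a in node.names)
                findings.append(f"from {node.module} import {names} (line {node.lineno})")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in DYNAMIC_BUILTINS:
                findings.append(f"call to {func.id}() (line {node.lineno})")
            elif isinstance(func, ast.Attribute) and func.attr == "import_module":
                findings.append(f"call to import_module() (line {node.lineno})")
    return findings


def audit_all(scripts: dict[str, str]) -> dict[str, list[str]]:
    """Audit a name -> source mapping; keep only the scripts with findings."""
    result: dict[str, list[str]] = {}
    for name, src in scripts.items():
        findings = audit_script(src)
        if findings:
            result[name] = findings
    return result


# Constructed sample bodies, not taken from any real Genius Server instance.
SAMPLE_SCRIPTS = {
    "approve_invoice": "total = ctx['amount'] * 1.22\nctx['approved'] = total < 1000\n",
    "notify_ops": "import subprocess\nsubprocess.run(['/bin/sh', '-c', ctx['cmd']])\n",
    "obfuscated": "m = __import__('o' + 's')\nm.system(ctx['cmd'])\n",
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SCRIPTS).items():
        print(name, "->", "; ".join(findings))
```

Treat the output as a triage list for incident response, not as a sandbox: Python cannot be made safe by denying a list of names, so the remediation remains the vendor upgrade and restricting who may author BPM objects.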

Remediation: Upgrade to Genius Server version 3.2.8

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16652
https://www.geniusbytes.com/

Discoverer: Fabiano Golluscio

Privilege Escalation

Affected product and version: Genius Server v. 3.2.2

CVE: CVE-2019-16653

Executive Summary
A critical vulnerability was discovered in Genius Server v. 3.2.2.
An application plugin allows any authenticated user to gain administrative privileges.

Description
The plugins of the Genius CDDS application lack proper permission management: every plugin can be invoked by an unprivileged user (e.g. "myguest").
In particular, an unprivileged user can invoke the usrInternalUsrCRUD plugin to manage application users, either promoting their own account to administrator or creating a new administrative account.
Combined with CVE-2019-16652 (above), this gives any authenticated user a path to operating-system command execution on the server.
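The pattern behind this finding, as an added example that is not Genius Bytes code: a plugin dispatcher that only checks "is the caller logged in", beside a deny-by-default dispatcher that requires a per-plugin minimum role looked up server-side. The request shape, the session dict, the in-memory user store and the plugin's actions are assumptions made for illustration; only the plugin name usrInternalUsrCRUD and the unprivileged user "myguest" come from the advisory.

```python
"""Per-plugin authorization, vulnerable dispatcher beside a hardened one.

Added example, not Genius Bytes code. The request shape, the session dict,
the in-memory user store and the plugin's actions are assumptions made for
illustration; only the plugin name usrInternalUsrCRUD and the unprivileged
user "myguest" come from the advisory.
"""
from __future__ import annotations


class Forbidden(Exception):
    """Raised when the caller may not invoke the requested plugin."""


def new_store() -> dict[str, str]:
    """Constructed user store: username -> role."""
    return {"admin": "admin", "myguest": "guest"}


def usr_internal_usr_crud(store: dict[str, str], action: str,
                          username: str, role: str = "guest") -> dict[str, str]:
    """Hypothetical user-management plugin: create a user or change a role."""
    if action not in ("create", "set_role"):
        raise ValueError(f"unknown action {action!r}")
    if action == "set_role" and username not in store:
        raise KeyError(username)
    store[username] = role
    return dict(store)


PLUGINS = {"usrInternalUsrCRUD": usr_internal_usr_crud}


def dispatch_vulnerable(store, session, plugin, **args):
    """Only checks that the caller is logged in: every plugin is reachable."""
    if not session.get("user"):
        raise Forbidden("login required")
    return PLUGINS[plugin](store, **args)


# Minimum role per plugin. A plugin missing from this table is unreachable.
PLUGIN_MIN_ROLE = {"usrInternalUsrCRUD": "admin"}
ROLE_RANK = {"guest": 0, "user": 1, "admin": 2}


def dispatch_hardened(store, session, plugin, **args):
    """Deny by default; the role comes from the server-side store, never the session."""
    user = session.get("user")
    if not user:
        raise Forbidden("login required")
    required = PLUGIN_MIN_ROLE.get(plugin)
    if required is None:
        raise Forbidden(f"no authorization policy for plugin {plugin!r}")
    role = store.get(user, "guest")
    if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
        raise Forbidden(f"{user} ({role}) may not invoke {plugin}")
    return PLUGINS[plugin](store, **args)


def demo() -> tuple[str, str]:
    """Return myguest's role after the same self-promotion request under each dispatcher."""
    guest = {"user": "myguest"}
    request = dict(plugin="usrInternalUsrCRUD", action="set_role",
                   username="myguest", role="admin")
    vuln = new_store()
    dispatch_vulnerable(vuln, guest, **request)
    hard = new_store()
    try:
        dispatch_hardened(hard, guest, **request)
    except Forbidden:
        pass
    return vuln["myguest"], hard["myguest"]


if __name__ == "__main__":
    print(demo())
```

Two design points matter here: the policy table is consulted before the plugin runs and an absent entry means denied, so a newly added plugin cannot be reachable by accident; and the role is read from the server-side store, so a client that adds a "role" claim to its own session gets nothing.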

Remediation: Upgrade to Genius Server version 3.2.8

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16653
https://www.geniusbytes.com/

Discoverer: Fabiano Golluscio

Timeline:
19/09/2019 – Initial vendor contact
31/10/2019 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
06/03/2020 – Vendor released a fixed version (Genius Server 3.2.8)
