CVE-2021-40066: Incorrect access controls in Secure Access read-only API.
Absolute has released a server update for Secure Access v11.x and v12.x to remove a low severity incorrect access control vulnerability in the Secure Access /webservice API. Customers should upgrade to either version v11.76 or v12.14 servers as soon as is practical. In addition, customers should verify that their Secure Access Servers are behind a commercial firewall and only the VPN port is exposed to untrusted networks. The default port for the VPN is UDP 5008. If you have changed the default VPN port, ensure only that VPN port is exposed.
Download the updated versions of Secure Access Servers from our customer portal, or contact support for assistance. Consult the v11.73 and v12.14 documentation for guidance on securely configuring your Secure Access deployment.
CVE-2021-40066 is common to the v11x optional Analytics module’s server and the Secure Access Server console on v12.0 through v12.12. Any attacker with a valid NTLM credential and access to the effected components can read from the /webservice API. For a credential to be considered ‘valid’, the server on which the Analytics module runs or the server on which the NMS runs must be joined to a domain for which the attacker has credentials OR the attacker must have a valid local username and password on that server. Access to that API should be limited to members of the local Administrators group; in v12x this group is manually configurable. The API shows information on the current status of pool servers, devices, users, and sessions.
For an attack to succeed, the following two things must be true:
- The attacker must have either access to a local account on the server or have access to a domain credential in a domain trusted by the server.
- The administrator must have disregarded our recommendations for secure systems deployment as described in the 11.70 and 12.10 documentation by exposing a management interface to an untrusted network.
Customers who have not followed Absolute's recommendations (v11.76 and v12.14) for the secure configuration and deployment of their Secure Access Servers, and who have exposed access to the Analytics module or the server console web server to untrusted networks or IP addresses, are particularly vulnerable to this attack.
All customers should download and install updated versions of either the v11.x or v12.x servers to fix the vulnerability.
For more information, please contact securit[email protected] or [email protected]