CVE-2021-40067: Incorrect access controls in Secure Access read-write API.
Absolute has released a server update for Secure Access v12.x to remove a medium severity incorrect access control vulnerability in the Secure Access /webcontrol API. Customers who hold a valid v12 license and who have manually enabled the /webcontrol API should upgrade to version v12.14 servers as soon as is practical. In addition, customers should verify that their Secure Access Servers are behind a commercial firewall and only the VPN port is exposed to untrusted networks. The default port for the VPN is UDP 5008. If you have changed the default VPN port, ensure only that VPN port is exposed.
Download the updated versions of Secure Access Servers from our customer portal, or contact support for assistance. Consult the v12.14 documentation for guidance on securely configuring your Secure Access deployment.
CVE-2021-40067 is specific to v12.0 through v12.12 servers. The /webcontrol API contains controls for reading and modifying the current state of devices, users, groups, and connections. Any user with a valid NTLM credential can read and write to the /webcontrol API on the Secure Access Server if it has been manually enabled. The API is disabled by default. For a credential to be considered ‘valid’, the server on which the NMS console runs must be joined to a domain for which the attacker has credentials OR the attacker must have a valid local username and password on that server. Access to /webcontrol should be limited to members of the Administrators group or other group configured in the Management Tool.
For an attack to succeed, the following three things must be true:
- The administrator must have enabled the api. It is disabled by default.
- The attacker must have either access to a local account on the server or have access to a domain credential in a domain trusted by the server.
- The administrator must have disregarded our recommendations for secure systems deployment as described in the 11.70 and 12.10 documentation by exposing a management interface to an untrusted network.
Customers who have enabled the API, who have not followed Absolute's recommendations (v11.70 and v12.10) for the secure configuration and deployment of their Secure Access Servers, and who have exposed access to the server console to untrusted networks or IP addresses, are particularly vulnerable to this attack.
Customers who have manually enabled the /webcontrol API should download and install Secure Access v12.14 servers to fix the vulnerability.
For more information, please contact [email protected] or [email protected]