GZ-SA-2023-001: Genian NAC - Multiple Vulnerabilities

Date

  • Aug 15, 2023

Severity

  • High

Summary

The following vulnerabilities were identified related to the Genian Update server(s):

  • Missing Encryption of Sensitive Data vulnerability (CVE-2023-40251)
  • Improper Control of Generation of Code (Code Injection) vulnerability (CVE-2023-40252)
  • Improper Authentication vulnerability (CVE-2023-40253)
  • Download of Code Without Integrity Check vulnerability (CVE-2023-40254)

Note

Server-side actions were taken to mitigate threats; however, customers running the version(s) mentioned below are advised to update to the fixed version(s) as soon as possible. Not updating may leave customers vulnerable and may also prevent customer policy servers from obtaining the latest updates from the Genian Update server infrastructure.

Affected Products

  • Genian NAC 5.0.42 LTS (Revision 117460 or lower)
  • Genian NAC 5.0.54 or lower
  • Genian ZTNA 6.0.15 or lower

Affected Components

  • Policy Server
  • Network Sensor
  • Agent

Resolution

The vulnerabilities described in this advisory can be addressed by upgrading to one of the versions listed below:

  • Genian NAC 5.0.42 LTS (Revision 117461 or higher)
  • Genian NAC 5.0.55 or higher
  • Genian ZTNA 6.0.16 or higher

Workaround

  • None