CVE-2023-46319
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass access controls on WALLIX Bastion's network access administration web interface, exposing sensitive information. It affects organizations using WALLIX Bastion 9.x before 9.0.9 and 10.x before 10.0.5.
💻 Affected Systems
- WALLIX Bastion
📦 What is this software?
WALLIX Bastion is a privileged access management (PAM) product: it brokers, authenticates and records administrator sessions to the systems behind it. The affected component is its web-based network access administration interface, so the information it holds (targets, accounts, access policies) is by design sensitive.
⚠️ Risk & Real-World Impact
Worst Case
An unauthenticated attacker who can reach the administration interface reads network administration data from the bastion. Because the bastion brokers privileged access to the systems behind it, that data can be used to plan further attacks against the bastion itself and the infrastructure it protects.
Likely Case
Unauthenticated attackers access sensitive configuration data, user information, or network access policies, leading to information disclosure and potential credential harvesting.
If Mitigated
If the administration interface is reachable only from trusted administrator networks, only an attacker already on those networks can exploit the bypass, and the realistic outcome is information disclosure from the bastion itself rather than internet-facing exposure.
🎯 Exploit Status
The CVE description states that the interface can be reached without authentication, so exploitation most likely requires nothing more than crafted HTTP requests to the administration endpoints. No public proof-of-concept is referenced on this page; treat the issue as trivially exploitable wherever the interface is reachable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.9 for 9.x, 10.0.5 for 10.x
Vendor Advisory: https://www.wallix.com/support/alerts/
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the WALLIX support portal.
2. Back up the current configuration.
3. Apply the patch following the WALLIX documentation.
4. Restart the bastion services.
5. Verify that the reported version is updated.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Restrict network access to the bastion administration interface to trusted administrator networks. Prefer enforcing this on an upstream firewall; if you add rules on the appliance itself, note that local changes may be unsupported by the vendor and lost on upgrade. The ACCEPT rule must come before the DROP rule, and because -A appends, first confirm with `iptables -L INPUT -n --line-numbers` that no earlier rule already accepts the port.
# [admin_port]: port of the administration web interface; [trusted_ips]: administrator subnet(s), e.g. 10.10.0.0/24
iptables -A INPUT -p tcp --dport [admin_port] -s [trusted_ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [admin_port] -j DROP
Reverse Proxy with Authentication
All platforms: Place a reverse proxy that enforces its own authentication (for example client certificates or SSO) in front of the bastion administration interface, and make sure the bastion accepts connections only from the proxy; if the bastion is still directly reachable, the proxy adds nothing because an attacker simply connects to the bastion instead.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the bastion administration interface from untrusted networks.
- Enable comprehensive logging and monitoring for unauthorized access attempts to the administration interface.
🔍 How to Verify
Check if Vulnerable:
Check the WALLIX Bastion version via the web interface or CLI. If version is 9.x < 9.0.9 or 10.x < 10.0.5, the system is vulnerable.
Check Version (the REST endpoint and the local command are given here as on this page; confirm both against your appliance's documentation, and drop --no-check-certificate once the certificate is trusted):
wget --no-check-certificate -qO- https://localhost:443/api/version || wallix-admin --version
Verify Fix Applied:
Confirm that the running version is 9.0.9 or later on the 9.x line, or 10.0.5 or later on the 10.x line. Then confirm that an unauthenticated request to the network access administration interface is rejected (redirected to the login page or answered with 401/403) rather than served.
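The range check above, as an added example (not WALLIX code): it parses the version string reported by the appliance and decides whether it falls inside the affected ranges, returning None for a major line the advisory does not cover so that nobody silently assumes "safe". The assumption that the version endpoint answers with a JSON object carrying a `version` member is mine; adjust `check_api_response` to whatever your appliance actually returns.

```python
# Added example, not WALLIX code: evaluate a reported WALLIX Bastion version
# against the CVE-2023-46319 affected ranges (9.x < 9.0.9, 10.x < 10.0.5).
import json
import re
from typing import Optional, Tuple

# First fixed release per major line, taken from the advisory.
FIXED_IN = {9: (9, 0, 9), 10: (10, 0, 5)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from strings such as '9.0.8' or
    'WALLIX Bastion 10.0.4.2' and return it as a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no dotted version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it is at or
    past the fix, None if the major line is not covered by the advisory
    (e.g. 8.x or 11.x) so the caller does not silently assume 'safe'."""
    version = parse_version(text)
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so extra components are handled:
    # (9, 0, 9, 1) > (9, 0, 9) and (9, 1) > (9, 0, 9) are both fixed,
    # while (10, 0, 4) < (10, 0, 5) is vulnerable.
    return version < fixed


def check_api_response(body: str) -> Optional[bool]:
    """Assumed (not vendor-documented) reply shape: a JSON object with a
    'version' member. Change the key if your appliance answers differently."""
    return is_vulnerable(str(json.loads(body)["version"]))


if __name__ == "__main__":
    import sys
    # Pipe the version endpoint's body in, e.g.
    #   wget --no-check-certificate -qO- https://<bastion>/api/version | python3 check.py
    verdict = check_api_response(sys.stdin.read())
    print({True: "VULNERABLE", False: "fixed", None: "major line not covered"}[verdict])
```

The comparison is done on integer tuples rather than on strings so that 9.0.10 sorts after 9.0.9; a naive string comparison would call 9.0.10 vulnerable.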
📡 Detection & Monitoring
Log Indicators:
- Requests to administration endpoints that are served (HTTP 200) although the request carries no authenticated session or user
- Successful responses on endpoints that return sensitive data, with no matching login or session-creation event for that client beforehand
- Failed authentication from a client followed shortly by successful access to administration endpoints from the same client
Network Indicators:
- HTTP requests to administration endpoints without session cookies or authentication headers (visible only where TLS is terminated, e.g. at a reverse proxy or load balancer, not on the wire)
- Requests to the administration interface from sources that are not known administrator networks, or at unusual volume
SIEM Query (illustrative; the source name, field names and URL paths are placeholders to map onto your own log schema, since the advisory names no concrete endpoints):
source="wallix_bastion" AND (url_path="/admin/network*" OR url_path="/api/network*") AND auth_status="unauthenticated" AND response_code=200
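The logic behind the query above and the "failed authentication then success" indicator, as an added example (not a WALLIX artifact), run over constructed JSON-lines log records. The administration path prefixes are placeholders taken from the query, the record schema (ts, src, path, status, user, event) is an assumption, and the sample records are made up with RFC 5737 documentation addresses.

```python
# Added example, not a WALLIX artifact: detection logic for the two indicators
# above, applied to constructed JSON-lines log records. The administration path
# prefixes are placeholders (the advisory names no concrete endpoints) and the
# record fields (ts, src, path, status, user, event) are an assumed schema.
import json
from datetime import datetime, timedelta
from typing import Dict, List, Optional

ADMIN_PREFIXES = ("/admin/network", "/api/network")  # assumed placeholders
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample records; nothing here is real traffic.
SAMPLE_LOG = [
    '{"ts": "2024-01-10T09:00:00", "src": "203.0.113.7", "method": "GET", "path": "/api/network/policies", "status": 200, "user": ""}',
    '{"ts": "2024-01-10T09:00:05", "src": "198.51.100.4", "method": "GET", "path": "/api/network/policies", "status": 200, "user": "admin"}',
    '{"ts": "2024-01-10T09:01:00", "src": "203.0.113.9", "event": "auth_failure", "user": "admin"}',
    '{"ts": "2024-01-10T09:02:00", "src": "203.0.113.9", "method": "GET", "path": "/admin/network/hosts", "status": 200, "user": ""}',
    '{"ts": "2024-01-10T09:03:00", "src": "203.0.113.7", "method": "GET", "path": "/api/network/policies", "status": 401, "user": ""}',
    '{"ts": "2024-01-10T09:30:00", "src": "203.0.113.9", "method": "GET", "path": "/api/network/policies", "status": 200, "user": "audit"}',
]


def parse_record(line: str) -> Dict:
    record = json.loads(line)
    record["ts"] = datetime.fromisoformat(record["ts"])
    return record


def is_admin_path(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in ADMIN_PREFIXES)


def detect(lines: List[str]) -> List[Dict]:
    """Return one alert dict per rule hit.

    unauthenticated_admin_200: an HTTP 200 on an administration path with no
        authenticated user on the record (the SIEM query above).
    auth_failure_then_admin_200: an authentication failure from a source
        followed within CORRELATION_WINDOW by a 200 on an administration path
        from the same source (the 'failed auth then success' indicator).
    """
    alerts: List[Dict] = []
    last_failure: Dict[str, datetime] = {}
    records = sorted((parse_record(line) for line in lines), key=lambda r: r["ts"])
    for r in records:
        if r.get("event") == "auth_failure":
            last_failure[r["src"]] = r["ts"]
            continue
        if not (is_admin_path(r.get("path", "")) and r.get("status") == 200):
            continue
        base = {"src": r["src"], "path": r["path"], "ts": r["ts"].isoformat()}
        if not r.get("user"):
            alerts.append({"rule": "unauthenticated_admin_200", **base})
        failed_at: Optional[datetime] = last_failure.get(r["src"])
        if failed_at is not None and r["ts"] - failed_at <= CORRELATION_WINDOW:
            alerts.append({"rule": "auth_failure_then_admin_200", **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample records this raises three alerts: two for unauthenticated 200s (203.0.113.7 and 203.0.113.9) and one for 203.0.113.9 failing authentication at 09:01 and then being served an administration page at 09:02; the 401 and the authenticated requests stay quiet. The same 200 can trip both rules, which is intended: a correlated hit deserves a higher severity than either signal alone.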