VYPR
Unrated severity · NVD Advisory · Published Nov 17, 2022 · Updated Apr 30, 2025

CVE-2022-38165

Description

Arbitrary file write in F-Secure Policy Manager through 2022-08-10 allows unauthenticated users to write the file with the contents in arbitrary locations on the F-Secure Policy Manager Server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated arbitrary file write vulnerability in F-Secure Policy Manager allows attackers to write arbitrary content to arbitrary locations on the server.

Vulnerability

An arbitrary file write vulnerability exists in F-Secure Policy Manager through version 2022-08-10. An unauthenticated attacker can write a file with attacker-controlled contents to an arbitrary location on the Policy Manager Server. This issue was reported internally and no known exploit has been observed in the wild. The vulnerability affects the Policy Manager Server component, but the Policy Manager Proxy is not affected [1].

Exploitation

An unauthenticated attacker with network access to the F-Secure Policy Manager Server can send specially crafted requests to write a file with arbitrary contents to any path on the server file system. No authentication or prior access is required. The exact attack vector is not publicly detailed, but the advisory confirms that no authentication is needed to trigger the issue [1].

Impact

Successful exploitation allows an unauthenticated attacker to create or overwrite files anywhere on the F-Secure Policy Manager Server file system. This can lead to arbitrary code execution (e.g., by overwriting executables or configuration files), privilege escalation, or a complete compromise of the server's integrity and availability. The confidentiality of data may also be affected if the attacker can write files to sensitive locations [1].

Mitigation

WithSecure (formerly F-Secure) released Hotfix 4 to address this vulnerability. Administrators should download the hotfix from the WithSecure support portal and deploy it to the F-Secure Policy Manager. The hotfix and installation instructions are available at the official product support page [1]. No workaround is documented; applying the hotfix is the required remediation.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
