Dionis-NX-series

Product
Developers: Factor-TS
Last Release Date: 2019/11/28
Branches: Information security
Technology: Information Security - Firewalls, Information Security - Encryption Tools, Routers

Dionis-NX hardware and software complexes are designed for use as routers, crypto routers, firewalls, and intrusion detection and prevention systems. All functions corresponding to these roles are fully implemented within a single software package installed on each Dionis-NX product.

2025: Russian NGFW Dionis-NX can be hacked with command injection. There is an exploit

In the twentieth of September, FSTEC sent a warning about the discovery of a critical vulnerability, BDU:2025-05696[1], in the Dionis-NX firewall manufactured by the Russian company Factor-TS. The vulnerability is rated critical: 9.8 out of 10. FSTEC notes that an exploit exists for the discovered vulnerability.

The manufacturer fixed the vulnerability in version 2.0-5 (build of 09.08.2025), and FSTEC experts recommend that all users of the product upgrade to it.

The vulnerability of the firewall remote management service is very dangerous for the entire enterprise infrastructure

Dionis-NX can be used as a router, crypto router, firewall, and intrusion detection and prevention system, so it can be classified as a next-generation firewall (NGFW). All functions corresponding to these roles are implemented within a single software package installed on each Dionis-NX product, which is delivered as a hardware and software complex (PAC); the software can also be delivered separately as a virtual machine. PAC Dionis-NX is registered in the register of the Ministry of Digital Development under No. 9895. The same product also has FSTEC certification (No. 3530), but the certificate mentions only products made in the form of a PAC and does not apply to the virtual machine.

The vulnerability, which was identified by security researcher Kirill Ivanov, allows an attacker to inject an operating system command (CWE-78), elevate privileges to the administrative (root) level and execute arbitrary code. However, it is present only when the solution is delivered as a virtual machine. The error is in the DIWEB service of the Dionis-NX virtual machine: when creating it, the developers did not implement all the necessary checks on the arguments passed to the command.

"The DIWEB service is designed for remote access to the Dionis-NX web interface," Marat Khakimyanov, leading engineer of Gazinformservice, clarified to TAdviser readers. "Compromise of the firewall is a very serious information security violation. By gaining access to the firewall, the intruder can see the entire network, as well as quietly make changes to network policies, providing more and more opportunities to compromise other systems. However, it is worth noting that the vulnerability applies only to the virtual version of Dionis-NX. And in most cases, software and hardware complexes are introduced into state bodies and financial organizations."

It should be noted that all FSTEC certificates for the Dionis-NX firewall cover only the PAC, while the detected error affects the version of Dionis-NX delivered as a virtual machine. The vulnerable DIWEB service is used for remote administration, so it is likely to be found on external perimeters, but this is a rather niche application.

"Dionis is used where Russian firewalls with up-to-date certificates and tolerances are required: the public sector, state information systems and related circuits, CII subjects, part of the operator and corporate infrastructure with a course on import substitution," Anatoly Peskovsky, head of the security analysis department of Informzaschita, explained the situation with the firewall to TAdviser. "In real landscapes, it is found both on the perimeter and in intersegment filtering zones, and in a number of projects it also closes remote administration functions through DIWEB. Globally, this is not a massive consumer product, but for its niches the presence is noticeable and the geography in Russia is wide."

Anatoly Peskovsky recommended that users of the vulnerable Dionis-NX virtual machine perform the following actions:

  • enable telemetry and change control: record administration sessions, alert on external processes started under service accounts, and correlate suspicious sequences such as command separator characters in requests to DIWEB;
  • disable all unused services on the Dionis-NX virtual machine;
  • move DIWEB to a separate VLAN segment that is not externally accessible;
  • allow administrative access to the device only from whitelisted intermediate nodes and only over secure connections;
  • do not publish the admin panel on the Internet;
  • perform the update;
  • strengthen credentials: use unique passwords, enable multi-factor authentication for administrators, and rotate passwords after updates.
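
One way to implement the first recommendation's check for command separator characters in requests to DIWEB, as an added example that is not code from the article or from the vendor. It assumes the requests are logged in Combined Log Format by a proxy in front of the admin interface; the paths, parameter names and sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed input: Combined Log Format from a proxy in front of the admin UI.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# Shell command separators and substitution syntax, matched after decoding.
SEPARATORS = re.compile(r'[;|&`\n\r]|\$\(|\$\{')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%253B -> %3B -> ;)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_fields(target):
    """Return (field, decoded value) pairs that contain a separator."""
    parts = urlsplit(target)
    # parse_qsl splits on the raw '&' first, so the normal parameter
    # delimiter is not flagged, only an encoded one inside a value.
    fields = [("path", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    hits = []
    for name, raw in fields:
        value = fully_decode(raw)
        if SEPARATORS.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Group suspicious requests by source address for correlation."""
    alerts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for name, value in suspicious_fields(m["target"]):
                alerts[m["ip"]].append((m["ts"], name, value))
    return dict(alerts)

# Constructed sample lines; the paths and parameter names are hypothetical.
SAMPLE = [
    '192.0.2.10 - admin [21/Sep/2025:10:01:02 +0300] "GET /example/status?iface=eth0&verbose=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Sep/2025:10:02:11 +0300] "GET /example/diag?host=10.0.0.1%3Bid HTTP/1.1" 200 87',
    '198.51.100.7 - - [21/Sep/2025:10:02:15 +0300] "GET /example/diag?host=10.0.0.1%257Cid HTTP/1.1" 200 90',
]
```

`scan(SAMPLE)` returns the hits grouped by source address. A legitimate value that contains an encoded `&` or `;` will also be reported, so the output is a triage input to correlate with the process and session telemetry, not a verdict.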

2019: JaCarta Key Compatibility

On November 28, 2019, Aladdin R.D. announced that, together with the research and production enterprise Factor-TS, it had completed compatibility testing of the two companies' products.

As part of the testing, the companies' specialists confirmed that JaCarta electronic keys work correctly with the Dionis-NX hardware and software complex version 2.0, the MGK key generation module and the DioPost mail client version 6.

According to the compatibility certificates, JaCarta PKI, JaCarta-2 GOST, JaCarta-2 PKI/GOST and JaCarta LT USB tokens and smart cards can be used with the DioPost mail client and the MGK key generation module when using the JaCarta Single Client software version 2.12 or higher. The tests were conducted on Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10.

Compatibility with the Dionis-NX 2.0 PAC is confirmed for the electronic keys JaCarta-2 GOST, JaCarta-2 PKI/GOST, JaCarta-2 PRO/GOST and JaCarta SF/GOST.

Notes