Menü
Neler yeni

  • Gizli içerikleri açmak için anlamsız yorum yapmak, kışkırtıcı davranışlarda bulunmak ve link kısaltmak BAN sebebidir.

Tufin Secure Change Remote Code Execution Exploit

NasyoneL

NasyoneL

Mod Team Leader
Super Moderator
THS Helper
THS Elite (VIP)
Katılım
25 Ağu 2017
Mesajlar
40,664
Tepkime puanı
5,998
Puanları
108
Ödüller
3
Kod: 
####################################################################################
#
# Product:  Secure Change
# Vendor:   Tufin
# Subject:  Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 10.0)
# Finder:   Raphael Arrouas (https://www.linkedin.com/in/raphaelarrouas/)
# Coord:    Stephane Grundschober (csirt _at_ swisscom.com)
# Date:     July 15 2019
# Advisory URL: https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/scbb-2986-tufin-secure-change.txt
# Vendor advisory: https://portal.tufin.com/articles/SecurityAdvisories/RichFaces-Expression-Language-Injection-27-5-2019
# CVE:      No CVE requested by Tufin
#
####################################################################################
 
 
Description
-----------
An unauthenticated Remote Code Execution vulnerability exists in Tufin SecureChange, 
allowing an attacker to take control of the SecureChange server and potentially
affect all managed firewalls.
 
Affected Product
----------------
All TOS versions with SecureChange deployments are affected. 
SecureTrack deployments are not affected for any TOS version.
 
Vulnerability
-------------
The SecureChange application uses Richfaces in version 4.3.5, which is vulnerable 
to CVE-2015-0279, an unauthenticated RCE by expression language injection within 
a serialized Java object. A web page exposing the vulnerability is accessible
without authentication, allowing unauthenticated attacker to execute arbitrary 
Java code and compromise the server. 
 
Remediation
-----------
TOS R19-1: The vulnerability fix is included in R19-1 HF1.1, released on May 27.
TOS R18-3: The vulnerability fix is included in R18-3 HF3.1, released on May 27.
TOS R18-2 and TOS R18-1: please contact support at [email protected]
Earlier versions of TOS: upgrade to R19-1 HF1.1 and above or R18-3 HF3.1 and above
 
 
Milestones
----------
2019-04-18   Discovery of the vulnerability, PoC and details communicated with Swisscom CSIRT
2019-04-21   Swisscom opens a support ticket at Tufin
2019-05-22   Tufin sends a security announcement to its customers
2019-05-27   Tufin releases Hotfixes correcting the issue
2019-05-29   Embargo agreed until 8th of July 2019
2019-07-15   Advisory published
 
 
Credits
-------
We would like to thank Raphaël Arrouas for his research
and responsible disclosure through Swisscom's Bug Bounty program
https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
as well as Tufin for the development of the hotfix.
 
#  0day.today [2019-07-31]  #
 
Cevap yazmak için giriş yap yada kayıt ol.
Geri
Üst