Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Tufin Secure Change Remote Code Execution Exploit

🗓️ 27 Jul 2019 00:00:00Reported by Stephane GrundschoberType 
zdt
 zdt🔗 0day.today👁 67 Views

Tufin Secure Change RCE vulnerability using Richfaces 4.3.5, affecting all TOS version

Related
Code
####################################################################################
#
# Product:  Secure Change
# Vendor:   Tufin
# Subject:  Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 10.0)
# Finder:   Raphael Arrouas (https://www.linkedin.com/in/raphaelarrouas/)
# Coord:    Stephane Grundschober (csirt _at_ swisscom.com)
# Date:     July 15 2019
# Advisory URL: https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/scbb-2986-tufin-secure-change.txt
# Vendor advisory: https://portal.tufin.com/articles/SecurityAdvisories/RichFaces-Expression-Language-Injection-27-5-2019
# CVE:      No CVE requested by Tufin
#
####################################################################################


Description
-----------
An unauthenticated Remote Code Execution vulnerability exists in Tufin SecureChange, 
allowing an attacker to take control of the SecureChange server and potentially
affect all managed firewalls.

Affected Product
----------------
All TOS versions with SecureChange deployments are affected. 
SecureTrack deployments are not affected for any TOS version.

Vulnerability
-------------
The SecureChange application uses Richfaces in version 4.3.5, which is vulnerable 
to CVE-2015-0279, an unauthenticated RCE by expression language injection within 
a serialized Java object. A web page exposing the vulnerability is accessible
without authentication, allowing unauthenticated attacker to execute arbitrary 
Java code and compromise the server. 

Remediation
-----------
TOS R19-1: The vulnerability fix is included in R19-1 HF1.1, released on May 27.
TOS R18-3: The vulnerability fix is included in R18-3 HF3.1, released on May 27.
TOS R18-2 and TOS R18-1: please contact support at [email protected]
Earlier versions of TOS: upgrade to R19-1 HF1.1 and above or R18-3 HF3.1 and above


Milestones
----------
2019-04-18   Discovery of the vulnerability, PoC and details communicated with Swisscom CSIRT
2019-04-21   Swisscom opens a support ticket at Tufin
2019-05-22   Tufin sends a security announcement to its customers
2019-05-27   Tufin releases Hotfixes correcting the issue
2019-05-29   Embargo agreed until 8th of July 2019
2019-07-15   Advisory published


Credits
-------
We would like to thank Raphaël Arrouas for his research
and responsible disclosure through Swisscom's Bug Bounty program
https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
as well as Tufin for the development of the hotfix.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Jul 2019 00:00Current
0.3Low risk
Vulners AI Score0.3
CVSS 26.8
EPSS0.02504
tufin securechangerichfaces 4.3.5cve-2015-0279unauthenticated rceswisscom csirthotfixes
67