Tufin Secure Change Remote Code Execution

Tufin SecureChange uses Richfaces version 4.3.5 which suffers from a remote code execution vulnerability.


MD5 | 2743f520f90c45673a1da076a342ebdf

####################################################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
####################################################################################
#
# Product: Secure Change
# Vendor: Tufin
# Subject: Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 10.0)
# Finder: Raphael Arrouas (https://www.linkedin.com/in/raphaelarrouas/)
# Coord: Stephane Grundschober (csirt _at_ swisscom.com)
# Date: July 15 2019
# Advisory URL: https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/scbb-2986-tufin-secure-change.txt
# Vendor advisory: https://portal.tufin.com/articles/SecurityAdvisories/RichFaces-Expression-Language-Injection-27-5-2019
# CVE: No CVE requested by Tufin
#
####################################################################################


Description
-----------
An unauthenticated Remote Code Execution vulnerability exists in Tufin SecureChange,
allowing an attacker to take control of the SecureChange server and potentially
affect all managed firewalls.

Affected Product
----------------
All TOS versions with SecureChange deployments are affected.
SecureTrack deployments are not affected for any TOS version.

Vulnerability
-------------
The SecureChange application uses Richfaces in version 4.3.5, which is vulnerable
to CVE-2015-0279, an unauthenticated RCE by expression language injection within
a serialized Java object. A web page exposing the vulnerability is accessible
without authentication, allowing unauthenticated attacker to execute arbitrary
Java code and compromise the server.

Remediation
-----------
TOS R19-1: The vulnerability fix is included in R19-1 HF1.1, released on May 27.
TOS R18-3: The vulnerability fix is included in R18-3 HF3.1, released on May 27.
TOS R18-2 and TOS R18-1: please contact support at [email protected]
Earlier versions of TOS: upgrade to R19-1 HF1.1 and above or R18-3 HF3.1 and above


Milestones
----------
2019-04-18 Discovery of the vulnerability, PoC and details communicated with Swisscom CSIRT
2019-04-21 Swisscom opens a support ticket at Tufin
2019-05-22 Tufin sends a security announcement to its customers
2019-05-27 Tufin releases Hotfixes correcting the issue
2019-05-29 Embargo agreed until 8th of July 2019
2019-07-15 Advisory published


Credits
-------
We would like to thank Raphaël Arrouas for his research
and responsible disclosure through Swisscom's Bug Bounty program
https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
as well as Tufin for the development of the hotfix.


Related Posts