exploit the possibilities

Tufin Secure Change Remote Code Execution

Tufin Secure Change Remote Code Execution
Posted Jul 24, 2019
Authored by Stephane Grundschober

Tufin SecureChange uses Richfaces version 4.3.5 which suffers from a remote code execution vulnerability.

tags | advisory, remote, code execution
advisories | CVE-2015-0279
MD5 | 2743f520f90c45673a1da076a342ebdf

Tufin Secure Change Remote Code Execution

Change Mirror Download
####################################################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
####################################################################################
#
# Product: Secure Change
# Vendor: Tufin
# Subject: Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 10.0)
# Finder: Raphael Arrouas (https://www.linkedin.com/in/raphaelarrouas/)
# Coord: Stephane Grundschober (csirt _at_ swisscom.com)
# Date: July 15 2019
# Advisory URL: https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/scbb-2986-tufin-secure-change.txt
# Vendor advisory: https://portal.tufin.com/articles/SecurityAdvisories/RichFaces-Expression-Language-Injection-27-5-2019
# CVE: No CVE requested by Tufin
#
####################################################################################


Description
-----------
An unauthenticated Remote Code Execution vulnerability exists in Tufin SecureChange,
allowing an attacker to take control of the SecureChange server and potentially
affect all managed firewalls.

Affected Product
----------------
All TOS versions with SecureChange deployments are affected.
SecureTrack deployments are not affected for any TOS version.

Vulnerability
-------------
The SecureChange application uses Richfaces in version 4.3.5, which is vulnerable
to CVE-2015-0279, an unauthenticated RCE by expression language injection within
a serialized Java object. A web page exposing the vulnerability is accessible
without authentication, allowing unauthenticated attacker to execute arbitrary
Java code and compromise the server.

Remediation
-----------
TOS R19-1: The vulnerability fix is included in R19-1 HF1.1, released on May 27.
TOS R18-3: The vulnerability fix is included in R18-3 HF3.1, released on May 27.
TOS R18-2 and TOS R18-1: please contact support at support@tufin.com
Earlier versions of TOS: upgrade to R19-1 HF1.1 and above or R18-3 HF3.1 and above


Milestones
----------
2019-04-18 Discovery of the vulnerability, PoC and details communicated with Swisscom CSIRT
2019-04-21 Swisscom opens a support ticket at Tufin
2019-05-22 Tufin sends a security announcement to its customers
2019-05-27 Tufin releases Hotfixes correcting the issue
2019-05-29 Embargo agreed until 8th of July 2019
2019-07-15 Advisory published


Credits
-------
We would like to thank Raphaƫl Arrouas for his research
and responsible disclosure through Swisscom's Bug Bounty program
https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
as well as Tufin for the development of the hotfix.

Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close