####################################################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
####################################################################################
#
# Product:  Secure Change
# Vendor:   Tufin
# Subject:  Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 10.0)
# Finder:   Raphael Arrouas (https://www.linkedin.com/in/raphaelarrouas/)
# Coord:    Stephane Grundschober (csirt _at_ swisscom.com)
# Date:     July 15 2019
# Advisory URL: https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/scbb-2986-tufin-secure-change.txt
# Vendor advisory: https://portal.tufin.com/articles/SecurityAdvisories/RichFaces-Expression-Language-Injection-27-5-2019
# CVE:      No CVE requested by Tufin
#
####################################################################################


Description
-----------
An unauthenticated Remote Code Execution vulnerability exists in Tufin SecureChange, 
allowing an attacker to take control of the SecureChange server and potentially
affect all managed firewalls.

Affected Product
----------------
All TOS versions with SecureChange deployments are affected. 
SecureTrack deployments are not affected for any TOS version.

Vulnerability
-------------
The SecureChange application uses Richfaces in version 4.3.5, which is vulnerable 
to CVE-2015-0279, an unauthenticated RCE by expression language injection within 
a serialized Java object. A web page exposing the vulnerability is accessible
without authentication, allowing unauthenticated attacker to execute arbitrary 
Java code and compromise the server. 

Remediation
-----------
TOS R19-1: The vulnerability fix is included in R19-1 HF1.1, released on May 27.
TOS R18-3: The vulnerability fix is included in R18-3 HF3.1, released on May 27.
TOS R18-2 and TOS R18-1: please contact support at support@tufin.com
Earlier versions of TOS: upgrade to R19-1 HF1.1 and above or R18-3 HF3.1 and above


Milestones
----------
2019-04-18   Discovery of the vulnerability, PoC and details communicated with Swisscom CSIRT
2019-04-21   Swisscom opens a support ticket at Tufin
2019-05-22   Tufin sends a security announcement to its customers
2019-05-27   Tufin releases Hotfixes correcting the issue
2019-05-29   Embargo agreed until 8th of July 2019
2019-07-15   Advisory published


Credits
-------
We would like to thank Raphaël Arrouas for his research
and responsible disclosure through Swisscom's Bug Bounty program
https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
as well as Tufin for the development of the hotfix.