Identity One MorphoManager RCE

  • Published: 27 Jan 2020

Type

  • Design Flaws

Severity

  • High

Affected products

  • Identity One MorphoManager

CVE Reference

  • N/A

Timeline

  • 2018-08-01: Vulnerability discovered
  • 2019-10-23: Attempt to notify vendor (support@morphomanager.com, no response)
  • 2019-11-08: Attempt to notify vendor (support@morphomanager.com, no response)
  • 2019-11-12: Attempt to notify vendor (LinkedIn)
  • 2019-11-14: Call with vendor, issue reported and PoC provided
  • 2019-12-02: Vendor confirms vulnerability, makes a patch available (for the latest version) and asks for a grace period to engineer the patch for older versions
  • 2019-12-17: Vendor communication to their customers announcing the availability of the patch for versions 10.5.2, 13.5.4 and 14.2.2
  • 2020-01-27: Release

Description

MorphoManager is a centralized platform designed to manage third-party biometric terminals for access control and time attendance.

The system operates in a client-server model and offers server-discovery functionality as part of the solution. This functionality deserializes arbitrary input sent over the network. It is possible to abuse this feature to achieve remote code execution with the privileges of the server component.

Impact

Attackers on the adjacent network can remotely execute arbitrary code as SYSTEM using publicly available tools such as ysoserial.net. A Proof of Concept exploit will not be shared at this time.

Cause

The system deserializes arbitrary objects instead of relying on strictly defined data types.

Interim Workaround

Deploy network-based access controls in front of the server component of the solution; alternatively, install the client on the same host as the server so that discovery traffic does not cross the network.

Remediation

Apply the update or patch that the vendor has made available for the following versions:

  • Version 10.5.2 (or the latest version)
  • Version 13.5.4 (or the latest version)
  • Version 14.2.2 (or the latest version)