Identity One MorphoManager RCE
Description
MorphoManager is a centralized platform designed to manage 3rd party biometric terminals for access control and time attendance.
The system operates in a client-server model and, as part of the solution, offers a server-discovery function. That function deserializes arbitrary input received over the network. By abusing it, an attacker can achieve remote code execution that runs with the privileges of the server component.
Impact
Attackers on the adjacent network can remotely execute arbitrary code as SYSTEM by using publicly available tools such as ysoserial.net. A proof-of-concept exploit will not be shared at this time.
Cause
The system deserializes arbitrary objects from network input instead of restricting deserialization to strictly defined data types.
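The C# sketch below is added here for illustration and is not MorphoManager's or the vendor's code. It contrasts the class of defect the advisory describes (a .NET formatter that reconstructs whatever type the remote peer names in the payload) with a handler that only knows how to build one fixed message type. The DiscoveryRequest type, its members, the size limits and the accepted protocol versions are all assumptions; the page does not state which serializer the product uses.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical discovery message: the only shape the server should accept.
public sealed class DiscoveryRequest
{
    public string ClientName { get; set; } = "";
    public int ProtocolVersion { get; set; }
}

public static class DiscoveryHandler
{
    // VULNERABLE PATTERN: BinaryFormatter instantiates whatever types the
    // sender names, so the whole object graph (and any code that runs while
    // those objects are rebuilt) is attacker-controlled. The same applies to
    // NetDataContractSerializer, SoapFormatter and LosFormatter. Microsoft's
    // guidance is to remove such calls, not to wrap them in a type binder.
    public static object HandleUnsafe(Stream networkInput)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete and insecure
        var formatter = new BinaryFormatter();
        return formatter.Deserialize(networkInput); // arbitrary object graph
#pragma warning restore SYSLIB0011
    }

    // HARDENED PATTERN: parse into one strictly defined DTO. The deserializer
    // can only construct DiscoveryRequest; there is no type name in the payload
    // to honour, so unexpected types cannot be created.
    public static DiscoveryRequest HandleStrict(byte[] networkInput)
    {
        // Bound the input before parsing anything (assumed limit).
        if (networkInput.Length > 1024)
            throw new InvalidDataException("discovery request too large");

        var options = new JsonSerializerOptions
        {
            MaxDepth = 4, // a flat message never needs deep nesting
            // Reject members we did not define (available on .NET 8 and later).
            UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
        };

        var req = JsonSerializer.Deserialize<DiscoveryRequest>(networkInput, options)
                  ?? throw new InvalidDataException("empty request");

        // Semantic validation on the typed result (assumed ranges).
        if (string.IsNullOrWhiteSpace(req.ClientName) || req.ClientName.Length > 64)
            throw new InvalidDataException("bad client name");
        if (req.ProtocolVersion < 1 || req.ProtocolVersion > 2)
            throw new InvalidDataException("unsupported protocol version");
        return req;
    }

    public static void Main()
    {
        // Constructed sample input for a local run.
        byte[] sample = Encoding.UTF8.GetBytes(
            "{\"ClientName\":\"lobby-terminal-01\",\"ProtocolVersion\":2}");
        var ok = HandleStrict(sample);
        Console.WriteLine($"accepted {ok.ClientName} v{ok.ProtocolVersion}");

        // Constructed input carrying a member the contract does not define;
        // the strict handler rejects it instead of interpreting it.
        byte[] extra = Encoding.UTF8.GetBytes(
            "{\"ClientName\":\"x\",\"ProtocolVersion\":2,\"$type\":\"System.Object\"}");
        try { HandleStrict(extra); }
        catch (Exception e) when (e is JsonException || e is InvalidDataException)
        { Console.WriteLine("rejected: " + e.GetType().Name); }
    }
}
```

For an existing .NET code base, the practical check is a search for the formatters named in the comment above on any code path fed by a socket or HTTP handler; each hit is a candidate for the defect class in this advisory regardless of whether a SerializationBinder is attached.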
Interim Workaround
Deploy network-based access controls in front of the server component of the solution, or install the client locally on the server so that the discovery traffic never crosses the network.
Remediation
Apply the update or patch that the vendor has made available for the following versions:
- Version 10.5.2 (or the latest version)
- Version 13.5.4 (or the latest version)
- Version 14.2.2 (or the latest version)