| Product | Identity One MorphoManager |
|---|---|
| Severity | High |
| CVE Reference | N/A |
| Type | Design Flaws |
MorphoManager is a centralized platform for managing third-party biometric terminals used for access control and time and attendance.
The system operates in a client-server model and includes a server-discovery feature. The server-side handler for this feature deserializes whatever input it receives over the network, without restricting the object types that may be instantiated. An attacker can abuse this to achieve remote code execution with the privileges of the server component.
An attacker on an adjacent network can therefore execute arbitrary code as SYSTEM by sending a malicious serialized payload, for example one generated with publicly available tooling such as ysoserial.net. A proof-of-concept exploit will not be shared at this time.
Root cause: the server deserializes arbitrary object graphs instead of parsing strictly defined data types. Deserialization of untrusted input is exploitable whenever the attacker controls which types get instantiated, because gadget chains execute during deserialization itself, before any cast or validation in application code can run.
Restrict network access to the server component, for example with firewall rules that allow only trusted management hosts to reach it. Alternatively, install the client on the same host as the server so that discovery traffic never crosses the network.
Apply the vendor's patch, which is available for the following versions (or upgrade to the latest release):
- Version 10.5.2 (or the latest version)
- Version 13.5.4 (or the latest version)
- Version 14.2.2 (or the latest version)
| Date | Summary |
|---|---|
| 2018-08-01 | Vulnerability discovered |
| 2019-10-23 | Attempt to notify vendor (support@morphomanager.com; no response) |
| 2019-11-08 | Attempt to notify vendor (support@morphomanager.com; no response) |
| 2019-11-12 | Attempt to notify vendor via LinkedIn |
| 2019-11-14 | Call with vendor; issue reported and PoC provided |
| 2019-12-02 | Vendor confirms the vulnerability, makes a patch available for the latest version and asks for a grace period to engineer patches for older versions |
| 2019-12-17 | Vendor notifies its customers that patches are available for versions 10.5.2, 13.5.4 and 14.2.2 |
| 2020-01-24 | Advisory published |