Identity One MorphoManager RCE

Product Identity One MorphoManager
Severity High
CVE Reference N/A
Type Design Flaws

Description

MorphoManager is a centralized platform designed to manage third-party biometric terminals for access control and time and attendance.

The system operates in a client-server model and offers server-discovery functionality as part of the solution. The discovery handler deserializes arbitrary input received over the network. An attacker who can reach the server can abuse this to achieve remote code execution with the privileges of the server component.

Impact

An attacker on the adjacent network can execute arbitrary code as SYSTEM using publicly available tools such as ysoserial.net, which generates .NET deserialization gadget-chain payloads; no custom exploit development is required. A proof-of-concept exploit will not be shared at this time.

Cause

The server passes network input to a .NET deserializer that reconstructs whatever object types the payload names, instead of parsing a strictly defined message type. This is the behaviour that ysoserial.net gadget chains exploit: code runs during deserialization itself, before the application ever inspects or casts the result.
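The following C# example is added here to illustrate the design flaw and its fix; it is not MorphoManager code, and the advisory does not name the serializer or wire format the product uses. The use of BinaryFormatter, the DiscoveryRequest type, and the field names are assumptions for illustration. The unsafe handler accepts any type the payload names; the hardened handler parses a fixed-shape document into a plain DTO and validates its fields.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

// Hypothetical discovery message. The real MorphoManager wire format is not
// documented in the advisory; this type is an assumption for illustration.
[Serializable]
public sealed class DiscoveryRequest
{
    public string ClientName { get; set; } = "";
    public int ProtocolVersion { get; set; }
}

public static class DiscoveryHandler
{
    // VULNERABLE (assumed pattern): BinaryFormatter instantiates whatever type
    // the payload names. A ysoserial.net gadget chain runs inside Deserialize()
    // before the cast below is reached, so the cast offers no protection.
    // Modern .NET (5+) warns on this call and .NET 8+ disables it by default.
    public static DiscoveryRequest HandleUnsafe(byte[] payload)
    {
        var formatter = new BinaryFormatter();
        using var ms = new MemoryStream(payload);
        return (DiscoveryRequest)formatter.Deserialize(ms);
    }

    // HARDENED: parse into a fixed DTO. System.Text.Json has no type-name
    // handling, so the input can only ever produce a DiscoveryRequest; any
    // other shape is rejected as malformed before any object graph is built.
    public static DiscoveryRequest HandleSafe(byte[] payload)
    {
        if (payload.Length > 1024)
            throw new InvalidDataException("discovery request too large");

        var options = new JsonSerializerOptions
        {
            PropertyNameCaseInsensitive = false,
            AllowTrailingCommas = false,
            MaxDepth = 8,
        };
        var request = JsonSerializer.Deserialize<DiscoveryRequest>(payload, options)
                      ?? throw new InvalidDataException("empty discovery request");

        // Semantic checks: the deserializer guarantees shape, not meaning.
        if (string.IsNullOrWhiteSpace(request.ClientName) || request.ClientName.Length > 64)
            throw new InvalidDataException("bad client name");
        if (request.ProtocolVersion < 1 || request.ProtocolVersion > 3)
            throw new InvalidDataException("unsupported protocol version");
        return request;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input, not captured traffic.
        byte[] good = Encoding.UTF8.GetBytes(
            "{\"ClientName\":\"kiosk-01\",\"ProtocolVersion\":2}");
        var req = DiscoveryHandler.HandleSafe(good);
        Console.WriteLine($"accepted {req.ClientName} v{req.ProtocolVersion}");

        // Constructed bytes resembling the start of a BinaryFormatter stream
        // header. The hardened handler rejects it as non-JSON without
        // instantiating anything; the unsafe handler would start decoding it.
        byte[] bad = { 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x00, 0x00 };
        try { DiscoveryHandler.HandleSafe(bad); }
        catch (JsonException) { Console.WriteLine("rejected non-JSON payload"); }
    }
}
```

The important design point is that the hardened path never lets the input choose the type being constructed; a SerializationBinder allow-list bolted onto BinaryFormatter is not an equivalent fix, because Microsoft documents BinaryFormatter as unsafe with any input it does not fully trust.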

Interim Workaround

Deploy network-based access controls (for example, a host firewall rule or a network ACL) in front of the server component so that only trusted client hosts can reach the discovery service; alternatively, install the client on the server itself so that client-server traffic never traverses the network. These measures reduce exposure but do not remove the flaw; apply the vendor patch as soon as possible.

Remediation

Apply the vendor-supplied update or patch, which is available for the following versions:

- Version 10.5.2 (or the latest version)
- Version 13.5.4 (or the latest version)
- Version 14.2.2 (or the latest version)

Detailed Timeline

Date Summary
2018-08-01 Vulnerability discovered
2019-10-23 Attempt to notify vendor (support@morphomanager.com - no response)
2019-11-08 Attempt to notify vendor (support@morphomanager.com - no response)
2019-11-12 Attempt to notify (LinkedIn)
2019-11-14 Call with vendor, issue reported and PoC provided
2019-12-02 Vendor confirms the vulnerability, makes a patch available for the latest version, and asks for a grace period to engineer patches for older versions
2019-12-17 Vendor communication to customers announcing patch availability for versions 10.5.2, 13.5.4 and 14.2.2
2020-01-27 Release