Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution

Title: Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution
Advisory ID: ZSL-2020-5565
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 24.04.2020
Summary
Apros Evolution / Furukawa / ConsciusMap is the Tecnored provisioning system for FTTH networks. It provides complete administration of the entire external FTTH network plant, from the ONUs installed at each end customer to the wiring and junction boxes, unifying management of the FTTH network on a single platform and bringing together all data, whether about customers, the network, or the external plant, in one place. APROS FTTH allows you to manage your entire FTTH network in a simple, globalized way with just one click, without being a network expert. It includes services such as bandwidth limitation, Turbo Internet for time-based plans, BURST Internet, QinQ for companies, and many more, together with real-time consumption graphs, both overall and per customer, and a captive portal for cutting off or suspending service.
Description
The FTTH provisioning solution suffers from an unauthenticated remote code execution vulnerability caused by unsafe deserialization of Java objects (the JSF ViewState) submitted via the 'javax.faces.ViewState' HTTP POST parameter. The deserialization can cause the vulnerable JSF web application to execute arbitrary Java functions, malicious Java bytecode, and system shell commands with root privileges.
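A defender-side check for the request pattern described above, added here as an example that is not part of the advisory or its furukawa.py PoC: it pulls the javax.faces.ViewState parameter out of captured form-encoded POST bodies and flags values that decode to a raw Java serialization stream (the 0xACED0005 header), which is exactly what a server would hand to ObjectInputStream, while encrypted/MACed client state or server-side tokens decode to something else. The sample bodies and the serialized java.lang.Integer stream are constructed, not captured from the product.

```python
import base64
import binascii
from urllib.parse import parse_qs

# First four bytes of every Java serialization stream (STREAM_MAGIC 0xACED, version 5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
VIEWSTATE_PARAM = "javax.faces.ViewState"

def extract_viewstate(body: str):
    """Return javax.faces.ViewState from a form-encoded POST body, or None if absent."""
    values = parse_qs(body, keep_blank_values=True).get(VIEWSTATE_PARAM)
    # parse_qs turns a literal '+' into a space; base64 has no spaces, so undo it.
    return values[0].replace(" ", "+") if values else None

def decode_base64(value: str):
    """Strict base64 decode; None when the value is not base64 at all."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_viewstate(value):
    """'raw-java-serialized': plain java.io stream the server deserializes as-is;
    'opaque': other base64 (encrypted/MACed state or a server-side token);
    'non-base64': e.g. Mojarra-style "123:456" ids; 'absent': no parameter."""
    if value is None:
        return "absent"
    raw = decode_base64(value)
    if raw is None:
        return "non-base64"
    return "raw-java-serialized" if raw.startswith(JAVA_SERIAL_MAGIC) else "opaque"

def flag_requests(bodies):
    """Indexes of captured bodies whose ViewState is a raw Java serialization stream."""
    return [i for i, b in enumerate(bodies)
            if classify_viewstate(extract_viewstate(b)) == "raw-java-serialized"]

# Constructed samples (not captured from the product): a serialized java.lang.Integer(42),
# an opaque blob standing in for encrypted state, a non-base64 token, and no ViewState.
SERIALIZED_INTEGER = (JAVA_SERIAL_MAGIC + b"sr\x00\x11java.lang.Integer\x12\xe2\xa0\xa4\xf7\x81"
                      b"\x87\x38\x02\x00\x01I\x00\x05valuexr\x00\x10java.lang.Number\x86\xac"
                      b"\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00xp\x00\x00\x00\x2a")
SAMPLE_BODIES = [
    "form=login&" + VIEWSTATE_PARAM + "=" + base64.b64encode(SERIALIZED_INTEGER).decode(),
    "form=login&" + VIEWSTATE_PARAM + "=" + base64.b64encode(b"\x8f\x1d\x5e\xa2\x33\x70").decode(),
    "form=login&" + VIEWSTATE_PARAM + "=-1234567890%3A9876543210",
    "form=login",
]
```

Running flag_requests(SAMPLE_BODIES) returns [0]: only the first body carries a ViewState that is a raw serialization stream, which is the condition worth alerting on in front of a MyFaces application.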
Vendor
Furukawa Electric Co., Ltd. - https://www.furukawa.co.jp
Tecnored SA - https://www.tecnoredsa.com.ar
Affected Version
2.8.1
2.7.10
2.6.4
2.3.1
2.1.49
2.1.36
2.1.31
2.1.18
2.1.16
2.1.15
2.1.1
2.0.1174
1.8
1.4.70
Tested On
Apache Tomcat/7.0.68
Apache Tomcat/7.0.52
Apache MyFaces/2.2.1
Apache MyFaces/2.1.17
Apache MyFaces/2.0.10
GNU/Linux 4.4.0-173
GNU/Linux 4.4.0-137
GNU/Linux 4.4.0-101
GNU/Linux 4.4.0-83
GNU/Linux 3.15.0
GNU/Linux 3.13.0-32
PrimeFaces/4.0.RC1
Apache-Coyote/1.1
ACC Library 3.1
Ubuntu 16.04.2
Ubuntu 14.04.2
Java/1.8.0_242
Java/1.8.0_181
Java/1.8.0_131
Java/1.7.0_79
MySQL 5.7.29
MySQL 5.7.18
Vendor Status
[24.02.2020] Vulnerability discovered.
[25.02.2020] Vendor contacted.
[07.04.2020] No response from the vendor.
[08.04.2020] Vendor contacted.
[23.04.2020] No response from the vendor.
[24.04.2020] Public security advisory released.
[18.05.2020] Vendor releases version 2.8.5.4 to address this issue.
PoC
furukawa.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-12133
[3] https://www.exploit-db.com/exploits/48380
[4] https://packetstormsecurity.com/files/157383/Furukawa-Electric-ConsciusMAP-2.8.1-Java-Deserialization-Remote-Code-Execution.html
[5] https://cxsecurity.com/issue/WLB-2020040154
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/180746
[7] http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202004-2137
[8] https://helpcenter.furukawalatam.com/helpCenter/41/802/release-2.8.5.4?language=&lang=en
[9] https://jvndb.jvn.jp/ja/contents/2020/JVNDB-2020-005342.html
[10] https://www.tenable.com/cve/CVE-2020-12133
Changelog
[24.04.2020] - Initial release
[26.04.2020] - Added reference [5]
[27.04.2020] - Added reference [6] and [7]
[22.05.2020] - Added vendor status and reference [8]
[14.08.2020] - Added reference [9] and [10]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk