CVE-2023-33284 - Marval MSM has a Remote Code Execution vulnerability

Marval MSM through 14.19.0.12476 and 15.0 has a Remote Code Execution vulnerability. A remote attacker authenticated as any user is able to execute code in context of the web server.

Description

Marval MSM < v15.2 has a Remote Code Execution vulnerability. An authenticated remote attacker is able to execute code in context of the web server.

CVSS Score

9.1 - Critical

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details of the vulnerability

The vulnerability makes it possible for an authenticated remote attacker in Marval to execute a command that, when the JSON object is deserialized, will run code in the context of the IIS server. This makes it possible to execute code on the underlying server which can lead to complete server compromise.

Issuing a request containing a serialized object to specific webservice endpoints will cause an unsafe JSON deserialization. This leads to Remote Code Execution (RCE) on the targeted system.

A valid user session in Marval is required; it is supplied in the appNameAuth cookie. This vulnerability can be combined with CVE-2023-33282.

This issue was identified in versions 14.19.0.12476, 15.0 and 15.1. The vendor released a fix in version 15.2, which was released three months ahead of the normal release schedule.
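The advisory does not publish the vulnerable code or name the JSON library involved. The following is an added illustration of the general bug class described above (a deserializer that builds whatever type the request body names) beside an allow-list fix; it is not Marval's code, and `type_hint`, `TicketNote` and both request bodies are constructed for the example.

```python
import importlib
import json

TYPE_KEY = "type_hint"  # hypothetical field naming the type to construct


class TicketNote:
    """Constructed example of the only object this endpoint should accept."""
    FIELDS = {"ticket_id", "text"}

    def __init__(self, ticket_id, text):
        self.ticket_id = int(ticket_id)
        self.text = str(text)


ALLOWED_TYPES = {"TicketNote": TicketNote}


def load_unsafe(body):
    """Anti-pattern: the request body chooses which class gets constructed."""
    doc = json.loads(body)
    module_name, _, attr = doc.pop(TYPE_KEY).rpartition(".")
    ctor = getattr(importlib.import_module(module_name), attr)
    return ctor(**doc)  # any importable callable is reachable from here


def load_safe(body):
    """Hardened form: fixed allow-list of types and of fields per type."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("expected a JSON object")
    name = doc.pop(TYPE_KEY, None)
    cls = ALLOWED_TYPES.get(name) if isinstance(name, str) else None
    if cls is None:
        raise ValueError("type not on the allow-list")
    if set(doc) != cls.FIELDS:
        raise ValueError("unexpected or missing fields")
    return cls(**doc)


# Constructed request bodies (not taken from the advisory).
EXPECTED = '{"type_hint": "TicketNote", "ticket_id": 7, "text": "rebooted"}'
UNINTENDED = '{"type_hint": "fractions.Fraction", "numerator": 1, "denominator": 3}'

if __name__ == "__main__":
    print(type(load_unsafe(UNINTENDED)).__name__)  # a type the endpoint never intended
    print(load_safe(EXPECTED).text)
```

The unsafe loader builds a harmless standard-library object here, which is enough to show that the caller, not the application, decided what was instantiated; the safe loader rejects the same body before any constructor runs.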

Proof of Concept (PoC)

Available, but will not be released at this point in time.

Upgrade to version 15.2 or later.

Vulnerability Disclosure Policy and Timeline

Vulnerabilities are disclosed, if not fixed earlier, after a minimum of 90 days from being reported to the vendor. If a patch is made available, we give another 30 days in addition to the initial 90 days (90+30). This is to ensure that the vendor can inform customers and give them sufficient time to patch any vulnerable systems. We make every effort to provide sufficient time for vendors to create and make patches available to the public before disclosure. For any questions regarding our vulnerability disclosures, feel free to contact us.

  • 2022-07-12: Vulnerability discovery
  • 2022-07-18: Vulnerability reported to and acknowledged by vendor
  • 2022-08-25: Vendor follow-up
  • 2022-09-15: Vendor follow-up
  • 2022-10-03: Vendor releases out-of-band fix in version 15.2
  • 2023-05-15: CVE requested from Mitre
  • 2023-05-16: Vulnerability reported to CERT-SE
  • 2023-05-22: CVE ID assigned: CVE-2023-33284
  • 2023-05-22: Vendor informed of upcoming disclosure and remediation recommendations requested
  • 2023-05-25: Vendor follow-up and remediation suggestions from vendor
  • 2023-06-07: Vulnerability disclosure

Vendor response

This vulnerability was resolved under ticket MSM-6677 in version 15.2 (2022-10-03), which is not an LTS release; however, we considered it important enough to resolve 3 months ahead of our normal hardening schedule.

The Marval Pen Test policy dictates at a minimum that once a year, a release is security hardened by outsourcing penetration testing to a certified partner and subsequently rectifying the serious and critical issues prior to release. This release is called a long-term support release (LTS) and is made available between January-February each year.

Credits

  • Linus Kimselius @ Cyberskydd - www.cyberskydd.se

References

  • Marval Software

Related news

CVE-2023-33282 - Marval MSM uses unsafe default credentials

Marval MSM through 14.19.0.12476 and 15.0 has a System account with default credentials. A remote attacker is able to login and create a valid session. This makes it possible to make backend calls to endpoints in the application.
