CVE-2020-12133

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected systems by exploiting insecure Java deserialization of the javax.faces.ViewState parameter. It affects Apros Evolution, ConsciusMap, and Furukawa provisioning systems. Attackers can gain full control of vulnerable systems without authentication.

💻 Affected Systems

Products:
  • Apros Evolution
  • ConsciusMap
  • Furukawa provisioning systems
Versions: Through 2.8.1
Operating Systems: Any OS running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations up to version 2.8.1 are vulnerable. Requires Java deserialization enabled in JSF applications.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining root/admin privileges, deploying ransomware, stealing sensitive data, and pivoting to other network systems.

🟠 Likely Case

Remote code execution leading to data theft, installation of backdoors, or deployment of cryptocurrency miners on vulnerable systems.

🟢 If Mitigated

Limited impact with proper network segmentation and security controls, potentially only affecting isolated systems.

🌐 Internet-Facing: HIGH - Exploit requires no authentication and can be triggered remotely via HTTP requests.
🏢 Internal Only: HIGH - Internally reachable systems are just as vulnerable: any attacker with network access to the application, authenticated or not, can trigger the flaw.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Packet Storm Security. Attack requires sending specially crafted HTTP requests with malicious serialized Java objects.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.8.1

Vendor Advisory: https://www.furukawa.co.jp

Restart Required: Yes

Instructions:

1. Contact the vendor for updated versions beyond 2.8.1.
2. Apply vendor-provided patches.
3. Restart affected services.
4. Verify patch application.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement a web application firewall or request filter to block malicious javax.faces.ViewState parameters

Configure WAF rules to inspect and block suspicious ViewState parameters
Register a servlet filter in web.xml that validates the ViewState parameter before it reaches the JSF runtime

Network Segmentation

Applies to: all

Isolate vulnerable systems from the internet and restrict internal access

Configure firewall rules to limit access to affected systems
Implement network segmentation

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted IPs only
  • Deploy web application firewall with rules to detect and block Java deserialization attacks

🔍 How to Verify

Check if Vulnerable:

Check the system version against the affected range (2.8.1 and earlier). Test with the proof-of-concept exploit only if authorized.

Check Version:

Check application version in web interface or configuration files specific to each product

Verify Fix Applied:

Verify version is updated beyond 2.8.1. Test with known exploit payloads to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java deserialization errors in logs
  • Large or malformed javax.faces.ViewState parameters in HTTP requests
  • Unexpected Java process execution

Network Indicators:

  • HTTP requests with unusually large ViewState parameters
  • Patterns matching Java serialization payloads
  • Outbound connections from affected systems to unknown IPs

SIEM Query:

source="web_logs" AND ((http_uri CONTAINS "javax.faces.ViewState" AND http_param_size > 10000) OR (error_message CONTAINS "java.io.InvalidClassException"))
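A small detector for the log indicators above, added here as an example (it is not part of this advisory or any vendor tooling): it parses constructed access-log lines, flags ViewState values that are oversized or that base64-decode to a Java serialization stream, and keeps the two signals separate. The log format, the field names and the 10000-byte threshold are assumptions, and base64 '+' characters are expected to arrive percent-encoded as a real form post sends them.

```python
import base64, binascii
from urllib.parse import parse_qs, urlsplit

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # Java stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5
PARAM = "javax.faces.ViewState"
SIZE_THRESHOLD = 10000  # bytes; mirrors the size threshold in the SIEM query above (assumed)

# Constructed access-log lines (not real traffic): "METHOD PATH BODY_BYTES BODY", "-" = empty body.
SAMPLE_LOGS = [
    # benign server-side state token in a small request
    "POST /app/home.jsf 95 javax.faces.ViewState=-1234567890%3A987654321&name=bob",
    # value decodes to a Java serialization stream ("rO0ABXNy" = AC ED 00 05 73 72), oversized request
    "POST /app/home.jsf 11200 javax.faces.ViewState=rO0ABXNy" + "A" * 36 + "&name=bob",
    # oversized opaque state (e.g. encrypted client-side saving) with no serialization header
    "POST /app/home.jsf 12000 javax.faces.ViewState=" + "Z" * 40,
    # serialized state carried in the query string of a small GET
    "GET /app/home.jsf?javax.faces.ViewState=rO0ABXNy" + "A" * 12 + " 0 -",
]

def parse_log_line(line):
    method, path, size, body = line.split(" ", 3)
    return {"method": method, "path": path, "size": int(size),
            "body": "" if body == "-" else body}

def viewstate_values(rec):
    """Collect every ViewState value from the query string and the form body."""
    query = urlsplit(rec["path"]).query
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    return values + parse_qs(rec["body"], keep_blank_values=True).get(PARAM, [])

def is_java_serialized(value):
    """True only if the base64 value decodes to bytes starting with the Java magic."""
    text = value.strip()
    text += "=" * (-len(text) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(text)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)

def classify(line):
    """Return the sorted indicator names that fire for one log line ([] when clean)."""
    rec = parse_log_line(line)
    reasons = set()
    for value in viewstate_values(rec):
        if rec["size"] > SIZE_THRESHOLD:
            reasons.add("oversized_viewstate")
        if is_java_serialized(value):
            reasons.add("java_serialization_header")
    return sorted(reasons)
```

Treat hits as triage signals: JSF configured for client-side state saving legitimately sends serialized (normally encrypted) state, so baseline normal ViewState sizes per application first. Checking the decoded bytes is stricter than matching the "rO0AB" prefix, which also matches streams whose fourth byte is 4 to 7.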
