CVE-2020-10657

Vulnerability

CVE-2020-10657 is a remote code execution vulnerability in the Proofpoint Insider Threat Management (ITM) Server (formerly ObserveIT Server) web console's ImportAlertRules feature. The vulnerability is caused by improper deserialization of user-supplied data, allowing a remote attacker with admin or config-admin privileges to execute arbitrary code with local administrator privileges. All versions of Proofpoint ITM Server prior to 7.9.1 are affected [2].

Exploitation

To exploit this vulnerability, an attacker must have valid admin or config-admin credentials for the ITM web console. With those privileges, the attacker sends a crafted serialized object to the ImportAlertRules endpoint. The server's deserialization process does not properly validate the data, leading to the execution of arbitrary code on the server [2].

Impact

Successful exploitation grants the attacker arbitrary code execution with local administrator privileges on the ITM server. This allows the attacker to fully compromise the confidentiality, integrity, and availability of the system, including the ability to modify or exfiltrate sensitive insider threat data and pivot to other internal resources [2].

Mitigation

Proofpoint released version 7.9.1 of the Insider Threat Management Server, which contains the fix for this vulnerability. Customers already running 7.9.1 require no action. All other users should upgrade to a fixed version immediately [2]. No workarounds are documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.