Vulnerabilities > CVE-2015-2137 - Remote Code Execution vulnerability in HP Operations Manager i

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
hp
critical
nessus

Summary

Unspecified vulnerability in HP Operations Manager i (OMi) 9.22, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote attackers to execute arbitrary code via unknown vectors.

Nessus

NASL familyMisc.
NASL idHP_OPERATIONS_MANAGER_I_HPSBGN03393.NASL
descriptionThe version of HP Operations Manager i (OMi) installed on the remote host is missing a security patch that fixes an unspecified remote code execution vulnerability.
last seen2020-06-01
modified2020-06-02
plugin id85626
published2015-08-25
reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/85626
titleHP Operations Manager i (OMi) Unspecified RCE
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(85626);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-2137");
  script_bugtraq_id(76360);
  script_xref(name:"HP", value:"HPSBGN03393");
  script_xref(name:"IAVB", value:"2015-B-0104");
  script_xref(name:"HP", value:"SSRT102189");
  script_xref(name:"HP", value:"emr_na-c04762687");

  script_name(english:"HP Operations Manager i (OMi) Unspecified RCE");
  script_summary(english:"Checks for the patch.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an unspecified remote code execution
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of HP Operations Manager i (OMi) installed on the remote
host is missing a security patch that fixes an unspecified remote code
execution vulnerability.");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04762687
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b18d327e");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch per the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2137");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:operations_manager_i");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hp_operations_manager_i_installed.nbin");
  script_require_keys("installed_sw/HP Operations Manager i");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("bsal.inc");
include("byte_func.inc");
include("zip.inc");
include("obj.inc");
include("install_func.inc");

global_var appname;
appname = "HP Operations Manager i";

function is_patched(version, patch, path)
{
  local_var item, ip_level, ip_fix, war_path, war_file, share, war_ver,
            manifest_contents, war_fix, hotfix, port, login, fh, rc, pass,
            domain;

  if(version =~ "^0?9\.22$" || version =~ "0?9\.23$")
    return "9.24 with patch";

  ip_fix = 1;
  if(version == "10.00") ip_fix = 2;

  if(isnull(patch))
    return version + ' IP ' + ip_fix;

  item = eregmatch(pattern:"^[0-9.]+ IP ([0-9]+)($|[^0-9])",
                   string:patch);

  if(isnull(item) || isnull(item[1]))
    exit(1, "Unable to parse patch information : '" + patch + "'");

  ip_level = int(item[1]);

  if(ip_fix < ip_level)
    return version + ' IP ' + ip_fix;

  war_path = "wde\webapps\opr-gateway.war";
  if(version =~ "^10\.") war_path = "opr\webapps\opr-gateway.war";

  war_path = hotfix_append_path(path:path, value:war_path);

  war_file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1",
                          string:war_path);

  share = hotfix_path2share(path:war_path);

  # Connect to the appropriate share.
  port    =  kb_smb_transport();
  login   =  kb_smb_login();
  pass    =  kb_smb_password();
  domain  =  kb_smb_domain();

  if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
  {
    NetUseDel();
    audit(AUDIT_SHARE_FAIL, share);
  }

  fh = CreateFile(
    file:war_file,
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );

  if (isnull(fh))
  {
    NetUseDel();
    exit(1, "Unable to open '" + war_path + "'.");
  }

  manifest_contents = zip_parse(smb:fh, "META-INF/MANIFEST.MF");

  CloseFile(handle:fh);
  NetUseDel();

  if("Implementation-Version" >!< manifest_contents ||
     "Implementation-Build" >!< manifest_contents)
    exit(1, 'Error parsing MANIFEST.MF.');

  item = eregmatch(pattern:"Implementation-Version\s*:\s*([\d.]+)\s*($|[\r\n])",
                   string:manifest_contents);

  if(isnull(item) || isnull(item[1]))
    exit(1, 'Error parsing Implementation-Version from MANIFEST.MF.');

  war_ver = item[1];

  item = eregmatch(pattern:"Implementation-Build\s*:\s*([\d]+)\s*($|[\r\n])",
                   string:manifest_contents);

  if(isnull(item) || isnull(item[1]))
    exit(1, 'Error parsing Implementation-Build from MANIFEST.MF.');

  war_ver += '.' + item[1];

  war_fix = '9.24.164.55810';
  hotfix = 'OMI_00114';
 
  if(version =~ "^0?9\.25$")
  {
    hotfix = 'OMI_00112';
    war_fix = '9.25.311.55760';
  }
  else if(version == "10.00")
  {
    hotfix = 'OMI_00108';
    war_fix = '10.00.326.55620';
  }
  else if(version == "10.01")
  {
    hotfix = 'OMI_00110';
    war_fix = '10.01.112.55594';
  }

  if(ver_compare(ver:war_ver, fix:war_fix, strict:FALSE) == -1)
   return version + " " + ip_level + " hotfix " + hotfix;

  return '';
}

install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);
version = install['version'];
patch   = install['Patch'];
path    = install['path'];

if(version !~ "^0?9\.2[234]$" && version !~ "^10\.0[01]$")
  audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);

fix = is_patched(version:version, patch:patch, path:path);

if (fix != '')
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version;
    if(!isnull(patch)) report +=
      '\n  Installed patch   : ' + patch;
    report +=
      '\n  Fixed version     : ' + fix +
      '\n';
    security_hole(port:kb_smb_transport(), extra:report);
  }
  else security_hole(kb_smb_transport());
  exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);