Vulnerabilities > CVE-2016-4385 - Deserialization of Untrusted Data vulnerability in HP Network Automation

047910
CVSS 7.3 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
LOW
Availability impact
LOW
network
low complexity
hp
CWE-502
nessus
NVD
Published: 2016-09-29
Updated: 2018-02-17

Summary

The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries.

Vulnerable Configurations

Part Description Count
Application
Hp
10

Common Weakness Enumeration (CWE)

Nessus

NASL familyCGI abuses
NASL idHP_NETWORK_AUTOMATION_HPSBGN03649.NASL
descriptionThe HP Network Automation application running on the remote host is version 9.1x, 9.2x, 10.00.x prior to 10.00.02.01, 10.10.x, or 10.11.x prior to 10.11.00.01. It is, therefore, affected by a remote code execution vulnerability in the RMI registry due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request, to execute arbitrary code on the target host.
last seen2020-06-01
modified2020-06-02
plugin id93844
published2016-10-04
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/93844
titleHP Network Automation RMI Registry Java Object Deserialization RCE
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93844);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id("CVE-2016-4385");
  script_bugtraq_id(93109);
  script_xref(name:"HP", value:"emr_na-c05279098");
  script_xref(name:"HP", value:"HPSBGN03649");
  script_xref(name:"HP", value:"PSRT110129");
  script_xref(name:"ZDI", value:"ZDI-16-523");
  script_xref(name:"CERT", value:"576313");
  script_xref(name:"TRA", value:"TRA-2016-27");

  script_name(english:"HP Network Automation RMI Registry Java Object Deserialization RCE");
  script_summary(english:"Checks the version of HP Network Automation.");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote host is affected by a remote code
execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The HP Network Automation application running on the remote host is
version 9.1x, 9.2x, 10.00.x prior to 10.00.02.01, 10.10.x, or
10.11.x prior to 10.11.00.01. It is, therefore, affected by a remote
code execution vulnerability in the RMI registry due to unsafe
deserialize calls of unauthenticated Java objects to the Apache
Commons Collections (ACC) library. An unauthenticated, remote attacker
can exploit this, by sending a specially crafted request, to execute
arbitrary code on the target host.");
  # https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c05279098
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?21120a0f");
  # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-27");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4385");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/09/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:network_automation");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hp_network_automation_detect.nbin");
  script_require_keys("installed_sw/HP Network Automation");
  script_require_ports("Services/www", 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app_name = "HP Network Automation";
get_install_count(app_name:app_name, exit_if_zero:TRUE);

port    = get_http_port(default:443);
install = get_single_install(app_name:app_name, port:port, exit_if_unknown_ver:TRUE);
version = install['version'];
url     = build_url(port:port,qs:install['path']);

fix = NULL;

if (version =~ "^9\.1[0-9](\.|$)")
{
  fix = "10.20";
}
else if (version =~ "^9\.2[0-9](\.|$)")
{
  fix = "10.20";
}
else if (version =~ "^10\.00(\.|$)")
{
  fix = "10.00.02.01";
}
else if (version =~ "^10.1[0-1](\.|$)")
{
  fix="10.11.00.01";
}

if (isnull(fix))
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url, version);

if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0 )
{
  items = make_array("URL", url,
                     "Installed version", version,
                     "Fixed version", fix
                    );
  order = make_list("URL", "Installed version", "Fixed version");
  report = report_items_str(report_items:items, ordered_fields:order);

  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
  exit(0);
}
else
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url, version);

References