Vulnerabilities > CVE-2017-12557 - Deserialization of Untrusted Data vulnerability in HP Intelligent Management Center

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
hp
CWE-502
critical
nessus
exploit available
metasploit

Summary

A remote code execution vulnerability was found in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 and earlier. The underlying weakness is deserialization of untrusted data (CWE-502).

Common Weakness Enumeration (CWE)

Exploit-Db

file: exploits/windows/remote/45952.rb
id: EDB-ID:45952
last seen: 2018-12-04
modified: 2018-12-04
platform: windows
port: 8080
published: 2018-12-04
reporter: Exploit-DB
source: https://www.exploit-db.com/download/45952
title: HP Intelligent Management - Java Deserialization RCE (Metasploit)
type: remote

Metasploit

description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebDMDebugServlet, which listens on TCP ports 8080 and 8443 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
id: MSF:EXPLOIT/WINDOWS/HTTP/HP_IMC_JAVA_DESERIALIZE
last seen: 2020-06-10
modified: 2018-12-18
published: 2018-11-10
references
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_imc_java_deserialize.rb
title: HP Intelligent Management Java Deserialization RCE

Nessus

NASL family: Misc.
NASL id: HP_IMC_73_E0506P03.NASL
description: The version of HPE Intelligent Management Center (iMC) PLAT installed on the remote host is prior to 7.3 E0506P03. It is, therefore, affected by multiple vulnerabilities that can be exploited to execute arbitrary code. Note that Intelligent Management Center (iMC) is an HPE product; however, it is branded as H3C.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 103696
published: 2017-10-06
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/103696
title: H3C / HPE Intelligent Management Center PLAT < 7.3 E0506P03 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block. It runs only when `description` is true, sets
# the plugin's metadata (id, CVEs, cross-references, text, scoring,
# dependencies) and ends in exit(0), so the version check further down in
# the file is not reached in this mode.
if (description)
{
  script_id(103696);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/12");

  # A single version comparison stands for all seven CVEs listed here; a
  # finding therefore does not say which of them applies to the host.
  script_cve_id(
    "CVE-2017-12554",
    "CVE-2017-12556",
    "CVE-2017-12557",
    "CVE-2017-12558",
    "CVE-2017-12559",
    "CVE-2017-12560",
    "CVE-2017-12561"
  );
  # Cross-references: HPE security bulletin HPESBHF03782 and the ZDI
  # advisories ZDI-17-830 through ZDI-17-836.
  script_xref(name:"HP", value:"emr_na-hpesbhf03782en_us");
  script_xref(name:"HP", value:"HPESBHF03782");
  script_xref(name:"ZDI", value:"ZDI-17-830");
  script_xref(name:"ZDI", value:"ZDI-17-831");
  script_xref(name:"ZDI", value:"ZDI-17-832");
  script_xref(name:"ZDI", value:"ZDI-17-833");
  script_xref(name:"ZDI", value:"ZDI-17-834");
  script_xref(name:"ZDI", value:"ZDI-17-835");
  script_xref(name:"ZDI", value:"ZDI-17-836");

  script_name(english:"H3C / HPE Intelligent Management Center PLAT < 7.3 E0506P03 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of HPE Intelligent Management Center.");

  # Report text shown to the operator: synopsis, description, reference
  # link and the remediation (upgrade to 7.3 E0506P03 or later).
  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote Windows host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of HPE Intelligent Management Center (iMC) PLAT installed
on the remote host is prior to 7.3 E0506P03. It is, therefore, affected
by multiple vulnerabilities that can be exploited to execute arbitrary
code.

Note that Intelligent Management Center (iMC) is an HPE product;
however, it is branded as H3C.");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03782en_us
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?de291610");
  script_set_attribute(attribute:"solution", value:
"Upgrade to H3C / HPE iMC version 7.3 E0506P03 or later.");
  # CVSS v2 and v3.0 base vectors describe an unauthenticated network attack
  # with full C/I/A impact; the temporal vectors record a functional exploit
  # (E:F) and an official fix (RL:OF / RL:O). The cvss_score_source
  # attribute is set to CVE-2017-12561, not CVE-2017-12557.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-12561");

  # Exploit-availability flags used for prioritisation: a public exploit is
  # recorded as available and the Metasploit module is named.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP Intelligent Management Java Deserialization RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  # Disclosure and patch share the same date (2017/10/03); the plugin
  # followed three days later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/10/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
  script_end_attributes();

  # Registered in the information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Depends on hp_imc_detect.nbin and requires the activemq service (or
  # port 61616). NOTE(review): the version KB item read by the check is
  # presumably written by that detection plugin - confirm.
  script_dependencies("hp_imc_detect.nbin");
  script_require_ports("Services/activemq", 61616);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

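# Version-only check: reads the iMC PLAT version recorded in the KB for the
# ActiveMQ service and compares it with the first fixed release,
# 7.3 E0506P03. No request to the vulnerable servlet is made here; the
# verdict rests on the version string alone.
#
# NOTE(review): the finding is reported on the ActiveMQ port used for
# detection (default 61616). The Metasploit module description for
# CVE-2017-12557 places the vulnerable WebDMDebugServlet on TCP 8080/8443,
# so reachability of those ports should be confirmed separately when
# triaging a result.

# Figure out which port to use (exits if the service cannot be resolved)
port = get_service(svc:'activemq', default:61616, exit_on_fail:TRUE);
version = get_kb_item_or_exit('hp/hp_imc/'+port+'/version');

app = 'HP Intelligent Management Center';

fixed_display = '7.3-E0506P03';

fix = "7.3";
patchfix = NULL;

# For 7.3 builds the base version alone cannot decide, so the E/P patch
# level is compared as well. The dot is escaped so that only a literal
# "7.3-" prefix selects this branch (an unescaped "." matches any character).
if (version =~ "^7\.3-")
{
  # Take the patch tag that follows "-E" and replace its letters with dots
  # so it can be ordered numerically, e.g. "0504P02" -> "0504.02"
  # (constructed example). An unparsable version is audited as unknown
  # rather than guessed at.
  patch = pregmatch(pattern:"[0-9.]+-E([0-9A-Z]+)", string:version);
  if (!patch) audit(AUDIT_UNKNOWN_APP_VER, app);
  patchver = ereg_replace(string:patch[1], pattern:"[A-Z\-]", replace:".");
  if (!patchver) audit(AUDIT_UNKNOWN_APP_VER, app);

  # Normalised form of the fixed patch level E0506P03
  patchfix = "0506.03";
}

# Vulnerable if the base version is below 7.3, or if this is a 7.3 build
# (patchfix set above) whose patch level is below 0506.03
if ((ver_compare(ver:version, fix:fix, strict:FALSE) < 0) ||
    (!isnull(patchfix) && ver_compare(ver:patchver, fix:patchfix, strict:FALSE) < 0))
{
  items = make_array(
    "Installed version", version,
    "Fixed version", fixed_display
  );

  order = make_list("Installed version", "Fixed version");
  report = report_items_str(report_items:items, ordered_fields:order);

  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
  exit(0);
}
else
{
  audit(AUDIT_INST_VER_NOT_VULN, app, version);
}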

Packetstorm

data source: https://packetstormsecurity.com/files/download/150615/hp_imc_java_deserialize.rb.txt
id: PACKETSTORM:150615
last seen: 2018-12-04
published: 2018-12-04
reporter: mr_me
source: https://packetstormsecurity.com/files/150615/HP-Intelligent-Management-Java-Deserialization-Remote-Code-Execution.html
title: HP Intelligent Management Java Deserialization Remote Code Execution