Vulnerabilities > CVE-2019-5391 - Out-of-bounds Write vulnerability in HP Intelligent Management Center

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
hp
CWE-787
critical
nessus
NVD
Published: 2019-06-05
Updated: 2020-08-24

Summary

A stack buffer overflow vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

Vulnerable Configurations

Part Description Count
Application
Hp
29

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMisc.
    NASL idHP_IMC_DBMAN_CMD_10018_MULTI_VULNS.NASL
    descriptionThe HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by multiple vulnerabilities : - A command injection vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary commands. (CVE-2019-5390) - A stack-based buffer overflow condition exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-5391) Note that the HPE iMC running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these.
    last seen2020-03-18
    modified2020-02-11
    plugin id133605
    published2020-02-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133605
    titleHPE Intelligent Management Center dbman Command 10018 Multiple Vulnerabilities
    code
    #
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(133605);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/11");

  script_cve_id("CVE-2019-5390", "CVE-2019-5391");
  script_xref(name:"TRA", value:"TRA-2019-42");

  script_name(english:"HPE Intelligent Management Center dbman Command 10018 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"A database backup and restoration tool running on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The HPE Intelligent Management Center (iMC) dbman process running
on the remote host is affected by multiple vulnerabilities : 

  - A command injection vulnerability exists due to improper
    validation of user-supplied data. An unauthenticated, remote
    attacker can exploit this, via a series of specially crafted
    requests, to execute arbitrary commands. (CVE-2019-5390)

  - A stack-based buffer overflow condition exists due to improper
    validation of user-supplied data. An unauthenticated, remote
    attacker can exploit this, via a series of specially crafted
    requests, to cause a denial of service condition or the execution
    of arbitrary code. (CVE-2019-5391)

Note that the HPE iMC running on the remote host is reportedly
affected by additional vulnerabilities; however, this plugin has
not tested for these.");
  # https://medium.com/tenable-techblog/inadequate-patch-in-hewlett-packard-enterprise-imc-7-3-e0703-6aba36351ca3
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c43db212");
  script_set_attribute(attribute:"solution", value:
"Upgrade HPE iMC version to 7.3 E0705 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5390");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hp_imc_dbman_detect.nbin");
  script_require_ports("hpe_imc_dbman", 2810);

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('dump.inc');

port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE);
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

# Incomplete cmd 10018: 2-byte length instead of 4
req = '\x00\x00\x27\x22' +  # command 10018
    '\x00\x00';             # 2-byte length
send(socket: soc, data: req);
res = recv(socket: soc, length:256);
err = socket_get_error(soc);
close(soc);

if(isnull(res))
{
  # The patched dbman treats command 10018 as an encrypted command.
  # The first 4 bytes in the request is a 32-bit length field.
  # The patched dbman checks if the length field is greater than 100.
  # If so, it will close the connection.
  # Since we specified 10018 as the first 4 bytes in the request,
  # the patched dbman will return nothing and close the connection.
  if(err == ECONNRESET)
    audit(AUDIT_HOST_NOT, 'affected');

  audit(AUDIT_RESP_NOT, port, 'a dbman command');
}

# The vulnerable dbman treats command 10018 as an unencrypted
# command. It expects a 4-byte length field at position 4 in the
# request. Since we only specified a 2-byte length field in the
# request, dbman fails to read the 4-byte length field and returns
# an error response message like this:
#
#0x00:  00 00 00 01 00 00 00 3A 30 38 02 01 FF 04 33 44    .......:08....3D
#0x10:  62 6D 61 6E 20 64 65 61 6C 20 6D 73 67 20 65 72    bman deal msg er
#0x20:  72 6F 72 2C 20 70 6C 65 61 73 65 20 74 6F 20 73    ror, please to s
#0x30:  65 65 20 64 62 6D 61 6E 5F 64 65 62 75 67 2E 6C    ee dbman_debug.l
#0x40:  6F 67                                              og
#
if('dbman_debug.log' >< res)
{
  extra = 'Nessus was able to detect the vulnerabilities by sending a' +
    ' specially crafted dbman command to the remote host.';
  security_report_v4(port: port, severity: SECURITY_HOLE, extra: extra);
}
else
  audit(AUDIT_RESP_BAD, port, 'a dbman command. Response: \n' + hexdump(ddata:res));
  • NASL familyMisc.
    NASL idHP_IMC_DBMAN_MULTI_VULNS_HPESBHF03930.NASL
    descriptionThe HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by multiple vulnerabilities: - A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10014 request, to cause the dbman process to restart. (CVE-2018-7123) - A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10003 request, to cause the dbman process to stop responding. (CVE-2019-5355) - A command injection vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary commands. (CVE-2019-5390) - A stack-based buffer overflow condition exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-5391) - An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10001 request, to disclose potentially sensitive information. (CVE-2019-5392) - An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10002 request, to backup iMC database files to a directory that allows unauthenticated access over HTTP. (CVE-2019-5393) Note that the HPE iMC running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these.
    last seen2020-06-01
    modified2020-06-02
    plugin id125736
    published2019-06-06
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125736
    titleHPE Intelligent Management Center dbman Multiple Vulnerabilities
    code
    #
# (C) Tenable Network Security, Inc.
#
include("compat.inc");

if (description)
{
  script_id(125736);
  script_version("1.3");
  script_cvs_date("Date: 2020/02/11");

  script_cve_id(
    "CVE-2018-7123",
    "CVE-2019-5355",
    "CVE-2019-5390",
    "CVE-2019-5391",
    "CVE-2019-5392",
    "CVE-2019-5393"
    );
  script_xref(name:"TRA", value:"TRA-2018-28");
  script_xref(name:"TRA", value:"TRA-2019-12");
  script_xref(name:"HP", value:"HPESBHF03930");

  script_name(english:"HPE Intelligent Management Center dbman Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"A database backup and restoration tool running on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The HPE Intelligent Management Center (iMC) dbman process running
on the remote host is affected by multiple vulnerabilities:

  - A denial of service (DoS) vulnerability exists due to improper
    validation of user-supplied data. An unauthenticated, remote
    attacker can exploit this issue, via a command 10014 request, to
    cause the dbman process to restart. (CVE-2018-7123)

  - A denial of service (DoS) vulnerability exists due to improper
    validation of user-supplied data. An unauthenticated, remote
    attacker can exploit this issue, via a command 10003 request, to
    cause the dbman process to stop responding. (CVE-2019-5355)

  - A command injection vulnerability exists due to improper
    validation of user-supplied data. An unauthenticated, remote
    attacker can exploit this, via a series of specially crafted
    requests, to execute arbitrary commands. (CVE-2019-5390)

  - A stack-based buffer overflow condition exists due to improper
    validation of user-supplied data. An unauthenticated, remote
    attacker can exploit this, via a series of specially crafted
    requests, to cause a denial of service condition or the execution
    of arbitrary code. (CVE-2019-5391)

  - An information disclosure vulnerability exists due to improper
    validation of user-supplied data. An unauthenticated, remote
    attacker can exploit this, via a command 10001 request, to
    disclose potentially sensitive information. (CVE-2019-5392)

  - An information disclosure vulnerability exists due to improper
    validation of user-supplied data. An unauthenticated, remote
    attacker can exploit this, via a command 10002 request, to
    backup iMC database files to a directory that allows
    unauthenticated access over HTTP. (CVE-2019-5393)

Note that the HPE iMC running on the remote host is reportedly
affected by additional vulnerabilities; however, this plugin has
not tested for these.");
  # https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f3575044");
  script_set_attribute(attribute:"solution", value:
"Upgrade HPE iMC version to 7.3 E0703 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5390");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("hp_imc_dbman_detect.nbin");
  script_require_ports("hpe_imc_dbman",2810);
  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('byte_func.inc');
include('dump.inc');

port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE);
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

cmd = 10021; # get_version
req = mkdword(cmd) + '\x00\x00\x00\x00';
send(socket: soc, data: req);
res = recv(socket: soc, length:256);
err = socket_get_error(soc);
close(soc);

if(isnull(res))
{
  # The dbman in iMC 7.3 E0705 or later treats command 10021
  # as an encrypted command. The first 4 bytes in the request
  # is a 32-bit length field. The dbman in these versions checks
  # if the length field is greater than 100. If so, it will close
  # the connection.
  #
  # Since we specified 10021 as the first 4 bytes in the request,
  # the dbman in these verions will return nothing and close
  # the connection.
  if(err == ECONNRESET)
    audit(AUDIT_HOST_NOT, 'affected');

  audit(AUDIT_RESP_NOT, port, 'a dbman command');
}

rlen = strlen(res);
#
# Patched dbman encrypts the command, so an error msg is returned:
#
# 0x00:  00 00 00 01 00 00 00 3A 30 38 02 01 FF 04 33 44    .......:08....3D
# 0x10:  62 6D 61 6E 20 64 65 61 6C 20 6D 73 67 20 65 72    bman deal msg er
# 0x20:  72 6F 72 2C 20 70 6C 65 61 73 65 20 74 6F 20 73    ror, please to s
# 0x30:  65 65 20 64 62 6D 61 6E 5F 64 65 62 75 67 2E 6C    ee dbman_debug.l
# 0x40:  6F 67
#
if('dbman_debug.log' >< res)
  audit(AUDIT_HOST_NOT, 'affected');
#
# Vulnerable dbman should return a response like this:
#
# 0x00:  00 00 27 25 00 00 00 07 30 05 04 03 37 2E 33       ..'%....0...7.3
#
else if (rlen > 8 &&
  # cmd must be in response
  getdword(blob:res, pos:0) == cmd &&
  # resp length field + 8 must be pkt_len
  getdword(blob:res, pos:4) + 8 == rlen &&
  # resp data must be an ASN sequence
  getbyte(blob:res, pos:8) == 0x30
)
{
  extra = 'Nessus was able to detect the vulnerabilities by sending a' +
    ' specially crafted dbman command to the remote host.';
  security_report_v4(port: port, severity: SECURITY_HOLE, extra: extra);
}
else
  audit(AUDIT_RESP_BAD, port, 'a dbman command. Response: \n' + hexdump(ddata:res));

References