Vulnerabilities > CVE-2019-5391 - Out-of-bounds Write vulnerability in HP Intelligent Management Center 7.2/7.3
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A stack buffer overflow vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 9 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Misc. NASL id HP_IMC_DBMAN_CMD_10018_MULTI_VULNS.NASL description The HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by multiple vulnerabilities : - A command injection vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary commands. (CVE-2019-5390) - A stack-based buffer overflow condition exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-5391) Note that the HPE iMC running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these. last seen 2020-03-18 modified 2020-02-11 plugin id 133605 published 2020-02-11 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133605 title HPE Intelligent Management Center dbman Command 10018 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(133605); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/11"); script_cve_id("CVE-2019-5390", "CVE-2019-5391"); script_xref(name:"TRA", value:"TRA-2019-42"); script_name(english:"HPE Intelligent Management Center dbman Command 10018 Multiple Vulnerabilities"); script_set_attribute(attribute:"synopsis", value: "A database backup and restoration tool running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by multiple vulnerabilities : - A command injection vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary commands. (CVE-2019-5390) - A stack-based buffer overflow condition exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-5391) Note that the HPE iMC running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these."); # https://medium.com/tenable-techblog/inadequate-patch-in-hewlett-packard-enterprise-imc-7-3-e0703-6aba36351ca3 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c43db212"); script_set_attribute(attribute:"solution", value: "Upgrade HPE iMC version to 7.3 E0705 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5390"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/20"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/11"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("hp_imc_dbman_detect.nbin"); script_require_ports("hpe_imc_dbman", 2810); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('dump.inc'); port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE); soc = open_sock_tcp(port); if (!soc) audit(AUDIT_SOCK_FAIL, port); # Incomplete cmd 10018: 2-byte length instead of 4 req = '\x00\x00\x27\x22' + # command 10018 '\x00\x00'; # 2-byte length send(socket: soc, data: req); res = recv(socket: soc, length:256); err = socket_get_error(soc); close(soc); if(isnull(res)) { # The patched dbman treats command 10018 as an encrypted command. # The first 4 bytes in the request is a 32-bit length field. # The patched dbman checks if the length field is greater than 100. # If so, it will close the connection. # Since we specified 10018 as the first 4 bytes in the request, # the patched dbman will return nothing and close the connection. if(err == ECONNRESET) audit(AUDIT_HOST_NOT, 'affected'); audit(AUDIT_RESP_NOT, port, 'a dbman command'); } # The vulnerable dbman treats command 10018 as an unencrypted # command. It expects a 4-byte length field at position 4 in the # request. Since we only specified a 2-byte length field in the # request, dbman fails to read the 4-byte length field and returns # an error response message like this: # #0x00: 00 00 00 01 00 00 00 3A 30 38 02 01 FF 04 33 44 .......:08....3D #0x10: 62 6D 61 6E 20 64 65 61 6C 20 6D 73 67 20 65 72 bman deal msg er #0x20: 72 6F 72 2C 20 70 6C 65 61 73 65 20 74 6F 20 73 ror, please to s #0x30: 65 65 20 64 62 6D 61 6E 5F 64 65 62 75 67 2E 6C ee dbman_debug.l #0x40: 6F 67 og # if('dbman_debug.log' >< res) { extra = 'Nessus was able to detect the vulnerabilities by sending a' + ' specially crafted dbman command to the remote host.'; security_report_v4(port: port, severity: SECURITY_HOLE, extra: extra); } else audit(AUDIT_RESP_BAD, port, 'a dbman command. Response: \n' + hexdump(ddata:res));
NASL family Misc. NASL id HP_IMC_DBMAN_MULTI_VULNS_HPESBHF03930.NASL description The HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by multiple vulnerabilities: - A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10014 request, to cause the dbman process to restart. (CVE-2018-7123) - A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10003 request, to cause the dbman process to stop responding. (CVE-2019-5355) - A command injection vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary commands. (CVE-2019-5390) - A stack-based buffer overflow condition exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-5391) - An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10001 request, to disclose potentially sensitive information. (CVE-2019-5392) - An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10002 request, to backup iMC database files to a directory that allows unauthenticated access over HTTP. (CVE-2019-5393) Note that the HPE iMC running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these. last seen 2020-06-01 modified 2020-06-02 plugin id 125736 published 2019-06-06 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125736 title HPE Intelligent Management Center dbman Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(125736); script_version("1.3"); script_cvs_date("Date: 2020/02/11"); script_cve_id( "CVE-2018-7123", "CVE-2019-5355", "CVE-2019-5390", "CVE-2019-5391", "CVE-2019-5392", "CVE-2019-5393" ); script_xref(name:"TRA", value:"TRA-2018-28"); script_xref(name:"TRA", value:"TRA-2019-12"); script_xref(name:"HP", value:"HPESBHF03930"); script_name(english:"HPE Intelligent Management Center dbman Multiple Vulnerabilities"); script_set_attribute(attribute:"synopsis", value: "A database backup and restoration tool running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by multiple vulnerabilities: - A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10014 request, to cause the dbman process to restart. (CVE-2018-7123) - A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10003 request, to cause the dbman process to stop responding. (CVE-2019-5355) - A command injection vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary commands. (CVE-2019-5390) - A stack-based buffer overflow condition exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-5391) - An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10001 request, to disclose potentially sensitive information. (CVE-2019-5392) - An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10002 request, to backup iMC database files to a directory that allows unauthenticated access over HTTP. (CVE-2019-5393) Note that the HPE iMC running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these."); # https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f3575044"); script_set_attribute(attribute:"solution", value: "Upgrade HPE iMC version to 7.3 E0703 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5390"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/20"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/06"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("hp_imc_dbman_detect.nbin"); script_require_ports("hpe_imc_dbman",2810); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('byte_func.inc'); include('dump.inc'); port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE); soc = open_sock_tcp(port); if (!soc) audit(AUDIT_SOCK_FAIL, port); cmd = 10021; # get_version req = mkdword(cmd) + '\x00\x00\x00\x00'; send(socket: soc, data: req); res = recv(socket: soc, length:256); err = socket_get_error(soc); close(soc); if(isnull(res)) { # The dbman in iMC 7.3 E0705 or later treats command 10021 # as an encrypted command. The first 4 bytes in the request # is a 32-bit length field. The dbman in these versions checks # if the length field is greater than 100. If so, it will close # the connection. # # Since we specified 10021 as the first 4 bytes in the request, # the dbman in these verions will return nothing and close # the connection. if(err == ECONNRESET) audit(AUDIT_HOST_NOT, 'affected'); audit(AUDIT_RESP_NOT, port, 'a dbman command'); } rlen = strlen(res); # # Patched dbman encrypts the command, so an error msg is returned: # # 0x00: 00 00 00 01 00 00 00 3A 30 38 02 01 FF 04 33 44 .......:08....3D # 0x10: 62 6D 61 6E 20 64 65 61 6C 20 6D 73 67 20 65 72 bman deal msg er # 0x20: 72 6F 72 2C 20 70 6C 65 61 73 65 20 74 6F 20 73 ror, please to s # 0x30: 65 65 20 64 62 6D 61 6E 5F 64 65 62 75 67 2E 6C ee dbman_debug.l # 0x40: 6F 67 # if('dbman_debug.log' >< res) audit(AUDIT_HOST_NOT, 'affected'); # # Vulnerable dbman should return a response like this: # # 0x00: 00 00 27 25 00 00 00 07 30 05 04 03 37 2E 33 ..'%....0...7.3 # else if (rlen > 8 && # cmd must be in response getdword(blob:res, pos:0) == cmd && # resp length field + 8 must be pkt_len getdword(blob:res, pos:4) + 8 == rlen && # resp data must be an ASN sequence getbyte(blob:res, pos:8) == 0x30 ) { extra = 'Nessus was able to detect the vulnerabilities by sending a' + ' specially crafted dbman command to the remote host.'; security_report_v4(port: port, severity: SECURITY_HOLE, extra: extra); } else audit(AUDIT_RESP_BAD, port, 'a dbman command. Response: \n' + hexdump(ddata:res));