CVE-2019-5392 - Unspecified vulnerability in HP Intelligent Management Center
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | LOW |
Integrity impact | NONE |
Availability impact | NONE |
Summary
A disclosure of information vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 29 |
Exploit-Db
id | EDB-ID:47408 |
last seen | 2019-09-23 |
modified | 2019-09-23 |
published | 2019-09-23 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/47408 |
title | HPE Intelligent Management Center < 7.3 E0506P09 - Information Disclosure |
Nessus
NASL family | Misc. |
NASL id | HP_IMC_DBMAN_MULTI_VULNS_HPESBHF03930.NASL |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 125736 |
published | 2019-06-06 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/125736 |
title | HPE Intelligent Management Center dbman Multiple Vulnerabilities |

description

The HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by multiple vulnerabilities:

- A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10014 request, to cause the dbman process to restart. (CVE-2018-7123)
- A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10003 request, to cause the dbman process to stop responding. (CVE-2019-5355)
- A command injection vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary commands. (CVE-2019-5390)
- A stack-based buffer overflow condition exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-5391)
- An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10001 request, to disclose potentially sensitive information. (CVE-2019-5392)
- An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10002 request, to backup iMC database files to a directory that allows unauthenticated access over HTTP. (CVE-2019-5393)

Note that the HPE iMC running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these.

code

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(125736);
  script_version("1.3");
  script_cvs_date("Date: 2020/02/11");

  script_cve_id(
    "CVE-2018-7123",
    "CVE-2019-5355",
    "CVE-2019-5390",
    "CVE-2019-5391",
    "CVE-2019-5392",
    "CVE-2019-5393"
  );
  script_xref(name:"TRA", value:"TRA-2018-28");
  script_xref(name:"TRA", value:"TRA-2019-12");
  script_xref(name:"HP", value:"HPESBHF03930");

  script_name(english:"HPE Intelligent Management Center dbman Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"A database backup and restoration tool running on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The HPE Intelligent Management Center (iMC) dbman process running on
the remote host is affected by multiple vulnerabilities:

  - A denial of service (DoS) vulnerability exists due to
    improper validation of user-supplied data. An
    unauthenticated, remote attacker can exploit this issue,
    via a command 10014 request, to cause the dbman process
    to restart. (CVE-2018-7123)

  - A denial of service (DoS) vulnerability exists due to
    improper validation of user-supplied data. An
    unauthenticated, remote attacker can exploit this issue,
    via a command 10003 request, to cause the dbman process
    to stop responding. (CVE-2019-5355)

  - A command injection vulnerability exists due to improper
    validation of user-supplied data. An unauthenticated,
    remote attacker can exploit this, via a series of
    specially crafted requests, to execute arbitrary
    commands. (CVE-2019-5390)

  - A stack-based buffer overflow condition exists due to
    improper validation of user-supplied data. An
    unauthenticated, remote attacker can exploit this, via a
    series of specially crafted requests, to cause a denial
    of service condition or the execution of arbitrary code.
    (CVE-2019-5391)

  - An information disclosure vulnerability exists due to
    improper validation of user-supplied data. An
    unauthenticated, remote attacker can exploit this, via a
    command 10001 request, to disclose potentially sensitive
    information. (CVE-2019-5392)

  - An information disclosure vulnerability exists due to
    improper validation of user-supplied data. An
    unauthenticated, remote attacker can exploit this, via a
    command 10002 request, to backup iMC database files to a
    directory that allows unauthenticated access over HTTP.
    (CVE-2019-5393)

Note that the HPE iMC running on the remote host is reportedly
affected by additional vulnerabilities; however, this plugin has not
tested for these.");
  # https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f3575044");
  script_set_attribute(attribute:"solution", value:
"Upgrade HPE iMC version to 7.3 E0703 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5390");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hp_imc_dbman_detect.nbin");
  script_require_ports("hpe_imc_dbman",2810);

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('byte_func.inc');
include('dump.inc');

port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE);

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

cmd = 10021; # get_version
req = mkdword(cmd) + '\x00\x00\x00\x00';
send(socket: soc, data: req);
res = recv(socket: soc, length:256);
err = socket_get_error(soc);
close(soc);

if(isnull(res))
{
  # The dbman in iMC 7.3 E0705 or later treats command 10021
  # as an encrypted command. The first 4 bytes in the request
  # is a 32-bit length field. The dbman in these versions checks
  # if the length field is greater than 100. If so, it will close
  # the connection.
  #
  # Since we specified 10021 as the first 4 bytes in the request,
  # the dbman in these versions will return nothing and close
  # the connection.
  if(err == ECONNRESET)
    audit(AUDIT_HOST_NOT, 'affected');

  audit(AUDIT_RESP_NOT, port, 'a dbman command');
}

rlen = strlen(res);

#
# Patched dbman encrypts the command, so an error msg is returned:
#
# 0x00:  00 00 00 01 00 00 00 3A 30 38 02 01 FF 04 33 44    .......:08....3D
# 0x10:  62 6D 61 6E 20 64 65 61 6C 20 6D 73 67 20 65 72    bman deal msg er
# 0x20:  72 6F 72 2C 20 70 6C 65 61 73 65 20 74 6F 20 73    ror, please to s
# 0x30:  65 65 20 64 62 6D 61 6E 5F 64 65 62 75 67 2E 6C    ee dbman_debug.l
# 0x40:  6F 67
#
if('dbman_debug.log' >< res)
  audit(AUDIT_HOST_NOT, 'affected');
#
# Vulnerable dbman should return a response like this:
#
# 0x00:  00 00 27 25 00 00 00 07 30 05 04 03 37 2E 33    ..'%....0...7.3
#
else if (rlen > 8 &&
  # cmd must be in response
  getdword(blob:res, pos:0) == cmd &&
  # resp length field + 8 must be pkt_len
  getdword(blob:res, pos:4) + 8 == rlen &&
  # resp data must be an ASN sequence
  getbyte(blob:res, pos:8) == 0x30
)
{
  extra = 'Nessus was able to detect the vulnerabilities by sending a' +
    ' specially crafted dbman command to the remote host.';
  security_report_v4(port: port, severity: SECURITY_HOLE, extra: extra);
}
else
  audit(AUDIT_RESP_BAD, port, 'a dbman command. Response: \n' + hexdump(ddata:res));
```

NASL family | Misc. |
NASL id | HP_IMC_DBMAN_CMD_10001_INFO_DISCLOSURE.NASL |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 118038 |
published | 2018-10-10 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/118038 |
title | HPE Intelligent Management Center dbman Command 10001 Information Disclosure |

description

The HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by an information disclosure vulnerability. An unauthenticated, remote attacker can exploit this, via a command 10001 request, to view the contents of arbitrary directories under the security context of the SYSTEM or root user.

Note that the HPE iMC dbman process running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these.

code

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118038);
  script_version("1.4");
  script_cvs_date("Date: 2019/09/25 17:12:11");

  script_cve_id("CVE-2019-5392");
  script_xref(name:"TRA", value:"TRA-2018-28");
  script_xref(name:"HP", value:"HPESBHF03930");

  script_name(english:"HPE Intelligent Management Center dbman Command 10001 Information Disclosure");
  script_summary(english:"Attempts to fetch directory contents");

  script_set_attribute(attribute:"synopsis", value:
"A database backup and restoration tool running on the remote host is
affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The HPE Intelligent Management Center (iMC) dbman process running on
the remote host is affected by an information disclosure
vulnerability. An unauthenticated, remote attacker can exploit this,
via a command 10001 request, to view the contents of arbitrary
directories under the security context of the SYSTEM or root user.

Note that the HPE iMC dbman process running on the remote host is
reportedly affected by additional vulnerabilities; however, this
plugin has not tested for these.");
  # https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f3575044");
  script_set_attribute(attribute:"solution", value:
"Upgrade HPE iMC version to 7.3 E0703 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5392");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hp_imc_dbman_detect.nbin");
  script_require_ports("hpe_imc_dbman",2810);

  exit(0);
}

include('audit.inc');
include('byte_func.inc');
include('global_settings.inc');
include('misc_func.inc');
include('kerberos_func.inc');

###
#
# Read a dbman response
#
# @param socket socket to read from
#
# @return ret['code'] - response code
#         ret['data'] - response data
#         NULL on error
#
###
function dbman_recv(socket)
{
  local_var data, len, ret;

  # Read 4-byte code
  data = recv(socket:socket, length:4, min:4);
  if(isnull(data)) return NULL;
  ret['code'] = getdword(blob:data, pos:0);

  # Read 4-byte msg len
  data = recv(socket:socket, length:4, min:4);
  if(isnull(data)) return NULL;
  len = getdword(blob:data, pos:0);

  # Dubious msg len
  if(len > 0x10000) return NULL;

  # Read msg body
  data = NULL;
  if(len)
  {
    data = recv(socket:socket, length:len, min:len);
    if(isnull(data)) return NULL;
  }
  ret['data'] = data;

  return ret;
}

###
#
# Parse command 10001 response
#
# @anonparam command 10001 response data
#
# @return parsed data
#
###
function get_dir_contents()
{
  local_var data, ent, i, name, out, ret;

  data = _FCT_ANON_ARGS[0];

  # Parse the outer sequence
  ret = der_parse_data(tag:0x30,data:data);
  if(empty_or_null(ret)) return NULL;

  # Parse the embedded sequence, which holds a list of
  # directory entries
  ret = der_parse_sequence(seq:ret,list:TRUE);
  if(empty_or_null(ret)) return NULL;

  # A directory should not have more than 1000 entries
  if(ret[0] > 1000) return NULL;

  out = NULL;
  for (i = 1; i <= ret[0]; i++)
  {
    # Each directory entry is a sequence itself
    ent = ret[i];
    ent = der_parse_sequence(seq:ent,list:TRUE);
    if(empty_or_null(ent)) return NULL;

    # Each entry should have 3 elements
    if(ent[0] != 3) return NULL;

    # The 'name' element
    name = der_parse_octet_string(string: ent[1]);
    if(empty_or_null(name)) return NULL;

    out += name + '\n';
  }
  return out;
}

port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE);

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_PORT_CLOSED, port);

data =
  der_encode_int (i:1) + # flag
  # Query the current directory of the dbman process
  der_encode_octet_string(string:".");

opcode = 10001;
seq = der_encode (tag:0x30, data: data);
req = mkdword(opcode) + mkdword(strlen(seq)) + seq;
send(socket: soc, data: req);
res = dbman_recv(socket: soc);
close(soc);

if(! isnull(res) && ! isnull(res['data']) &&
  # The current directory should contain the dbman executable
  'dbman' >< res['data'] &&
  # Correctly extract the directory contents so that we can show
  # to the user that the info disclosure vuln indeed exists.
  !isnull((ret = get_dir_contents(res['data'])))
)
{
  report = 'Nessus was able to get the contents of the current directory of the ' +
    'dbman process: \n' +
    '\n' +
    ret;

  security_report_v4(
    port     : port,
    severity : SECURITY_WARNING,
    extra    : report
  );
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/154580/hpeimc-disclose.txt |
id | PACKETSTORM:154580 |
last seen | 2019-09-24 |
published | 2019-09-23 |
reporter | Rishabh Sharma |
source | https://packetstormsecurity.com/files/154580/HPE-Intelligent-Management-Center-Information-Disclosure.html |
title | HPE Intelligent Management Center Information Disclosure |
References
- http://packetstormsecurity.com/files/154580/HPE-Intelligent-Management-Center-Information-Disclosure.html
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us