10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
68.7%
The HPE Intelligent Management Center (iMC) dbman process running on the remote host is affected by multiple vulnerabilities :
A command injection vulnerability exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary commands. (CVE-2019-5390)
A stack-based buffer overflow condition exists due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-5391)
Note that the HPE iMC running on the remote host is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(133605);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/27");
script_cve_id("CVE-2019-5390", "CVE-2019-5391");
script_xref(name:"TRA", value:"TRA-2019-42");
script_name(english:"HPE Intelligent Management Center dbman Command 10018 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"A database backup and restoration tool running on the remote host is
affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The HPE Intelligent Management Center (iMC) dbman process running
on the remote host is affected by multiple vulnerabilities :
- A command injection vulnerability exists due to improper
validation of user-supplied data. An unauthenticated, remote
attacker can exploit this, via a series of specially crafted
requests, to execute arbitrary commands. (CVE-2019-5390)
- A stack-based buffer overflow condition exists due to improper
validation of user-supplied data. An unauthenticated, remote
attacker can exploit this, via a series of specially crafted
requests, to cause a denial of service condition or the execution
of arbitrary code. (CVE-2019-5391)
Note that the HPE iMC running on the remote host is reportedly
affected by additional vulnerabilities; however, this plugin has
not tested for these.");
# https://medium.com/tenable-techblog/inadequate-patch-in-hewlett-packard-enterprise-imc-7-3-e0703-6aba36351ca3
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c43db212");
script_set_attribute(attribute:"solution", value:
"Upgrade HPE iMC version to 7.3 E0705 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5391");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/20");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/11");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("hp_imc_dbman_detect.nbin");
script_require_ports("hpe_imc_dbman", 2810);
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('dump.inc');
port = get_service(svc:'hpe_imc_dbman', default:2810, exit_on_fail:TRUE);
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);
# Incomplete cmd 10018: 2-byte length instead of 4
req = '\x00\x00\x27\x22' + # command 10018
'\x00\x00'; # 2-byte length
send(socket: soc, data: req);
res = recv(socket: soc, length:256);
err = socket_get_error(soc);
close(soc);
if(isnull(res))
{
# The patched dbman treats command 10018 as an encrypted command.
# The first 4 bytes in the request is a 32-bit length field.
# The patched dbman checks if the length field is greater than 100.
# If so, it will close the connection.
# Since we specified 10018 as the first 4 bytes in the request,
# the patched dbman will return nothing and close the connection.
if(err == ECONNRESET)
audit(AUDIT_HOST_NOT, 'affected');
audit(AUDIT_RESP_NOT, port, 'a dbman command');
}
# The vulnerable dbman treats command 10018 as an unencrypted
# command. It expects a 4-byte length field at position 4 in the
# request. Since we only specified a 2-byte length field in the
# request, dbman fails to read the 4-byte length field and returns
# an error response message like this:
#
#0x00: 00 00 00 01 00 00 00 3A 30 38 02 01 FF 04 33 44 .......:08....3D
#0x10: 62 6D 61 6E 20 64 65 61 6C 20 6D 73 67 20 65 72 bman deal msg er
#0x20: 72 6F 72 2C 20 70 6C 65 61 73 65 20 74 6F 20 73 ror, please to s
#0x30: 65 65 20 64 62 6D 61 6E 5F 64 65 62 75 67 2E 6C ee dbman_debug.l
#0x40: 6F 67 og
#
if('dbman_debug.log' >< res)
{
extra = 'Nessus was able to detect the vulnerabilities by sending a' +
' specially crafted dbman command to the remote host.';
security_report_v4(port: port, severity: SECURITY_HOLE, extra: extra);
}
else
audit(AUDIT_RESP_BAD, port, 'a dbman command. Response: \n' + hexdump(ddata:res));
Vendor | Product | Version | CPE |
---|---|---|---|
hp | intelligent_management_center | cpe:/a:hp:intelligent_management_center |
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
68.7%