Lucene search
This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.HP_NETWORK_AUTOMATION_HPSBGN03649.NASLHistoryOct 04, 2016 - 12:00 a.m.
HP Network Automation RMI Registry Java Object Deserialization RCE
2016-10-0400:00:00
This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
54
The HP Network Automation application running on the remote host is version 9.1x, 9.2x, 10.00.x prior to 10.00.02.01, 10.10.x, or 10.11.x prior to 10.11.00.01. It is, therefore, affected by a remote code execution vulnerability in the RMI registry due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request, to execute arbitrary code on the target host.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(93844);
script_version("1.9");
script_cvs_date("Date: 2019/11/14");
script_cve_id("CVE-2016-4385");
script_bugtraq_id(93109);
script_xref(name:"HP", value:"emr_na-c05279098");
script_xref(name:"HP", value:"HPSBGN03649");
script_xref(name:"HP", value:"PSRT110129");
script_xref(name:"ZDI", value:"ZDI-16-523");
script_xref(name:"CERT", value:"576313");
script_xref(name:"TRA", value:"TRA-2016-27");
script_name(english:"HP Network Automation RMI Registry Java Object Deserialization RCE");
script_summary(english:"Checks the version of HP Network Automation.");
script_set_attribute(attribute:"synopsis", value:
"An application running on the remote host is affected by a remote code
execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The HP Network Automation application running on the remote host is
version 9.1x, 9.2x, 10.00.x prior to 10.00.02.01, 10.10.x, or
10.11.x prior to 10.11.00.01. It is, therefore, affected by a remote
code execution vulnerability in the RMI registry due to unsafe
deserialize calls of unauthenticated Java objects to the Apache
Commons Collections (ACC) library. An unauthenticated, remote attacker
can exploit this, by sending a specially crafted request, to execute
arbitrary code on the target host.");
# https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c05279098
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?21120a0f");
# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-27");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4385");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"in_the_news", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/28");
script_set_attribute(attribute:"patch_publication_date", value:"2016/09/20");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/04");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:network_automation");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("hp_network_automation_detect.nbin");
script_require_keys("installed_sw/HP Network Automation");
script_require_ports("Services/www", 443);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app_name = "HP Network Automation";
get_install_count(app_name:app_name, exit_if_zero:TRUE);
port = get_http_port(default:443);
install = get_single_install(app_name:app_name, port:port, exit_if_unknown_ver:TRUE);
version = install['version'];
url = build_url(port:port,qs:install['path']);
fix = NULL;
if (version =~ "^9\.1[0-9](\.|$)")
{
fix = "10.20";
}
else if (version =~ "^9\.2[0-9](\.|$)")
{
fix = "10.20";
}
else if (version =~ "^10\.00(\.|$)")
{
fix = "10.00.02.01";
}
else if (version =~ "^10.1[0-1](\.|$)")
{
fix="10.11.00.01";
}
if (isnull(fix))
audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url, version);
if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0 )
{
items = make_array("URL", url,
"Installed version", version,
"Fixed version", fix
);
order = make_list("URL", "Installed version", "Fixed version");
report = report_items_str(report_items:items, ordered_fields:order);
security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
exit(0);
}
else
audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url, version);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| hp | network_automation | cpe:/a:hp:network_automation |
Related
cve
cve
CVE-2016-4385
2016-09-29 14:59:00
zdi
zdi
prion
prion
Design/Logic Flaw
2016-09-29 14:59:00
impervablog
impervablog
Deserialization Attacks Surge Motivated by Illegal Crypto-mining
2018-01-24 17:45:08
Related for HP_NETWORK_AUTOMATION_HPSBGN03649.NASL