HP Network Automation RCE Vulnerability

2016-12-01T00:00:00

Description

HP Network Automation is prone to a remote code execution vulnerability.

{"id": "OPENVAS:1361412562310106430", "type": "openvas", "bulletinFamily": "scanner", "title": "HP Network Automation RCE Vulnerability", "description": "HP Network Automation is prone to a remote code execution vulnerability.", "published": "2016-12-01T00:00:00", "modified": "2018-10-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106430", "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05344849"], "cvelist": ["CVE-2016-8511"], "lastseen": "2019-05-29T18:35:48", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-1120"]}, {"type": "cve", "idList": ["CVE-2016-8511"]}, {"type": "nessus", "idList": ["HP_NETWORK_AUTOMATION_HPSBGN03677.NASL"]}, {"type": "zdi", "idList": ["ZDI-16-616"]}], "rev": 4}, "score": {"value": 8.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-1120"]}, {"type": "cve", "idList": ["CVE-2016-8511"]}, {"type": "nessus", "idList": ["HP_NETWORK_AUTOMATION_HPSBGN03677.NASL"]}, {"type": "zdi", "idList": ["ZDI-16-616"]}]}, "exploitation": null, "vulnersScore": 8.2}, "pluginID": "1361412562310106430", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hp_network_automation_hpsbgn03677.nasl 12096 2018-10-25 12:26:02Z asteins $\n#\n# HP Network Automation RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:hp:network_automation';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106430\");\n script_version(\"$Revision: 12096 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:26:02 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-01 11:55:23 +0700 (Thu, 01 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-8511\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"HP Network Automation RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_hp_network_automation_detect.nasl\");\n script_mandatory_keys(\"hp/network_automation/installed\");\n\n script_tag(name:\"summary\", value:\"HP Network Automation is prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Potential security vulnerabilities in RPCServlet and Java deserialization\nwere addressed by HPE Network Automation. The vulnerabilities could be remotely exploited to allow code\nexecution.\");\n\n script_tag(name:\"impact\", value:\"An attacker may execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"HP Network Automation Software v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02,\nv10.10, v10.11, v10.11.01, v10.20.\");\n\n script_tag(name:\"solution\", value:\"Install the provided patches.\");\n\n script_xref(name:\"URL\", value:\"https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05344849\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less_equal(version: version, test_version: \"10.00\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"10.00.021\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version == \"10.10\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"10.11\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version == \"10.11\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"10.11.011\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version == \"10.20\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"10.20.001\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "naslFamily": "Web application abuses", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645415745}}

{"nessus": [{"lastseen": "2021-10-16T13:45:18", "description": "The HP Network Automation application running on the remote host is version 9.1x, 9.2x, or 10.00.x prior to 10.00.021; 10.10.x or 10.11.x prior to 10.11.011; or 10.20.x prior to 10.20.001. It is, therefore, affected by a remote code execution vulnerability in RPCServlet due to improper sanitization of user-supplied input before attempting deserialization of Java objects. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-09T00:00:00", "type": "nessus", "title": "HP Network Automation RPCServlet Java Object Deserialization RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-8511"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/a:hp:network_automation"], "id": "HP_NETWORK_AUTOMATION_HPSBGN03677.NASL", "href": "https://www.tenable.com/plugins/nessus/95658", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95658);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2016-8511\");\n script_bugtraq_id(94610);\n script_xref(name:\"HP\", value:\"HPSBGN03677\");\n script_xref(name:\"HP\", value:\"emr_na-c05344849\");\n\n script_name(english:\"HP Network Automation RPCServlet Java Object Deserialization RCE\");\n script_summary(english:\"Checks the version of HP Network Automation.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote host is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The HP Network Automation application running on the remote host is\nversion 9.1x, 9.2x, or 10.00.x prior to 10.00.021; 10.10.x or 10.11.x\nprior to 10.11.011; or 10.20.x prior to 10.20.001. It is, therefore,\naffected by a remote code execution vulnerability in RPCServlet due to\nimproper sanitization of user-supplied input before attempting\ndeserialization of Java objects. An unauthenticated, remote attacker\ncan exploit this, via a specially crafted request, to execute\narbitrary code.\");\n # https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c05344849\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?98a60471\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-8511\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:network_automation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"hp_network_automation_detect.nbin\");\n script_require_keys(\"installed_sw/HP Network Automation\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"HP Network Automation\";\nget_install_count(app_name:app_name, exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\ninstall = get_single_install(app_name:app_name, port:port, exit_if_unknown_ver:TRUE);\nversion = install['version'];\nurl = build_url(port:port,qs:install['path']);\n\nfix = NULL;\nvuln = FALSE;\n\n# 9.1x or v9.2x should upgrade to v10.0x, or v10.1x or v10.2x\nif (version =~ \"^9\\.[1-2][0-9](\\.|$)\")\n{\n fix = \"10.0x / 10.1x / 10.2x\";\n vuln = TRUE;\n}\nelse if (version =~ \"^10\\.00(\\.|$)\")\n{\n fix = \"10.00.021\";\n}\nelse if (version =~ \"^10.1[0-1](\\.|$)\")\n{\n fix = \"10.11.011\";\n}\nelse if (version =~ \"^10.20(\\.|$)\")\n{\n fix = \"10.20.001\";\n}\n\nif (isnull(fix))\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url, version);\n\nif (!vuln)\n{\n if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0 )\n vuln = TRUE;\n}\n\nif (vuln)\n{\n items = make_array(\"URL\", url,\n \"Installed version\", version,\n \"Fixed version\", fix\n );\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:39:28", "description": "An insecure deserialization vulnerability has been reported in the RPCServlet of HPE Network Automation. The vulnerability is due to the deserialization of untrusted data. A remote attacker can exploit this vulnerability sending a request with crafted serialized data to the exposed RPCServlet. Successful exploitation would result in the execution of arbitrary code under the context of the process.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-18T00:00:00", "type": "checkpoint_advisories", "title": "HPE Network Automation RPCServlet Insecure Deserialization (CVE-2016-8511)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8511"], "modified": "2016-12-26T00:00:00", "id": "CPAI-2016-1120", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T15:53:44", "description": "A Remote Code Execution vulnerability in HPE Network Automation using RPCServlet and Java Deserialization version v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20 was found.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-02-15T22:29:00", "type": "cve", "title": "CVE-2016-8511", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8511"], "modified": "2018-03-13T14:14:00", "cpe": ["cpe:/a:hp:network_automation:10.00", "cpe:/a:hp:network_automation:10.10", "cpe:/a:hp:network_automation:9.22", "cpe:/a:hp:network_automation:10.20", "cpe:/a:hp:network_automation:9.22.01", "cpe:/a:hp:network_automation:10.11.01", "cpe:/a:hp:network_automation:10.11", "cpe:/a:hp:network_automation:9.20", "cpe:/a:hp:network_automation:10.00.02", "cpe:/a:hp:network_automation:10.00.01", "cpe:/a:hp:network_automation:9.10", "cpe:/a:hp:network_automation:9.22.02"], "id": "CVE-2016-8511", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8511", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:hp:network_automation:9.22.01:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:10.00.02:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:9.10:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:10.00.01:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:9.20:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:10.00:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:10.11.01:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:9.22:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:10.11:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:10.10:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:10.20:*:*:*:*:*:*:*", "cpe:2.3:a:hp:network_automation:9.22.02:*:*:*:*:*:*:*"]}], "zdi": [{"lastseen": "2022-01-31T21:17:02", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Network Automation. Authentication is not required to exploit this vulnerability. The specific flaw exists within the exposed RPCServlet. By sending a crafted request, the application can be made to deserialize untrusted data. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-30T00:00:00", "type": "zdi", "title": "Hewlett Packard Enterprise Network Automation RPCServlet Deserialization of Untrusted Data Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8511"], "modified": "2016-11-30T00:00:00", "id": "ZDI-16-616", "href": "https://www.zerodayinitiative.com/advisories/ZDI-16-616/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

HP Network Automation RCE Vulnerability

Description

Related