Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Expression Language Injection Remote Code Execution Vulnerability
2017-08-11T00:00:00
ID ZDI-17-653 Type zdi Reporter Steven Seeley (mr_me) of Offensive Security Modified 2017-06-22T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the beanName parameter provided to the perfInsListServer.gwtsvc endpoint. When parsing this parameter, the process does not properly validate the user-supplied string before using it to render a page. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
{"published": "2017-08-11T00:00:00", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-12489"]}, {"type": "nessus", "idList": ["HP_IMC_73_E0506.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811626"]}], "modified": "2020-06-22T11:41:15", "rev": 2}, "score": {"value": 3.8, "vector": "NONE", "modified": "2020-06-22T11:41:15", "rev": 2}, "vulnersScore": 3.8}, "id": "ZDI-17-653", "title": "Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Expression Language Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "viewCount": 0, "edition": 2, "reporter": "Steven Seeley (mr_me) of Offensive Security", "references": ["https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us"], "type": "zdi", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the beanName parameter provided to the perfInsListServer.gwtsvc endpoint. When parsing this parameter, the process does not properly validate a user-supplied string before using it to render a page. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "cvelist": ["CVE-2017-12489"], "href": "https://www.zerodayinitiative.com/advisories/ZDI-17-653/", "modified": "2017-06-22T00:00:00", "lastseen": "2020-06-22T11:41:15", "scheme": null}
{"cve": [{"lastseen": "2020-10-03T13:07:34", "description": "A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version PLAT 7.3 (E0504) was found. The problem was resolved in HPE Intelligent Management Center PLAT v7.3 (E0506) or any subsequent version.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-15T22:29:00", "title": "CVE-2017-12489", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12489"], "modified": "2018-02-23T17:48:00", "cpe": ["cpe:/a:hp:intelligent_management_center:7.3"], "id": "CVE-2017-12489", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12489", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:intelligent_management_center:7.3:e0504:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-03-05T18:33:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12527", "CVE-2017-12495", "CVE-2017-12489", "CVE-2017-12509", "CVE-2017-12490", "CVE-2017-12488", "CVE-2017-12540", "CVE-2017-12516", "CVE-2017-12493", "CVE-2017-12487", "CVE-2017-12496", "CVE-2017-12537", 
"CVE-2017-12514", "CVE-2017-12518", "CVE-2017-12532", "CVE-2017-12520", "CVE-2017-12531", "CVE-2017-12528", "CVE-2017-12515", "CVE-2017-12512", "CVE-2017-12521", "CVE-2017-12526", "CVE-2017-12491", "CVE-2017-12498", "CVE-2017-12524", "CVE-2017-12539", "CVE-2017-12530", "CVE-2017-12533", "CVE-2017-12506", "CVE-2017-12505", "CVE-2017-12508", "CVE-2017-12541", "CVE-2017-12494", "CVE-2017-12534", "CVE-2017-12501", "CVE-2017-12529", "CVE-2017-12536", "CVE-2017-12525", "CVE-2017-12502", "CVE-2017-12517", "CVE-2017-12522", "CVE-2017-12511", "CVE-2017-12535", "CVE-2017-12513", "CVE-2017-12500", "CVE-2017-12523", "CVE-2017-12510", "CVE-2017-12538", "CVE-2017-12503", "CVE-2017-12519", "CVE-2017-12497", "CVE-2017-12499", "CVE-2017-12504", "CVE-2017-12492", "CVE-2017-12507"], "description": "This host is installed with HP Intelligent\n Management Center (iMC) and is prone to multiple RCE vulnerabilities.", "modified": "2020-03-04T00:00:00", "published": "2017-08-17T00:00:00", "id": "OPENVAS:1361412562310811626", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811626", "type": "openvas", "title": "HP Intelligent Management Center (iMC) Multiple RCE Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP Intelligent Management Center (iMC) Multiple RCE Vulnerabilities\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:hp:intelligent_management_center\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811626\");\n script_version(\"2020-03-04T09:29:37+0000\");\n script_cve_id(\"CVE-2017-12487\", \"CVE-2017-12488\", \"CVE-2017-12489\", \"CVE-2017-12490\",\n \"CVE-2017-12491\", \"CVE-2017-12492\", \"CVE-2017-12493\", \"CVE-2017-12494\",\n \"CVE-2017-12495\", \"CVE-2017-12496\", \"CVE-2017-12497\", \"CVE-2017-12498\",\n \"CVE-2017-12499\", \"CVE-2017-12500\", \"CVE-2017-12501\", \"CVE-2017-12502\",\n \"CVE-2017-12503\", \"CVE-2017-12504\", \"CVE-2017-12505\", \"CVE-2017-12506\",\n \"CVE-2017-12507\", \"CVE-2017-12508\", \"CVE-2017-12509\", \"CVE-2017-12510\",\n \"CVE-2017-12511\", \"CVE-2017-12512\", \"CVE-2017-12513\", \"CVE-2017-12514\",\n \"CVE-2017-12515\", \"CVE-2017-12516\", \"CVE-2017-12517\", \"CVE-2017-12518\",\n \"CVE-2017-12519\", \"CVE-2017-12520\", \"CVE-2017-12521\", \"CVE-2017-12522\",\n \"CVE-2017-12523\", \"CVE-2017-12524\", \"CVE-2017-12525\", \"CVE-2017-12526\",\n \"CVE-2017-12527\", \"CVE-2017-12528\", \"CVE-2017-12529\", \"CVE-2017-12530\",\n \"CVE-2017-12531\", \"CVE-2017-12532\", \"CVE-2017-12533\", \"CVE-2017-12534\",\n \"CVE-2017-12535\", \"CVE-2017-12536\", \"CVE-2017-12537\", \"CVE-2017-12538\",\n \"CVE-2017-12539\", \"CVE-2017-12540\", \"CVE-2017-12541\");\n script_bugtraq_id(100367);\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-03-04 09:29:37 +0000 (Wed, 04 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-08-17 15:32:25 +0530 (Thu, 17 
Aug 2017)\");\n script_name(\"HP Intelligent Management Center (iMC) Multiple RCE Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is installed with HP Intelligent\n Management Center (iMC) and is prone to multiple RCE vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to multiple\n unspecified errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"HP Intelligent Management Center (iMC)\n version 7.3 E0504\");\n\n script_tag(name:\"solution\", value:\"Upgrade to HP Intelligent Management Center\n (iMC) version 7.3 E0506 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_hp_imc_detect.nasl\");\n script_mandatory_keys(\"HPE/iMC/Win/Ver\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!hpVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_equal(version:hpVer, test_version:\"7.3.E0504\"))\n{\n report = report_fixed_ver(installed_version:hpVer, fixed_version:\"7.3.E0506\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T03:15:32", "description": "The version of HPE Intelligent Management Center (iMC) PLAT installed\non the remote host is prior to 7.3 E0506. 
It is, therefore, affected\nby multiple vulnerabilities that can be exploited to execute arbitrary\ncode.\n\nNote that Intelligent Management Center (iMC) is an HPE product;\nhowever, it is branded as H3C.", "edition": 27, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-15T00:00:00", "title": "H3C / HPE Intelligent Management Center PLAT < 7.3 E0506 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12527", "CVE-2017-12495", "CVE-2017-12489", "CVE-2017-12509", "CVE-2017-12490", "CVE-2017-12488", "CVE-2017-12540", "CVE-2017-12516", "CVE-2017-12493", "CVE-2017-12487", "CVE-2017-12496", "CVE-2017-12537", "CVE-2017-12514", "CVE-2017-12518", "CVE-2017-12532", "CVE-2017-12520", "CVE-2017-12531", "CVE-2017-12528", "CVE-2017-12515", "CVE-2017-12512", "CVE-2017-12521", "CVE-2017-12526", "CVE-2017-12491", "CVE-2017-12498", "CVE-2017-12524", "CVE-2017-12539", "CVE-2017-12530", "CVE-2017-12533", "CVE-2017-12506", "CVE-2017-12505", "CVE-2017-12508", "CVE-2017-12541", "CVE-2017-12494", "CVE-2017-12534", "CVE-2017-12501", "CVE-2017-12529", "CVE-2017-12536", "CVE-2017-12525", "CVE-2017-12502", "CVE-2017-12517", "CVE-2017-12522", "CVE-2017-12511", "CVE-2017-12535", "CVE-2017-12513", "CVE-2017-12500", "CVE-2017-12523", "CVE-2017-12510", "CVE-2017-12538", "CVE-2017-12503", "CVE-2017-12519", "CVE-2017-12497", "CVE-2017-12499", "CVE-2017-12504", "CVE-2017-12492", "CVE-2017-12507"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:hp:intelligent_management_center"], "id": "HP_IMC_73_E0506.NASL", "href": "https://www.tenable.com/plugins/nessus/102500", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102500);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-12487\",\n \"CVE-2017-12488\",\n \"CVE-2017-12489\",\n \"CVE-2017-12490\",\n \"CVE-2017-12491\",\n 
\"CVE-2017-12492\",\n \"CVE-2017-12493\",\n \"CVE-2017-12494\",\n \"CVE-2017-12495\",\n \"CVE-2017-12496\",\n \"CVE-2017-12497\",\n \"CVE-2017-12498\",\n \"CVE-2017-12499\",\n \"CVE-2017-12500\",\n \"CVE-2017-12501\",\n \"CVE-2017-12502\",\n \"CVE-2017-12503\",\n \"CVE-2017-12504\",\n \"CVE-2017-12505\",\n \"CVE-2017-12506\",\n \"CVE-2017-12507\",\n \"CVE-2017-12508\",\n \"CVE-2017-12509\",\n \"CVE-2017-12510\",\n \"CVE-2017-12511\",\n \"CVE-2017-12512\",\n \"CVE-2017-12513\",\n \"CVE-2017-12514\",\n \"CVE-2017-12515\",\n \"CVE-2017-12516\",\n \"CVE-2017-12517\",\n \"CVE-2017-12518\",\n \"CVE-2017-12519\",\n \"CVE-2017-12520\",\n \"CVE-2017-12521\",\n \"CVE-2017-12522\",\n \"CVE-2017-12523\",\n \"CVE-2017-12524\",\n \"CVE-2017-12525\",\n \"CVE-2017-12526\",\n \"CVE-2017-12527\",\n \"CVE-2017-12528\",\n \"CVE-2017-12529\",\n \"CVE-2017-12530\",\n \"CVE-2017-12531\",\n \"CVE-2017-12532\",\n \"CVE-2017-12533\",\n \"CVE-2017-12534\",\n \"CVE-2017-12535\",\n \"CVE-2017-12536\",\n \"CVE-2017-12537\",\n \"CVE-2017-12538\",\n \"CVE-2017-12539\",\n \"CVE-2017-12540\",\n \"CVE-2017-12541\"\n );\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03768en_us\");\n script_xref(name:\"HP\", value:\"HPESBHF03768\");\n\n script_name(english:\"H3C / HPE Intelligent Management Center PLAT < 7.3 E0506 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of HPE Intelligent Management Center.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HPE Intelligent Management Center (iMC) PLAT installed\non the remote host is prior to 7.3 E0506. 
It is, therefore, affected\nby multiple vulnerabilities that can be exploited to execute arbitrary\ncode.\n\nNote that Intelligent Management Center (iMC) is an HPE product;\nhowever, it is branded as H3C.\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8768af0a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to H3C / HPE iMC version 7.3 E0506 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-12541\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:intelligent_management_center\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"hp_imc_detect.nbin\");\n script_require_ports(\"Services/activemq\", 61616);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Figure out which port to use\nport = get_service(svc:'activemq', default:61616, exit_on_fail:TRUE);\nversion = get_kb_item_or_exit('hp/hp_imc/'+port+'/version');\n\napp = 'HP Intelligent Management Center';\n\nfixed_display = '7.3-E0506';\n\nfix = NULL;\npatchfix = NULL;\n\nif (version =~ \"^[0-6](\\.[0-9]+)*$\" || # e.g. 5, 6.999\n version =~ \"^7\\.0([0-9]|\\.[0-9]+)*$\" || # e.g. 7.01, 7.0.2\n version =~ \"^7(\\.[0-2])?$\" # e.g. 7, 7.1, 7.2\n)\n{\n fix = \"7.3\";\n}\n\n# check patch version if 7.3\nelse if (version =~ \"^7.3\\-\")\n{\n # Versions < 7.3 E0506, remove letters and dashes in version\n patch = pregmatch(pattern:\"[0-9.]+-E([0-9A-Z]+)\", string:version);\n if (!patch) audit(AUDIT_UNKNOWN_APP_VER, app);\n patchver = ereg_replace(string:patch[1], pattern:\"[A-Z\\-]\", replace:\".\");\n if (!patchver) audit(AUDIT_UNKNOWN_APP_VER, app);\n\n patchfix = \"0506\";\n}\n\n# if pre 7.3 or 7.3 with patchver before 0506\nif ((!isnull(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0) ||\n (!isnull(patchfix) && ver_compare(ver:patchver, fix:patchfix, strict:FALSE) < 0))\n{\n items = make_array(\n \"Installed version\", version,\n \"Fixed version\", fixed_display\n );\n\n order = make_list(\"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse\n audit(AUDIT_INST_VER_NOT_VULN, app, version);\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}