Description
This vulnerability allows remote attackers to delete arbitrary directories on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed; the CVSS vectors recorded below (Au:S, PR:L) nevertheless score it as requiring authentication. The specific flaw exists within the mibFileServlet servlet, which listens on TCP ports 8080 and 8443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations (a directory traversal, CWE-22 in the related CVE record). An attacker can leverage this vulnerability to delete any directory accessible to SYSTEM. The related Nessus plugin record gives H3C / HPE iMC version 7.3 E0506P03 or later as the fixed version.
Related
{"id": "ZDI-17-835", "vendorId": null, "type": "zdi", "bulletinFamily": "info", "title": "Hewlett Packard Enterprise Intelligent Management Center mibFileServlet Directory Traversal Denial of Service Vulnerability", "description": "This vulnerability allows remote attackers to delete arbitrary directories on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within mibFileServlet servlet, which listens on TCP ports 8080 and 8443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete any directories accessible to SYSTEM.", "published": "2017-10-03T00:00:00", "modified": "2017-10-03T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, "href": "https://www.zerodayinitiative.com/advisories/ZDI-17-835/", "reporter": "Steven Seeley (mr_me) of Offensive Security", 
"references": ["https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03777en_us"], "cvelist": ["CVE-2017-12560"], "immutableFields": [], "lastseen": "2022-02-10T00:00:00", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-12560"]}, {"type": "nessus", "idList": ["HP_IMC_73_E0506P03.NASL"]}], "rev": 4}, "score": {"value": 2.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2017-12560"]}, {"type": "nessus", "idList": ["HP_IMC_73_E0506P03.NASL"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-12560", "epss": "0.003330000", "percentile": "0.665740000", "modified": "2023-03-14"}], "vulnersScore": 2.5}, "_state": {"dependencies": 1645488226, "score": 1659775931, "epss": 1678841637}}
{"cve": [{"lastseen": "2023-02-08T15:46:45", "description": "A Remote Denial of Service vulnerability in HPE Intelligent Management Center (iMC) PLAT version iMC Plat 7.3 E0504P2 was found.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-02-15T22:29:00", "type": "cve", "title": "CVE-2017-12560", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.8, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12560"], "modified": "2018-02-25T22:56:00", "cpe": ["cpe:/a:hp:intelligent_management_center:7.3"], "id": "CVE-2017-12560", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12560", "cvss": {"score": 6.8, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:hp:intelligent_management_center:7.3:e0504p02:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2023-02-04T14:49:39", "description": "The version of HPE Intelligent Management Center (iMC) PLAT installed on the remote host is prior to 7.3 E0506P03. 
It is, therefore, affected by multiple vulnerabilities that can be exploited to execute arbitrary code.\n\nNote that Intelligent Management Center (iMC) is an HPE product;\nhowever, it is branded as H3C.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-06T00:00:00", "type": "nessus", "title": "H3C / HPE Intelligent Management Center PLAT < 7.3 E0506P03 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12554", "CVE-2017-12556", "CVE-2017-12557", "CVE-2017-12558", "CVE-2017-12559", "CVE-2017-12560", "CVE-2017-12561"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:hp:intelligent_management_center"], "id": "HP_IMC_73_E0506P03.NASL", "href": "https://www.tenable.com/plugins/nessus/103696", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103696);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2017-12554\",\n \"CVE-2017-12556\",\n \"CVE-2017-12557\",\n 
\"CVE-2017-12558\",\n \"CVE-2017-12559\",\n \"CVE-2017-12560\",\n \"CVE-2017-12561\"\n );\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03782en_us\");\n script_xref(name:\"HP\", value:\"HPESBHF03782\");\n script_xref(name:\"ZDI\", value:\"ZDI-17-830\");\n script_xref(name:\"ZDI\", value:\"ZDI-17-831\");\n script_xref(name:\"ZDI\", value:\"ZDI-17-832\");\n script_xref(name:\"ZDI\", value:\"ZDI-17-833\");\n script_xref(name:\"ZDI\", value:\"ZDI-17-834\");\n script_xref(name:\"ZDI\", value:\"ZDI-17-835\");\n script_xref(name:\"ZDI\", value:\"ZDI-17-836\");\n\n script_name(english:\"H3C / HPE Intelligent Management Center PLAT < 7.3 E0506P03 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HPE Intelligent Management Center (iMC) PLAT installed\non the remote host is prior to 7.3 E0506P03. 
It is, therefore, affected\nby multiple vulnerabilities that can be exploited to execute arbitrary\ncode.\n\nNote that Intelligent Management Center (iMC) is an HPE product;\nhowever, it is branded as H3C.\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03782en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de291610\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to H3C / HPE iMC version 7.3 E0506P03 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-12561\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP Intelligent Management Java Deserialization RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:intelligent_management_center\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"hp_imc_detect.nbin\");\n script_require_ports(\"Services/activemq\", 61616);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Figure out which port to use\nport = get_service(svc:'activemq', default:61616, exit_on_fail:TRUE);\nversion = get_kb_item_or_exit('hp/hp_imc/'+port+'/version');\n\napp = 'HP Intelligent Management Center';\n\nfixed_display = '7.3-E0506P03';\n\nfix = \"7.3\";\npatchfix = NULL;\n\n# check patch version if 7.3\nif (version =~ \"^7.3\\-\")\n{\n # Versions < 7.3 E0506, remove letters and dashes in version\n patch = pregmatch(pattern:\"[0-9.]+-E([0-9A-Z]+)\", string:version);\n if (!patch) audit(AUDIT_UNKNOWN_APP_VER, app);\n patchver = ereg_replace(string:patch[1], pattern:\"[A-Z\\-]\", replace:\".\");\n if (!patchver) audit(AUDIT_UNKNOWN_APP_VER, app);\n\n patchfix = \"0506.03\";\n}\n\n# if pre 7.3 or 7.3 with patchver before 0506\nif ((ver_compare(ver:version, fix:fix, strict:FALSE) < 0) ||\n (!isnull(patchfix) && ver_compare(ver:patchver, fix:patchfix, strict:FALSE) < 0))\n{\n items = make_array(\n \"Installed version\", version,\n \"Fixed version\", fixed_display\n );\n\n order = make_list(\"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse\n audit(AUDIT_INST_VER_NOT_VULN, app, version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}