
[R3] HPE Intelligent Management Center Multiple Vulnerabilities

Critical

Synopsis

Tenable has discovered multiple vulnerabilities in HPE Intelligent Management Center 7.3 E0605 Standard.

Dbman Opcode 10002 Arbitrary Backup

A remote unauthenticated attacker may trigger a backup of iMC by sending a crafted opcode 10002 message to the dbman service over TCP port 2810. The vulnerability exists within the processing of AsnPlatManualBackupReqContent ASN.1 messages. An attacker may populate the backupDir parameter to specify the destination path to which the backup will be made. In order for an attack to be possible, the Intelligent Deployment Monitoring Agent must have been configured for backups. This scenario is highly likely based on best practices related to performing backups. A successful exploit can be accomplished by setting the backupDir to point to a location on disk that is externally accessible. By default, the iMC web application listens on HTTP port 8080, and the noAuth web directory is externally accessible. Therefore, an attacker could specify the absolute path to the noAuth directory and subsequently download the backup files.

Below is a list of files that are produced by the backup process. Note that the timestamp is subject to change.

  • 127.0.0.1@aclm_db_imc_aclm_db_20180614_163110_full.db
  • plat_20180614_163110.zip
  • 127.0.0.1@config_db_imc_config_db_20180614_163110_full.db
  • icc_20180614_163110.zip
  • 127.0.0.1@invent_db_imc_inventory_db_20180614_163110_full.db
  • 127.0.0.1@icc_db_imc_icc_db_20180614_163110_full.db
  • perf_20180614_163110.zip
  • 127.0.0.1@perf_db_imc_perf_db_20180614_163110_full.db
  • 127.0.0.1@monitor_db_imc_monitor_db_20180614_163110_full.db
  • report_20180614_163110.zip
  • dbman_20180614_163110.conf
  • db_catalog_20180614_163110.dat.ok
  • db_catalog_20180614_163110.dat
  • 127.0.0.1@vxlan_db_imc_vxlan_db_20180614_163110_full.db
  • 127.0.0.1@vnm_db_imc_vnm_db_20180614_163110_full.db
  • 127.0.0.1@vlanm_db_vlan_db_20180614_163110_full.db
  • 127.0.0.1@syslog_db_imc_syslog_db_20180614_163110_full.db
  • 127.0.0.1@reportplat_db_reportplat_db_20180614_163110_full.db
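The defect above is that dbman writes wherever the client-supplied backupDir points. The following added example (not iMC code, and not from the advisory) shows the containment check a backup handler should apply: the request is resolved against a configured backup root and rejected if it escapes that root or lands inside a web-served directory. Both directory paths are assumptions; only the noAuth directory name comes from the advisory.

```python
import ntpath

# Assumed directories (not from the advisory): the only root dbman should be
# allowed to write backups under, and the web tree containing the externally
# reachable noAuth directory that a backupDir must never resolve into.
BACKUP_ROOT = r"C:\Program Files\iMC\dbman\backup"
FORBIDDEN_ROOTS = (r"C:\Program Files\iMC\client\web",)


def _norm(path):
    # Collapse '..' segments and unify separators/case the way Windows would.
    return ntpath.normcase(ntpath.normpath(path))


def _is_within(child, parent):
    child, parent = _norm(child), _norm(parent)
    return child == parent or child.startswith(parent + ntpath.sep)


def validate_backup_dir(backup_dir, root=BACKUP_ROOT, forbidden=FORBIDDEN_ROOTS):
    """Return (accepted, resolved_path_or_reason) for a client-supplied backupDir.

    Relative paths are resolved against the backup root; absolute, drive-rooted
    and UNC paths are taken as given and must still land inside the root. The
    web-directory check is defence in depth in case the root is misconfigured."""
    if not backup_dir or "\x00" in backup_dir:
        return False, "empty or NUL-containing path"
    resolved = _norm(ntpath.join(root, backup_dir))
    if not _is_within(resolved, root):
        return False, "escapes backup root: " + resolved
    for web_root in forbidden:
        if _is_within(resolved, web_root):
            return False, "inside web-served directory: " + resolved
    return True, resolved
```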

Dbman Opcode 10003 ‘Filename’ Denial of Service

A crafted AsnPlatManualRestoreReqContent ASN.1 message can cause a denial of service condition in the dbman service. These messages contain sequences of the AsnPlatManualRestoreItem type. By sending a restore item with a crafted fileName field value, the service can be forced to restart.

More specifically, std::basic_string::substr() is called on this field with an offset computed from it (the sub eax, 17h shown below). If the field value is too small, that calculation leaves EAX negative, and substr(uint, uint) receives it as a very large unsigned offset; the resulting std::out_of_range exception is never handled and the process crashes. See the assembly instructions below:

.text:004201C1                 sub     eax, 17h
.text:004201C4                 push    eax
.text:004201C5                 lea     ecx, [ebp+var_5C]
.text:004201C8                 push    ecx
.text:004201C9                 lea     ecx, [ebp+var_78]
.text:004201CC                 call    ds:?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::substr(uint,uint)

Below is a stack trace generated by WinDbg when the crash occurs:

0189ef28 7321df60 KERNELBASE!RaiseException+0x58
0189ef60 732a4833 MSVCR90!CxxThrowException+0x48
0189efd0 73276344 MSVCP90!std::_String_base::_Xran+0x37
0189efe4 732770df MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign+0x1a
0189effc 73277597 MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >+0x26
0189f018 004201d2 MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::substr+0x1d
0189f6c4 0046506b dbman+0x201d2
0189ff0c 72901004 dbman+0x6506b
0189ff44 731e3433 ACE_v6!ACE_OS_Thread_Adapter::invoke+0x74
0189ff7c 731e34c7 MSVCR90!endthreadex+0x44
0189ff88 768d33aa MSVCR90!endthreadex+0xd8
0189ff94 76f89f72 KERNEL32!BaseThreadInitThunk+0x12
0189ffd4 76f89f45 ntdll_76f50000!RtlInitializeExceptionChain+0x63
0189ffec 00000000 ntdll_76f50000!RtlInitializeExceptionChain+0x36

JMX Insecure Config Unauthenticated Remote Code Execution

iMC's JMX service, which listens on TCP port 9091 on all interfaces by default, is vulnerable to remote code execution. Additionally, the process runs with SYSTEM privileges. This vulnerability can be exploited without authentication.

Specifically, the vulnerability exists due to JMX being configured to start without requiring authentication. The startup configuration is defined in C:\Program Files\iMC\client\bin\startup.bat. JMX is configured to require SSL; however, the client is not authenticated.

The vulnerability can be exploited programmatically in the following manner:

  1. Store the JMX server certificate in a Java keystore. (Note: this can be retrieved remotely.)
  2. Connect to JMX/RMI over TCP port 9091.
  3. A new MBean is registered, instantiating the class javax.management.loading.MLet.
  4. Using this MBean, the addURL() method is invoked. A URL pointing to an attacker-controlled JAR file is specified, which contains a custom MBean.
  5. Now, the custom MBean defined in the attacker-controlled JAR is able to be instantiated.
  6. Attacker MBean is instantiated, and attacker-defined Java code is executed.

Dbman Opcode 10001 Information Disclosure

An information disclosure vulnerability exists within the processing of AsnPlatRemoteDiskDirReqContent ASN.1 messages. By sending these messages, an attacker is able to map out the file system and discover the existence of all files and directories. This is read-only.

An iMC class named RemoteFileChooser is defined within C:\Program Files\iMC\deploy\deploy.jar. This class implements a user interface that allows the user to browse a remote file system using the dbman protocol.

A proof of concept (PoC) Java program has been provided below to demonstrate exploitation. Note that the PoC simply makes use of the RemoteFileChooser class. After running the program, a user interface will appear.

package imc_poc;
 
import com.h3c.imc.deploy.dma.RemoteFileChooser;
 
public class Runit {
 
	public static void main(String[] args) {
		// Second argument is the address of the iMC server; the chooser speaks the dbman protocol (TCP port 2810).
		RemoteFileChooser chooser = new RemoteFileChooser(null, "192.168.1.192");
		// Directory at which the remote browsing dialog starts.
		chooser.setPath("C:\\");
		chooser.openRemoteFileChooserDialog();
	}
}

JMX Insecure Configuration Unauthenticated Remote Information Disclosure

An information disclosure vulnerability was discovered in HPE iMC's JMX service, which listens on TCP port 9091 on all interfaces by default. This vulnerability can be exploited remotely, without authentication.

Specifically, the vulnerability exists due to JMX being configured to start without requiring authentication. The startup configuration is defined in C:\Program Files\iMC\client\bin\startup.bat. JMX is configured to require SSL; however, the client is not authenticated. Because of this, an unauthenticated attacker is able to initiate a JConsole session. Sensitive information may be read using this client.

The vulnerability can be exploited in the following manner:

  1. Store the JMX server certificate in a Java keystore. (Note: this can be retrieved remotely.)
  2. Connect to JMX/RMI over TCP port 9091 using 'jconsole'.
  3. A user interface is now available to inspect Java Memory, Threads, Classes, VM Summary, and MBeans.
  4. In particular, the startup command listed above can be viewed in the VM Summary tab. Note that this contains the keystore password in plain text.
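Both JMX findings above come down to the same startup flags: remote JMX enabled, authentication switched off, TLS without client certificates, and the keystore password on the command line. The following added audit script (not part of the advisory or of iMC) parses a JVM command line for the standard com.sun.management.jmxremote.* properties and reports those weaknesses beside a hardened property set. The sample command line is constructed for illustration and is not the contents of startup.bat.

```python
import re

# Constructed JVM command line in the style of a JMX-enabled Windows service;
# an assumption for illustration, not iMC's real startup.bat.
WEAK_CMDLINE = (
    "java -Dcom.sun.management.jmxremote.port=9091 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=true "
    "-Djavax.net.ssl.keyStore=C:\\imc\\jmx.jks "
    "-Djavax.net.ssl.keyStorePassword=hunter2 -jar imc.jar"
)

# The same service hardened: password and access files, mandatory client
# certificates, and no secret on the command line (keystore settings can live
# in the file named by com.sun.management.config.file instead).
HARDENED_PROPS = {
    "com.sun.management.jmxremote.port": "9091",
    "com.sun.management.jmxremote.authenticate": "true",
    "com.sun.management.jmxremote.password.file": "C:\\imc\\jmxremote.password",
    "com.sun.management.jmxremote.access.file": "C:\\imc\\jmxremote.access",
    "com.sun.management.jmxremote.ssl": "true",
    "com.sun.management.jmxremote.ssl.need.client.auth": "true",
}

PROP_RE = re.compile(r'-D([A-Za-z0-9_.]+)=("[^"]*"|\S+)')


def parse_jvm_props(cmdline):
    """Extract -Dname=value pairs; quoted values have their quotes stripped."""
    return {k: v.strip('"') for k, v in PROP_RE.findall(cmdline)}


def audit_jmx(props):
    """Return finding codes, in check order, for a remote JMX configuration."""
    j = "com.sun.management.jmxremote."
    findings = []
    if props.get(j + "port") is None:
        return findings                      # remote JMX not enabled at all
    if props.get(j + "authenticate", "true").lower() == "false":
        findings.append("NO_AUTH")           # anyone reaching the port is admin
    if props.get(j + "ssl", "true").lower() == "false":
        findings.append("NO_TLS")
    elif props.get(j + "ssl.need.client.auth", "false").lower() != "true":
        findings.append("NO_CLIENT_CERT_AUTH")  # server-only TLS, as in iMC
    if "javax.net.ssl.keyStorePassword" in props:
        findings.append("KEYSTORE_PASSWORD_IN_CMDLINE")  # visible in VM Summary
    return findings


def audit_jmx_cmdline(cmdline):
    return audit_jmx(parse_jvm_props(cmdline))
```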

Dbman Opcode 10014 Unauthenticated 'kill' Denial of Service

The dbman service can be halted by sending a “kill” message. Opcode 10014 messages are processed without authentication. Once this type of message is processed, the dbman.exe process promptly reboots. This appears to be the intended functionality, as no crash occurs. Regardless of the intended behavior, a remote unauthenticated attacker may cause a denial of service.

Below are the log entries written to dbman_debug.log:

2018-07-10 09:44:34 [DEBUG] [My_Accept_Handler::handle_input] Connection established 192.168.1.191
2018-07-10 09:44:34 [DEBUG] [CDataConnStreamQueueT::deal_msg] Receive command code: 10014
2018-07-10 09:44:34 [ERROR] [CDataConnStreamQueueT::deal_msg] reveive kill msg:g_Restoring 0;g_Backupping 0.
2018-07-10 09:44:34 [DEBUG] [CommandMain] Stop CommandMain()
2018-07-10 09:44:34 [INFO] [JoinCommandThread] Begin to join command thread
2018-07-10 09:44:34 [DEBUG] [JoinCommandThread] Join command thread success
2018-07-10 09:44:34 [INFO] [JoinCommandThread] Stop successfully!
2018-07-10 09:44:34 [INFO] [DBMAN] Stop successfully!
2018-07-10 09:44:38 [INFO] [Main] Version: 7.3
2018-07-10 09:44:38 [INFO] [Main] Global directory: C:/Program Files/iMC/dbman
2018-07-10 09:44:38 [INFO] [Main] Listenning on port: 2810
2018-07-10 09:44:38 [DEBUG] [Main] arv count 1
2018-07-10 09:44:38 [DEBUG] [Main] arv 1: dbman.exe
2018-07-10 09:44:38 [INFO] [Client::connect_to_server] Starting connect to 127.0.0.1: 2810
2018-07-10 09:44:39 [DEBUG] [Client::connect_to_server] errno: 10061, strerror: connection refused
2018-07-10 09:44:39 [ERROR] [Client::connect_to_server] Connection failed
2018-07-10 09:44:39 [ERROR] [Client::send_echo_msg] Connect to server fail
2018-07-10 09:44:39 [DEBUG] [CreateCommandThread] Succeed to create command process thread .
2018-07-10 09:44:39 [DEBUG] [CommandMain] Start CommandMain()
2018-07-10 09:44:41 [INFO] [DBMAN] Startup successfully!
2018-07-10 09:44:41 [DEBUG] [NormalRun] Begin excute NormalRun
2018-07-10 09:44:41 [INFO] [NormalRun] MaxLogSize = 10485760
2018-07-10 09:44:41 [INFO] [NormalRun] ServerCount = -1
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 127.0.0.1
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 192.168.1.192
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 127.0.0.1
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: fe80::e5d6:4a87:8ba6:ea82%11
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: fe80::c3e:32a5:3f57:fe3f%13
2018-07-10 09:44:41 [INFO] [NormalRun] Local ip address: 2001:0:5cf2:8c15:c3e:32a5:3f57:fe3f
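Because dbman logs both the connecting peer and the received command code, the debug log gives a defender a cheap detection signal for the unauthenticated opcodes in this advisory (10001, 10002, 10003 and 10014). The following added example (not from the advisory) scans dbman_debug.log lines and reports those opcodes when they arrive from a non-loopback, non-allowlisted peer; the sample input is the three lines quoted above plus four constructed lines.

```python
import ipaddress
import re

# Opcodes the advisory says dbman processes without authentication.
UNAUTH_OPCODES = {10001: "remote dir listing", 10002: "manual backup",
                  10003: "manual restore", 10014: "kill"}

LINE_RE = re.compile(r"^(\S+ \S+) \[\w+\] \[[^\]]+\] (.*)$")
CONN_RE = re.compile(r"Connection established (\S+)")
CMD_RE = re.compile(r"Receive command code: (\d+)")


def scan_dbman_log(lines, trusted=()):
    """Return (timestamp, peer, opcode, name) for each watched opcode sent by a
    peer that is neither loopback nor in `trusted`. Assumption: dbman logs no
    connection id, so a code is attributed to the latest logged connection."""
    alerts, peer = [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg = m.groups()
        c = CONN_RE.search(msg)
        if c:
            peer = c.group(1)
            continue
        k = CMD_RE.search(msg)
        if not k or peer is None:
            continue
        opcode = int(k.group(1))
        if opcode not in UNAUTH_OPCODES or peer in trusted:
            continue
        try:
            if ipaddress.ip_address(peer).is_loopback:
                continue
        except ValueError:
            pass                      # unparsable peer: treat as untrusted
        alerts.append((ts, peer, opcode, UNAUTH_OPCODES[opcode]))
    return alerts


# Constructed sample: advisory's three kill lines, then a loopback backup
# (ignored) and a remote backup request (reported).
SAMPLE_LOG = """\
2018-07-10 09:44:34 [DEBUG] [My_Accept_Handler::handle_input] Connection established 192.168.1.191
2018-07-10 09:44:34 [DEBUG] [CDataConnStreamQueueT::deal_msg] Receive command code: 10014
2018-07-10 09:44:34 [ERROR] [CDataConnStreamQueueT::deal_msg] reveive kill msg:g_Restoring 0;g_Backupping 0.
2018-07-10 09:50:01 [DEBUG] [My_Accept_Handler::handle_input] Connection established 127.0.0.1
2018-07-10 09:50:01 [DEBUG] [CDataConnStreamQueueT::deal_msg] Receive command code: 10002
2018-07-10 09:52:17 [DEBUG] [My_Accept_Handler::handle_input] Connection established 10.0.0.5
2018-07-10 09:52:17 [DEBUG] [CDataConnStreamQueueT::deal_msg] Receive command code: 10002
""".splitlines()
```

Only peers that should legitimately drive dbman (for example the iMC deployment host) belong in `trusted`; any other source of these opcodes is worth an alert.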

Solution

Follow HPE's recommendations in their advisory.

Disclosure Timeline

06-15-2018 - Tenable sends a write up and proof of concept to HPE. 90 day deadline set to September 13.
06-15-2018 - HPE acknowledges the report. Says they will follow up by September 19.
06-18-2018 - HPE assigns PSRT110727.
06-19-2018 - Tenable sends a new write up and proof of concept to HPE. 90 day deadline set to September 17.
06-26-2018 - Second communication attempt.
06-26-2018 - HPE assigns PSRT110731.
06-26-2018 - Tenable sends *another* write up and proof of concept to HPE. 90 day deadline set to September 25.
06-28-2018 - PSRT110736 assigned by HPE.
06-28-2018 - Tenable sends yet another write up and proof of concept to HPE. 90 day deadline set to September 26.
06-28-2018 - HPE assigns PSRT110735.
06-29-2018 - Tenable sends still another write up and proof of concept to HPE. 90 day deadline set to September 27.
06-29-2018 - HPE assigns PSRT110740.
07-10-2018 - Tenable sends a final write up and proof of concept to HPE. 90 day deadline set to October 8.
07-10-2018 - HPE assigns PSRT110743.
08-02-2018 - Tenable asks for bug fix timeline.
08-09-2018 - Tenable follows up on bug fix timeline.
08-10-2018 - HPE says "we have evaluated all of these vulnerabilities and are working on the schedule estimate," and as soon as they have something to communicate, they will share it.
09-10-2018 - HP sends estimates of bug fix timeline. Says bugs will
09-11-2018 - Tenable replies that we will disclose on Oct. 8th.
10-01-2018 - Tenable asks whether 7.3 E0605H05 fixed PSRT110727 or PSRT110731 and states that potential fixes have been observed.
10-02-2018 - HPE says "the release you mentioned was not communicated to us as having fixed the problems you listed" and asks how we made this determination.
10-04-2018 - Tenable provides details.
10-04-2018 - HPE assures Tenable that these changes were intended to be fixed in a release (not patch). Will follow up with program manager.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2018-28
Credit:
Chris Lyne
CVSSv2 Base / Temporal Score:
10.0 / 8.6
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
Nessus Plugin ID: 119501
Affected Products:
HPE Intelligent Management Center 7.3 E0605 Standard
Risk Factor:
Critical
Additional Keywords:
PSRT110727
PSRT110731
PSRT110735
PSRT110736
PSRT110740
PSRT110743

Advisory Timeline

10-09-2018 - [R1] Initial Release
01-03-2018 - [R2] Added Solution Information
05-21-2019 - [R3] Added additional CVEs