Activity Feed

Technical Analysis

Description

On October 12, 2020, HP Enterprise (HPE) published a security bulletin disclosing 64 separate remote code execution (RCE) and unauthorized data injection vulnerabilities in its Intelligent Management Center (IMC) product.

As of October 21, 2020, Rapid7 researchers have independently verified that 12 of the vulnerabilities were fixed in HPE IMC 7.3 patch E0705P02, which was released on December 6, 2019. The other 52 vulnerabilities appear to have been fixed in HPE IMC 7.3 patch E0705P07, which was released on October 12, 2020 along with the advisory that prompted this analysis. The cumulative advisory from HPE may have been published for the sake of mapping previously unpublished CVEs to several batches of vulnerabilities disclosed by the Zero Day Initiative (ZDI) in early 2020. We are not aware of any active exploitation as of October 28, 2020.

The CVEs included in the advisory are:

  • CVE-2020-7141 through CVE-2020-7195
  • CVE-2020-24629
  • CVE-2020-24630
  • CVE-2020-24646 through CVE-2020-24652

41 of the CVEs carry a 9.8 CVSSv3 base score, while the other 23 carry an 8.8 base score.

By cross-referencing the vulnerabilities in the advisory with ZDI’s published advisories, Rapid7 researchers determined that CVE-2020-7141 through CVE-2020-7143, CVE-2020-24629, CVE-2020-24630, and CVE-2020-24646 through CVE-2020-24652 were patched in HPE IMC version 7.3 (E0705P02), while CVE-2020-7144 through CVE-2020-7195 were presumably patched in 7.3 (E0705P07).

Affected products

We have included a full table of affected products and patch versions at the bottom of this analysis.

  • HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
    • CVE-2020-7141 through CVE-2020-7143
    • CVE-2020-24629
    • CVE-2020-24630
    • CVE-2020-24646 through CVE-2020-24652
  • HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
    • CVE-2020-7144 through CVE-2020-7195

Rapid7 analysis

HPE IMC is a well-known enterprise product whose user base presents high-value opportunities for attackers. The vast majority of the vulnerabilities in HPE’s cumulative advisory have been publicly available on ZDI’s 2020 advisories page (with technical detail) since January and February of 2020, which means that attackers have had the information they need to craft and hone attacks for the better part of a year. It’s likely that we’ll see more HPE IMC vulnerability disclosures through at least the beginning of 2021.

To test the E0705P02 patch hypothesis, Rapid7 researchers sampled CVE-2020-24648, a Java deserialization vulnerability in AccessMgrServlet. The sole Java deserialization vulnerability was chosen for the frequently and often easily exploitable nature of its bug class.

Contrary to HPE’s security bulletin, the vulnerability did require authentication to exploit, prior to the E0705P02 patch. However, Rapid7 researchers surmise that CVE-2020-24629, an authentication bypass in UrlAccessController, could possibly be leveraged to bypass CVE-2020-24648’s authentication requirement.

The E0705P02 patch to the AccessMgrServlet class’ doPost() method is shown below. The doPost() method in a Java servlet handles HTTP POST requests. Note the use of the ValidatingObjectInputStream class to validate Java objects deserialized by the readObject() method. This mitigation is only as effective as the objects it seeks to validate.

   public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-    HttpSession session = request.getSession();
-    OperatorLoginInfo operatorLoginInfo = null;
-    try {
-      operatorLoginInfo = OperatorLoginInfo.getLoginOperator(session);
-      if (runLog.isTraceEnabled())
-        runLog.trace("current operatorLoginInfo is " + operatorLoginInfo
-            .getLoginName());
-    } catch (PlatformException e) {
-      runLog.warn(null, (Throwable)e);
-      response.setContentType("application/octet-stream");
-      (new ObjectOutputStream((OutputStream)response.getOutputStream()))
-        .writeUnshared("SESSION_ERROR");
-      response.getOutputStream().flush();
-      return;
-    }
-    try {
-      Map<Integer, Set<Number>> resources = (operatorLoginInfo == null) ? null : operatorLoginInfo.getResources();
-      ValidatingObjectInputStream is = new ValidatingObjectInputStream((InputStream)request.getInputStream());
-      Class<?>[] classTypes = new Class[2];
-      classTypes[0] = Class.forName("com.h3c.imc.fault.applet.MgrReqMsg");
-      classTypes[1] = Class.forName("[B");
-      is.accept(classTypes);
-      Object o = is.readObject();
-      if (!(o instanceof MgrReqMsg)) {
-        runLog.error("received data type is not MgrReqMsg!");
-        return;
-      }
-      MgrReqMsg msg = (MgrReqMsg)o;
-      String methodName = new String(msg.methodName);
-      String className = new String(msg.className);
-      Object objRet = null;
-      MgrReqMsg resp = null;
-      if ("accessMgrServlet".equals(className))
-        if ("checkSeesion".equals(methodName)) {
-          String value = session.getId();
-          runLog.debug("check server session = " + value);
-          resp = new MgrReqMsg(className, methodName, value, false);
-          response.setContentType("application/octet-stream");
-          ObjectOutputStream objectOutputStream = new ObjectOutputStream((OutputStream)response.getOutputStream());
-          objectOutputStream.writeUnshared(resp);
-          response.getOutputStream().flush();
-          return;
-        }
-      if (this.faultBoardMgr != null && "faultBoardMgr".equals(className)) {
-        boolean needReturn = false;
-        if ("readFaultAppletData".equals(methodName)) {
-          needReturn = true;
-          objRet = this.faultBoardMgr.readFaultAppletData(resources);
-        } else if ("clearLoadFlag".equals(methodName)) {
-          needReturn = true;
-          objRet = null;
-          this.faultBoardMgr.clearLoadFlag();
-        } else if ("queryAllFaultTypeMap".endsWith(methodName)) {
-          needReturn = true;
-          objRet = this.faultBoardMgr.queryAllFaultTypeMap();
-        } else if ("queryAppletLoopInterval".endsWith(methodName)) {
-          needReturn = true;
-          objRet = Integer.valueOf(this.faultBoardMgr.queryAppletLoopInterval());
-        }
-        if (needReturn) {
-          if (objRet == null)
-            return;
-          response.setContentType("application/octet-stream");
-          ObjectOutputStream objectOutputStream = new ObjectOutputStream((OutputStream)response.getOutputStream());
-          objectOutputStream.writeUnshared(objRet);
-          response.getOutputStream().flush();
-          return;
-        }
-      }
-      Object data = null;
-      if (msg.isAsn) {
-        if (msg.msgcls != null) {
-          BERDecoder de = new BERDecoder(msg.data);
-          Object object = Class.forName(new String(msg.msgcls)).newInstance();
-          data = object;
-          ((ASN1Type)data).decode((ASN1Decoder)de);
-        }
-      } else if (msg.msgcls != null) {
-        data = Class.forName(new String(msg.msgcls)).newInstance();
-      }
-      Object bean = null;
-      Class<?> cls = null;
-      if (ServerContext.getRootAppContext().containsBean(className))
-        bean = ServerContext.getRootAppContext().getBean(className);
-      try {
-        if (bean == null) {
-          String regex = "[a-zA-Z]+[0-9a-zA-Z_]*";
-          if (Pattern.matches(regex, className))
-            bean = FacesUtils.getValueExpressionObject("#{" + className + "}");
-        }
-      } catch (Exception e) {
-        runLog.debug(null, e);
-      }
-      if (bean == null) {
-        runLog.warn("the bean " + className + " does not exist.");
-        return;
-      }
-      cls = bean.getClass();
-      List<Class<?>> classList = new ArrayList<>();
-      int rs = 1;
-      int addReq = 2;
-      int addPri = 4;
-      int addData = 8;
-      if (msg.request) {
-        classList.add(HttpServletRequest.class);
-        rs |= addReq;
-      }
-      if (msg.isPrivilege) {
-        classList.add(Map.class);
-        rs |= addPri;
-      }
-      if (msg.msgcls != null) {
-        classList.add(Class.forName(new String(msg.msgcls)));
-        rs |= addData;
-      }
-      Class<?>[] argv = new Class[classList.size()];
-      argv = (Class[])classList.<Class<?>[]>toArray((Class<?>[][])argv);
-      Method m = cls.getMethod(methodName, argv);
-      if (rs == 1) {
-        objRet = m.invoke(bean, new Object[0]);
-      } else if (rs == 3) {
-        objRet = m.invoke(bean, new Object[] { request });
-      } else if (rs == 5) {
-        objRet = m.invoke(bean, new Object[] { resources });
-      } else if (rs == 9) {
-        objRet = m.invoke(bean, new Object[] { data });
-      } else if (rs == 7) {
-        objRet = m.invoke(bean, new Object[] { request, resources });
-      } else if (rs == 11) {
-        objRet = m.invoke(bean, new Object[] { request, data });
-      } else if (rs == 13) {
-        objRet = m.invoke(bean, new Object[] { resources, data });
-      } else if (rs == 15) {
-        objRet = m.invoke(bean, new Object[] { request, resources, data });
-      } else {
-        runLog.error("request proc failed, quest code is " + rs);
-        runLog.error("request proc failed, quest MgrReqMsg is " + msg.toString());
-        return;
-      }
-      if (objRet == null)
-        return;
-      resp = new MgrReqMsg(className, methodName, objRet, false);
-      response.setContentType("application/octet-stream");
-      ObjectOutputStream oos = new ObjectOutputStream((OutputStream)response.getOutputStream());
-      oos.writeUnshared(resp);
-      response.getOutputStream().flush();
-    } catch (Exception e) {
-      runLog.warn(null, e);
-      return;
-    }
   }
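
Review bot: the `ValidatingObjectInputStream` allowlist in the removed block (`is.accept(MgrReqMsg, byte[])`) constrains only what `readObject()` materialises; the risky steps are the ones after it, all driven by strings taken out of the deserialized `MgrReqMsg`: `Class.forName(new String(msg.msgcls)).newInstance()`, bean lookup through `FacesUtils.getValueExpressionObject("#{" + className + "}")` gated only by the regex `[a-zA-Z]+[0-9a-zA-Z_]*`, and `cls.getMethod(methodName, argv).invoke(bean, …)`. Deleting the body removes all of that, but it leaves `doPost()` as a live no-op that reads nothing and returns 200 with an empty body for any POST. If the applet protocol is retired, have the method send `HttpServletResponse.SC_METHOD_NOT_ALLOWED` (or drop the servlet mapping) and leave a comment stating that the body is intentionally empty, so the next maintainer does not reinstate it. Minor, on the removed lines only: `"queryAllFaultTypeMap".endsWith(methodName)` and `"queryAppletLoopInterval".endsWith(methodName)` were suffix matches rather than equality tests, and `checkSeesion` is misspelled; neither matters once the code is gone.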

The patch deletes the doPost() method’s code entirely, preventing any further vulnerabilities in that method (and perhaps proving the adage that the most secure code is code that doesn’t exist).

Curiously, the doGet() method that handles HTTP GET requests was modified in the same way. Since there was no authentication in this method, sending a GET request to the /imc/fault/accessMgrServlet endpoint allows defenders to detect the presence of the E0705P02 patch.

   public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-    response.setContentType("text/html; charset=GBK");
-    PrintWriter out = response.getWriter();
-    out.println("<htmlnode>");
-    out.println("<body>");
-    out.println("<p>ok</p>");
-    out.println("</body></html>");
   }
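
Review bot: with the body removed, `doGet()` still answers unauthenticated GETs on the servlet's mapping (there is no session check in this method before or after the change), only now with an empty 200 instead of the `<p>ok</p>` page; that is exactly what makes it a patch-level fingerprint for anyone who can reach the host. If the servlet is retired, remove the mapping or return 404/405 so the endpoint stops advertising its patch state.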

No other changes were made to the AccessMgrServlet class between E0705P02 and E0705P07, making this an effective remote check for that patch range.

Since we wanted confirmation that the authentication bypass had been patched by E0705P02, we analyzed the UrlAccessController class for any changes to the file.

Two normalizeSyntax() methods were modified; the changes can be seen below.

   private static URI normalizeSyntax(URI uri) {
     if (uri.isOpaque())
       return uri;
     String path = (uri.getPath() == null) ? "" : uri.getPath();
     String[] inputSegments = path.split("/");
     Stack<String> outputSegments = new Stack<>();
     for (String inputSegment : inputSegments) {
       if (inputSegment.length() != 0 &&
         !".".equals(inputSegment))
-        if ("..".equals(inputSegment) || StringUtils.equalsIgnoreCase("%2e%2e", inputSegment)) {
+        if ("..".equals(inputSegment) || StringUtils.equalsIgnoreCase("%2e%2e", inputSegment) ||
+          StringUtils.equalsIgnoreCase(".%2e", inputSegment) ||
+          StringUtils.equalsIgnoreCase("%2e.", inputSegment)) {
           if (!outputSegments.isEmpty())
             outputSegments.pop();
         } else {
           outputSegments.push(inputSegment);
         }
     }
     StringBuilder outputBuffer = new StringBuilder();
     for (String outputSegment : outputSegments)
       outputBuffer.append('/').append(outputSegment);
     if (path.lastIndexOf('/') == path.length() - 1)
       outputBuffer.append('/');
     try {
       String scheme = uri.getScheme().toLowerCase();
       String auth = uri.getAuthority().toLowerCase();
       URI ref = new URI(scheme, auth, outputBuffer.toString(), null, null);
       if (uri.getQuery() == null && uri.getFragment() == null)
         return ref;
       StringBuilder normalized = new StringBuilder(ref.toASCIIString());
       if (uri.getQuery() != null)
         normalized.append('?').append(uri.getRawQuery());
       if (uri.getFragment() != null)
         normalized.append('#').append(uri.getRawFragment());
       return URI.create(normalized.toString());
     } catch (URISyntaxException e) {
       throw new IllegalArgumentException(e);
     }
   }
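
Review bot: in this overload `path` comes from `uri.getPath()`, which `java.net.URI` returns already percent-decoded, so a single-encoded `%2e%2e`, `.%2e` or `%2e.` in the request reaches this loop as a literal `..` and is caught by the first `"..".equals(inputSegment)` test; the three encoded literals on the `+` lines only match segments that were double-encoded on the wire. Add a comment saying so, because the hunk reads as if these literals are what stops single-encoded traversal. The list approach also leaves anything not enumerated alone: a lone `%2e` segment is not skipped by `".".equals(inputSegment)` and is pushed through as a normal path element. Decoding once to a canonical form and comparing only against `.` and `..` would cover every spelling without a growing list.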

And another normalizeSyntax() method in the same class…with a different data type.

   private static String normalizeSyntax(String path) {
     if (!StringUtils.contains(path, "..") && !StringUtils.containsIgnoreCase(path, "..") &&
-      !StringUtils.containsIgnoreCase(path, "%2e%2e"))
+      !StringUtils.containsIgnoreCase(path, "%2e%2e") &&
+      !StringUtils.containsIgnoreCase(path, ".%2e") &&
+      !StringUtils.containsIgnoreCase(path, "%2e."))
       return path;
     String[] inputSegments = path.split("/");
     Stack<String> outputSegments = new Stack<>();
     for (String inputSegment : inputSegments) {
       if (inputSegment.length() != 0 &&
         !".".equals(inputSegment))
-        if ("..".equals(inputSegment) || StringUtils.equalsIgnoreCase("%2e%2e", inputSegment)) {
+        if ("..".equals(inputSegment) || StringUtils.equalsIgnoreCase("%2e%2e", inputSegment) ||
+          StringUtils.equalsIgnoreCase(".%2e", inputSegment) ||
+          StringUtils.equalsIgnoreCase("%2e.", inputSegment)) {
           if (!outputSegments.isEmpty())
             outputSegments.pop();
         } else {
           outputSegments.push(inputSegment);
         }
     }
     StringBuilder outputBuffer = new StringBuilder();
     for (String outputSegment : outputSegments)
       outputBuffer.append('/').append(outputSegment);
     if (path.lastIndexOf('/') == path.length() - 1)
       outputBuffer.append('/');
     return outputBuffer.toString();
   }
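
Review bot: `!StringUtils.contains(path, "..") && !StringUtils.containsIgnoreCase(path, "..")` is redundant (`..` has no case), and more importantly the fast-path `return path` means a path containing none of the listed `..` spellings is returned untouched, so `/./` and `/%2e/` segments survive there while the slow path below drops a literal `.` (`".".equals(inputSegment)`) and keeps `%2e`. Two code paths that normalise equivalent inputs differently is the kind of thing an access check built on the result will trip over. Same suggestion as for the URI overload: decode once, then compare segments only against `.` and `..`, instead of extending the literal list each time a new spelling turns up.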

The patch adds two new cases to the existing path traversal protection: .%2e and %2e., both partially encoded forms of .., which is used to reference the parent directory in a path traversal attack.

Rapid7 vulnerability research teams believe that this patching methodology may see further bypasses in the future. Developers should take measures to adequately sanitize user input beyond a case-by-case basis.

Guidance

Rapid7 recommends that HPE IMC customers apply the latest patch (50-node product referenced), which is E0705P07 at the time of this writing. This will ensure that they are protected against all known vulnerabilities to date, not only the ones patched in E0705P02.

Vulnerability | Affected versions
CVE-2020-24629 – ZDI-CAN-8943 UrlAccessController Authentication Bypass Vulnerability | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24630 – ZDI-CAN-8965 operatorOnlineList_content Privilege Escalation Vulnerability | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24646 – ZDI-CAN-8935 tftpserver Stack-based Buffer Overflow Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24647 – AccessMgrServlet className Input Validation Code Execution Vulnerability | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24648 – ZDI-CAN-8928 AccessMgrServlet className Deserialization of Untrusted Data Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24649 – ByteMessageResource transformEntity Input Validation Code Execution Vulnerability | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24650 – ZDI-CAN-8963 legend Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24651 – ZDI-CAN-8964 SyslogTempletSelectWin Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24652 – ZDI-CAN-8967 addVsiInterfaceInfo Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-7141 – ZDI-CAN-8968 addDeviceToView Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-7142 – ZDI-CAN-8971 eventInfo_content Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-7143 – ZDI-CAN-8970 faultDevParasSet Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-7144 – ZDI-CAN-8966 compareFilesResult Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7145 – ZDI-CAN-8957 choosePerfView Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7146 – ZDI-CAN-8960 devGroupSelect Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7147 – ZDI-CAN-8961 deploySelectBootrom Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7148 – ZDI-CAN-8962 deploySelectSoftware Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7149 – ZDI-CAN-8981 ictExpertCSVDownload Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7150 – ZDI-CAN-8987 faultStatChooseFaultType Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7151 – ZDI-CAN-8988 faultTrapGroupSelect Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7152 – ZDI-CAN-8985 faultParasSet Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7153 – ZDI-CAN-8980 iccSelectDevType Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7154 – ZDI-CAN-8982 ifViewSelectPage Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7155 – ZDI-CAN-8989 select Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7156 – ZDI-CAN-8986 faultInfo_content Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7157 – ZDI-CAN-8991 selViewNavContent Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7158 – ZDI-CAN-8996 perfSelectTask Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7159 – ZDI-CAN-8959 customTemplateSelect Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7160 – ZDI-CAN-8978 iccSelectDeviceSeries Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7161 – ZDI-CAN-9002 reportTaskSelect Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7162 – ZDI-CAN-8992 operatorGroupSelectContent Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7163 – ZDI-CAN-8998 navigationTo Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7164 – ZDI-CAN-9003 operationSelect Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7165 – ZDI-CAN-8979 iccSelectCommand Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7166 – ZDI-CAN-8993 operatorGroupTreeSelectContent Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7167 – ZDI-CAN-8999 quickTemplateSelect Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7168 – ZDI-CAN-9004 selectUserGroup Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7169 – ZDI-CAN-8994 ictExpertCSVDownload Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7170 – ZDI-CAN-8990 select Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7171 – ZDI-CAN-8995 guiDataDetail Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7172 – ZDI-CAN-9000 templateSelect Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7173 – ZDI-CAN-8958 actionSelectContent Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7174 – ZDI-CAN-9001 soapConfigContent Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7175 – ZDI-CAN-8977 iccSelectDymicParam Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7176 – ZDI-CAN-9015 viewTaskResultDetailFact Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7177 – ZDI-CAN-9012 wmiConfigContent Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7178 – ZDI-CAN-8984 mediaForAction Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7179 – ZDI-CAN-9007 thirdPartyPerfSelectTask Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7180 – ZDI-CAN-8983 ictExpertDownload Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7181 – ZDI-CAN-9008 smsRulesDownload Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7182 – ZDI-CAN-9006 sshConfig Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7183 – ZDI-CAN-9011 forwardredirect Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7184 – ZDI-CAN-9010 viewBatchTaskResultDetailFact Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7185 – ZDI-CAN-9014 tvxlanLegend Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7186 – ZDI-CAN-9009 powershellConfigContent Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7187 – ZDI-CAN-8997 reportpage index Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7188 – ZDI-CAN-9013 userSelectPagingContent Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7189 – ZDI-CAN-8974 faultFlashEventSelectFact Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7190 – ZDI-CAN-8973 deviceSelect Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7191 – ZDI-CAN-8972 devSoftSel Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7192 – ZDI-CAN-8969 deviceThresholdConfig Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7193 – ZDI-CAN-8976 ictExpertCSVDownload Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7194 – ZDI-CAN-9005 perfAddorModDeviceMonitor Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7195 – ZDI-CAN-8975 iccSelectRules Expression Language Injection Remote Code Execution | HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
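
The unauthenticated GET fingerprint described in the analysis above, written out as a small check. This is an added example, not Rapid7's check and not HPE code: it encodes only what the assessment states (pre-E0705P02 the servlet's doGet() wrote a short HTML page containing `<p>ok</p>`; from E0705P02 on the method body is empty, so the same request yields a 200 with an empty body) and reports every other outcome rather than guessing. The target URL is whatever the caller passes; nothing below is a product default, and the responses asserted on in the accompanying test are constructed.

```python
"""Fingerprint the E0705P02 change to AccessMgrServlet.doGet().

Added example; not Rapid7's or HPE's code. classify() turns one HTTP response
into a verdict, fetch() performs the GET without following redirects, and
check() combines the two. Scheme, host and port come from the caller.
"""
import ssl
import urllib.error
import urllib.request

ENDPOINT = "/imc/fault/accessMgrServlet"
PRE_PATCH_MARKER = b"<p>ok</p>"   # fragment written by the pre-E0705P02 doGet()


def classify(status: int, body: bytes) -> str:
    """Map one response to a patch-level verdict for this endpoint."""
    if status == 404:
        return "endpoint-absent"          # not IMC, or the servlet mapping is gone
    if 300 <= status < 400:
        return "redirected"               # e.g. bounced to a login page; no verdict
    if status != 200:
        return "unknown"
    if PRE_PATCH_MARKER in body:
        return "pre-E0705P02"
    if body.strip() == b"":
        return "E0705P02-or-later"        # empty doGet(); P02 and P07 look the same
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of following it; otherwise a
    redirect to a login page would come back as a 200 HTML body."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url: str, timeout: float = 10.0, verify_tls: bool = True):
    """GET the endpoint and return (status, body) without following redirects."""
    ctx = ssl.create_default_context()
    if not verify_tls:                    # appliances often carry self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect,
                                         urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, err.read()


def check(base_url: str, **kwargs) -> str:
    return classify(*fetch(base_url, **kwargs))


if __name__ == "__main__":
    import sys
    print(check(sys.argv[1], verify_tls=False))   # e.g. https://imc.example.internal:8443
```

As the analysis notes, AccessMgrServlet did not change again between E0705P02 and E0705P07, so an empty body only proves the host is at or past E0705P02; it cannot show that E0705P07 is installed.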
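
The analysis closes by recommending input sanitisation beyond a case-by-case list. The following added example (not code from the assessment, and not HPE's) puts the two approaches side by side in Python: normalize_blocklist mirrors the patched normalizeSyntax(String) logic shown above (fast-path return when none of the listed spellings of `..` occurs, otherwise split on `/`, skip a literal `.`, pop on the four listed spellings, push everything else), while normalize_decoded percent-decodes the whole path exactly once and then runs the same stack walk against `.` and `..` only. The sample paths are constructed. Which disagreements would matter against a given server depends on how, and how many times, that server decodes the path before its access decision; that is deliberately not modelled here.

```python
"""Collapse dot-segments in a request path two ways and compare the results.

Added example, not HPE code. normalize_blocklist reproduces the enumerated
approach in the patched normalizeSyntax(String); normalize_decoded decodes
once and compares only against '.' and '..'.
"""
from urllib.parse import unquote

# The four spellings the patch recognises (compared case-insensitively).
DOTDOT_SPELLINGS = ("..", "%2e%2e", ".%2e", "%2e.")


def _collapse(segments, is_dot, is_dotdot):
    """Shared stack walk: drop empty and '.' segments, pop on '..'."""
    out = []
    for seg in segments:
        if seg == "" or is_dot(seg):
            continue
        if is_dotdot(seg):
            if out:
                out.pop()
        else:
            out.append(seg)
    return out


def _rejoin(segments, original):
    """Mirror the Java output: '/' + seg per segment, trailing '/' preserved."""
    s = "".join("/" + seg for seg in segments)
    if original.rfind("/") == len(original) - 1:
        s += "/"
    return s


def normalize_blocklist(path: str) -> str:
    lowered = path.lower()
    if not any(tok in lowered for tok in DOTDOT_SPELLINGS):
        return path                       # fast path: '.' and '%2e' segments untouched
    return _rejoin(_collapse(path.split("/"),
                             is_dot=lambda s: s == ".",
                             is_dotdot=lambda s: s.lower() in DOTDOT_SPELLINGS),
                   path)


def normalize_decoded(path: str) -> str:
    decoded = unquote(path)               # exactly one decoding pass; %2f becomes '/'
    return _rejoin(_collapse(decoded.split("/"),
                             is_dot=lambda s: s == ".",
                             is_dotdot=lambda s: s == ".."),
                   decoded)


def disagreements(paths):
    """Return (path, blocklist_result, decoded_result) where the two differ."""
    out = []
    for p in paths:
        a, b = normalize_blocklist(p), normalize_decoded(p)
        if a != b:
            out.append((p, a, b))
    return out


SAMPLE_PATHS = [                          # constructed inputs
    "/imc/fault/../admin/",               # plain '..': both agree
    "/imc/fault/%2E%2e/admin",            # listed spelling, mixed case: agree
    "/imc/fault/.%2E/admin",              # listed spelling: agree
    "/imc/%2e/fault/admin",               # lone encoded dot: fast path keeps it
    "/imc/fault/..%2f../admin",           # encoded slash inside one segment
]

if __name__ == "__main__":
    for path, a, b in disagreements(SAMPLE_PATHS):
        print(f"{path!r}: blocklist -> {a!r}, decoded -> {b!r}")
```

Decoding once is a deliberate choice: a double-encoded `%252e%252e` becomes the literal segment `%2e%2e`, which neither function treats as a parent reference, so the example does not silently emulate a server that decodes twice. Treating a decoded `%2f` as a separator is the conservative choice for an access check and may differ from what a particular container does.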

Technical Analysis

Analysis performed using tcpip.sys from Windows 10 v1909 x64 (sha256: f2a0cb717ccbe7e7ff93ccadaeb23df4a8a76b386b6623fee1b5a975c3f16bfa)

Overview

A crafted IPv6 Router Advertisement frame can cause a stack-based buffer overflow due to an improper calculation of the RDNSS (type 25) option length. When an RDNSS option uses a crafted length with an even value, the parser will interpret the last 8 bytes of it as the start of the next option. When combined with fragmentation, this can cause an overflow because the size of the misinterpreted header is not validated.

Exploitability Analysis

The public PoCs reliably reproduce this vulnerability to trigger a bug check condition. The relevant function is tcpip!Ipv6pHandleRouterAdvertisement, which handles the parsing logic and is the function whose local variable is overflowed. The public PoCs use a Route Information (type 24) option to actually perform the overflow. In this case the actual overflow is performed by a call to NdisGetDataBuffer at Ipv6pHandleRouterAdvertisement+0xb8a01.

In this call, the third parameter Storage is a pointer to the stack at location rbp+0xb8. From the documentation:

(Storage is) a pointer to a buffer, or NULL if no buffer is provided by the caller. The buffer must be greater than or
equal in size to the number of bytes specified in BytesNeeded . If this value is non-NULL, and the data requested is
not contiguous, NDIS copies the requested data to the area indicated by Storage.

Since Storage is non-NULL and the data is non-contiguous (due to the packet fragmentation), it is used as a destination buffer and wOptLength bytes are copied to it. In this context, wOptLength is the length of the option in the original data times 8. With a length of 176 (field value 0x16), the stack cookie at offset rbp+0x260 will be overwritten. As the function returns, this leads to a bug check when the stack cookie is checked at tcpip!Ipv6pHandleRouterAdvertisement+0x10e0. The value of the stack cookie is also XORed with the value of the stack pointer (rsp), so knowing the value would not be sufficient to replace it in the overwrite.

After the overflow operation has taken place, the loop continues to process the following options:

  • Type 3 (Prefix Information)
  • Type 24 (Route Information)
  • Type 25 (RDNSS)
  • Type 31 (DNS Search List Option)

(see: http://blog.pi3.com.pl/?p=780)

From the /GS (Buffer Security Check) documentation:

A vulnerable parameter is allocated before the cookie and local variables. A buffer overrun can overwrite these
parameters. And code in the function that uses these parameters could cause an attack before the function returns and
the security check is performed.

Inspecting the logic for each of the four types that will be processed identified no references to values which could be controlled by an attacker using the overflow. While the handler for the Prefix Information (type 3) option uses a 32-byte buffer which could be controlled by the attacker starting at rbp+0x200, it is memset to zero at Ipv6pHandleRouterAdvertisement+0xa19.

There are no other references to the space between rbp+0x1b8 (&Storage) and rbp+0x260 (the stack cookie) that are
accessible from this late in the Ipv6pHandleRouterAdvertisement function.

An alternative vector could potentially utilize a Search List (type 31) option to trigger the overflow. This function makes a similar call to NdisGetDataBuffer with a location on the stack. In this case the attacker can overflow the buffer starting at rbp+0x90 and overwrite the stack cookie at rbp+0x190. This function is less interesting, as there appear to be no usable references before the return, and there is no looping logic because the handler and the overflow are in a subroutine of Ipv6pHandleRouterAdvertisement.
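
The option-length mishandling described in the overview above, as an added example that is not part of the assessment and is not code from tcpip.sys. It walks a constructed Router Advertisement options buffer two ways: walk_declared advances by 8 × Length for every option (RFC 4861 layout), while walk_modelled advances an RDNSS (type 25) option by its 8-byte header plus 16 bytes per address with the address count taken as (Length − 1) / 2, which is a model of the behaviour described above, not the vendor's code. For the odd Lengths RFC 8106 allows the two agree; for an even Length the modelled walk stops 8 bytes early and reads the RDNSS option's trailing 8 bytes as the next option header, which is where a Route Information (type 24) header carrying Length 0x16 (176 bytes) appears in the PoC description. The byte strings are constructed.

```python
"""Walk ICMPv6 Router Advertisement options two ways.

Added example; not from the assessment above and not tcpip.sys code. The
address-count rule in walk_modelled models the described misparse. Option
header layout is RFC 4861 (Type, Length in 8-octet units including the
header); RDNSS layout is RFC 8106 (8-byte header, then 16-byte addresses,
so a well-formed Length is always odd).
"""
import struct

RDNSS = 25
ROUTE_INFO = 24


def option_bytes(length_field: int) -> int:
    """RFC 4861 Length is in units of 8 octets, header included."""
    return length_field * 8


def build_option(opt_type: int, length_field: int, payload: bytes) -> bytes:
    """Type, Length, then payload padded/truncated to the declared size."""
    total = option_bytes(length_field)
    body = payload.ljust(total - 2, b"\0")[: total - 2]
    return bytes([opt_type, length_field]) + body


def walk_declared(opts: bytes):
    """Reference walk: advance by 8 * Length. Returns (type, length, offset)."""
    out, off = [], 0
    while off + 8 <= len(opts):
        typ, length = opts[off], opts[off + 1]
        if length == 0:
            raise ValueError("zero Length at offset %d" % off)
        out.append((typ, length, off))
        off += option_bytes(length)
    return out


def walk_modelled(opts: bytes):
    """Same walk, except RDNSS advances by 8 + 16 * ((Length - 1) // 2).
    For odd Length that equals 8 * Length; for even Length it is 8 bytes
    short, so the option's last 8 bytes are parsed as the next header."""
    out, off = [], 0
    while off + 8 <= len(opts):
        typ, length = opts[off], opts[off + 1]
        if length == 0:
            raise ValueError("zero Length at offset %d" % off)
        out.append((typ, length, off))
        if typ == RDNSS:
            off += 8 + 16 * ((length - 1) // 2)   # modelled misparse
        else:
            off += option_bytes(length)
    return out


def smuggled_options(opts: bytes):
    """Options the modelled walk sees that the declared walk does not."""
    seen = set(walk_declared(opts))
    return [o for o in walk_modelled(opts) if o not in seen]


def well_formed_rdnss(n_addresses: int) -> bytes:
    """RFC 8106 RDNSS with Length = 1 + 2n (odd): reserved, lifetime, addresses."""
    payload = struct.pack("!HI", 0, 0xFFFFFFFF)
    for i in range(n_addresses):   # constructed 2001:db8::1, ::2, ...
        payload += bytes.fromhex("20010db8") + b"\0" * 11 + bytes([i + 1])
    return build_option(RDNSS, 1 + 2 * n_addresses, payload)


def crafted_rdnss(next_type: int, next_length_field: int) -> bytes:
    """RDNSS with even Length 4 (32 bytes): header, one address, then 8
    trailing bytes laid out as a Type/Length header for the next option."""
    header = struct.pack("!BBHI", RDNSS, 4, 0, 0xFFFFFFFF)
    address = bytes.fromhex("20010db8000000000000000000000053")  # constructed
    trailer = bytes([next_type, next_length_field]) + b"\0" * 6
    return header + address + trailer


if __name__ == "__main__":
    buf = crafted_rdnss(ROUTE_INFO, 0x16)
    print("declared:", walk_declared(buf))
    print("modelled:", walk_modelled(buf))
    for typ, length, off in smuggled_options(buf):
        print(f"smuggled type {typ} at +{off}, claims {option_bytes(length)} bytes")
```

option_bytes(0x16) is the 176-byte figure quoted in the analysis; what the real parser then does with that length (the NdisGetDataBuffer copy into a fixed stack buffer under fragmentation) is outside what a pure option walk can show.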


This is a great breakdown. Thank you!

Technical Analysis

Pulse Secure’s 2019 vulns are garnering another wave of attention this week as a result of the NSA’s newly published list of CVEs exploited by Chinese state actors. Out of the batch of 2019 disclosures from Orange Tsai’s and Meh Chang’s research, CVE-2019-11510, a pre-authenticated arbitrary file read, was the highest priority for attackers and defenders. The pre-auth file read was a necessary primitive for CVE-2019-11539, a post-authentication vuln that enables attackers to execute commands as root on vulnerable Pulse Secure VPN servers.

Exploit chain: CVE-2019-11510 provides necessary info (plaintext/hashed creds, session IDs) that enables a remote attacker to leverage CVE-2019-11539 to execute commands with the highest privilege level. There’s a Metasploit exploit out that automates the exploit chain, but note that a valid admin session is needed. The original blog from the researchers who disclosed the vulns does a great job of explaining in-depth technical details, too—do check it out if you haven’t done so!

Pulse Secure patched these vulnerabilities in April 2019. Technical details, public research, and exploits were released over the next six months. There’s been plenty of information available to attackers for quite some time now—I hope organizations have patched given the severity of the bugs and the critical position of SSL VPNs.

Ratings
  • Attacker Value
    Very High
Technical Analysis

This is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in https://support.citrix.com/article/CTX276688 which include this CVE. As API queries to this CVE do not contain this data, reflecting it in this topic.

Link to assessment:
https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad

Link to relevant url provided in the assessment:
https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/

Additional link which provides a PoC:
https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi

It is also included in the Oct 20 NSA Advisory on vulns exploited by Chinese APTs:
https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF