CVE-2013-4810
Published 2013-09-16
Priority: P1 (96) · critical 9.8 (CVSS 3.1)
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 79.00% (99.5th percentile)
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | procurve_manager | — | — |
| hp | procurve_manager | — | — |
Detection & IOCs (extracted from sources)
- Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
- Alert on HTTP requests with User-Agent 'Java/1.6.0_21' POSTing to invoker servlet paths, as this is the hardcoded agent in the public exploit.
- Monitor for GET requests to /a/pwn.jsp with a 'cmd' query parameter, indicating successful WAR deployment and webshell access following exploitation.
- The exploit deploys a WAR file from a remote URL; monitor outbound HTTP connections from the JBoss/PCM server to external hosts fetching .war files shortly after an invoker servlet POST.
- CVE-2013-4810 specifically targets unauthenticated exposure of JMXInvokerServlet and EJBInvokerServlet; verify these endpoints require authentication and block unauthenticated access at the network perimeter.
- All supported Red Hat JBoss products apply authentication to JMXInvokerServlet and EJBInvokerServlet by default and are NOT affected; only older unsupported community releases of JBoss AS (WildFly) 4.x and 5.x are vulnerable.
- JBoss AS (WildFly) 7.x community releases are also not affected by this issue.
- This CVE is likely a duplicate of earlier issues CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874 covering the same unauthenticated invoker servlet attack surface.
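A small log-scanning script, added here as an illustration and not part of this record or of any cited source, that applies the indicators above (invoker servlet POSTs, the hardcoded User-Agent, the serialized-object Content-Type, and /a/pwn.jsp with a cmd parameter) to access-log lines. The log layout and the sample lines are constructed, and the /invoker/ path prefix in them is an assumption; detection keys only on the servlet names the record gives.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

INVOKER_SERVLETS = ("JMXInvokerServlet", "EJBInvokerServlet")
EXPLOIT_USER_AGENT = "Java/1.6.0_21"
SERIALIZED_CONTENT_TYPE = "application/x-java-serialized-object"
WEBSHELL_PATH = "/a/pwn.jsp"
# Assumed (constructed) log layout: time client method target status "user-agent" "content-type".
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')

@dataclass
class Finding:
    line_no: int
    client: str
    severity: str
    reason: str

def inspect_line(line_no: int, line: str) -> list:
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than raise
    _ts, client, method, target, _status, user_agent, content_type = m.groups()
    url = urlsplit(target)
    findings = []
    if method == "POST" and any(s in url.path for s in INVOKER_SERVLETS):
        reasons, severity = [f"POST to invoker servlet {url.path}"], "medium"
        if user_agent == EXPLOIT_USER_AGENT:  # hardcoded agent of the public exploit
            reasons.append("exploit User-Agent")
            severity = "high"
        if content_type.startswith(SERIALIZED_CONTENT_TYPE):  # marshalled invocation body
            reasons.append("Java serialized object body")
            severity = "high"
        findings.append(Finding(line_no, client, severity, "; ".join(reasons)))
    if method == "GET" and url.path == WEBSHELL_PATH and "cmd" in parse_qs(url.query):
        findings.append(Finding(line_no, client, "critical", "webshell access after WAR deployment"))
    return findings

def scan(log_text: str) -> list:
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        findings.extend(inspect_line(line_no, line))
    return findings

SAMPLE_LOG = """\
2013-10-01T10:00:00Z 198.51.100.7 GET /index.jsp 200 "Mozilla/5.0" "-"
2013-10-01T10:00:05Z 203.0.113.9 POST /invoker/JMXInvokerServlet 200 "Java/1.6.0_21" "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation"
2013-10-01T10:00:06Z 203.0.113.9 POST /invoker/EJBInvokerServlet 200 "Mozilla/5.0" "-"
2013-10-01T10:00:40Z 203.0.113.9 GET /a/pwn.jsp?cmd=id 200 "Mozilla/5.0" "-"
2013-10-01T10:01:00Z 198.51.100.7 GET /a/pwn.jsp 404 "Mozilla/5.0" "-"
"""  # constructed sample; the /invoker/ prefix is an assumption
```

A GET to /a/pwn.jsp without a cmd parameter (last sample line) is deliberately not flagged, matching the indicator as stated above.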
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
HP Multiple Products Remote Code Execution Vulnerability
cisa · 2022-03-25 · CVSS 9.8
CVE-2013-4810 [CRITICAL] CWE-94 HP Multiple Products Remote Code Execution Vulnerability
Vulnerability: HP Multiple Products Remote Code Execution Vulnerability
Affected: Hewlett Packard (HP) ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management
HP ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-4810
Remediation Due Date: 2022-04-15
GHSA
GHSA-mm58-72w4-25hp: HP ProCurve Manager (PCM) 3
ghsa_unreviewed · 2022-05-17 · CVSS 7.5
CVE-2013-4810 [HIGH] CWE-94 GHSA-mm58-72w4-25hp: HP ProCurve Manager (PCM) 3
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.
VulnCheck
HP Multiple Products Remote Code Execution Vulnerability
vulncheck · 2013 · CVSS 9.8
CVE-2013-4810 [CRITICAL] CWE-94 HP Multiple Products Remote Code Execution Vulnerability
HP Multiple Products Remote Code Execution Vulnerability
HP ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet.
Affected: Hewlett Packard (HP) ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://nsarchive.gwu.edu/sites/default/files/documents/5986978/National-Security-Archive-Department-of-Justice.pdf; https://www.lacework.com/blog/elf-of-the-month-new-lucky-ransomware-sample/; https://web.archive.org/web/20220227045141/https://risksense.com/wp-cont
No detection rules found.
References
- http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03897409
- http://marc.info/?l=bugtraq&m=138696448823753&w=2
- http://marc.info/?l=bugtraq&m=143039425503668&w=2
- http://secunia.com/advisories/54788
- http://www.securitytracker.com/id/1029010
- http://zerodayinitiative.com/advisories/ZDI-13-229/
- https://www.exploit-db.com/exploits/28713/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-4810
Timeline
2013-09-16: Published
2022-03-25: Added to CISA KEV
Exploited in the wild