cbcvebase.
CVE-2014-2623
published 2014-07-18

CVE-2014-2623: Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown vectors.

Priority: P1 · 82
Severity: critical, CVSS 2.0 base score 10
Vector: AV:N / AC:L / Au:N / C:C / I:C / A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 89.39% (99.8th percentile)

Affected (5 ranges)

Vendor | Product                | Version range        | Fixed in
hp     | data_protector         | >= 7.0, < 7.03_108   | 7.03_108
hp     | data_protector         | >= 8.0, < 8.15       | 8.15
hp     | data_protector         | >= 9.0, < 9.06       | 9.06
hp     | storage_data_protector | (no range given)     | -
hp     | storage_data_protector | (no range given)     | -

Detection & IOCs (extracted from sources)

port: 5555
command: opcode 28 / \perl.exe -esystem('<cmd>')
bytes: 00000034320001010101010100010001000100010100203238005c7065726c2e65786500202d6573797374656d282777686f616d69272900
bytes: 00000034fffe3900000020006e007400200061007500740068006f0072006900740079005c00730079007300740065006d000a0000000000
bytes: \x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00
  • Detect exploit attempts by monitoring for TCP connections to port 5555 (OmniInet service) containing the opcode 28 pattern followed by '\perl.exe' and '-esystem(' strings in the payload.
  • Alert on TCP/5555 payloads containing the hex sequence '32 00 01 01 01 01 01 01 00 01 00 01 00 01 00 01 01 00 20 32 38 00 5c 70 65 72 6c 2e 65 78 65 00 20 2d 65 73 79 73 74 65 6d' which encodes the opcode-28/perl.exe/-esystem exploit pattern.
  • Detect spawning of cmd.exe or rundll32.exe as a child process of the OmniInet service (omniinet.exe) on Windows, which indicates successful command execution via this vulnerability.
  • Watch for outbound SMB connections from the Data Protector host to attacker-controlled servers immediately after inbound connections on TCP/5555, as the Metasploit module uses a fake SMB server to deliver the DLL payload via rundll32.exe.
  • CVE-2016-2004 exists because the patch for CVE-2014-2623 was incomplete; systems patched only for CVE-2014-2623 (versions before 7.03_108, 8.x before 8.15, 9.x before 9.06) remain exploitable.
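As an added illustration of the first two detection bullets (this is not code from cbcvebase, HP or the Metasploit module), the Python below checks TCP/5555 payloads for the opcode-28 / \perl.exe / -esystem( signature, using the page's own captured hex sample as input. The 4-byte big-endian length prefix is read off the page's samples (0x34 = 52 bytes follow in both the request and the response), the flow-record shape `(src_ip, dst_port, payload)` and the function names are my assumptions, and the benign message is constructed.

```python
"""Detection helper for the OmniInet (TCP/5555) exploit pattern listed in the
CVE-2014-2623 detection notes.  Added illustration, not cbcvebase, HP or
Metasploit code; the framing is read off the page's hex samples and the
function names are mine.
"""

OMNIINET_PORT = 5555

# Signature from the detection note: opcode 28 followed by the "\perl.exe" and
# "-esystem(" arguments.  Copied from the page's hex IOC, minus the 4-byte
# length prefix that precedes every captured sample.
OPCODE28_PERL_SIGNATURE = bytes.fromhex(
    "32 00 01 01 01 01 01 01 00 01 00 01 00 01 00 01 01 00 20 32 38 00 "
    "5c 70 65 72 6c 2e 65 78 65 00 20 2d 65 73 79 73 74 65 6d"
)

# Sample request from the page's IOC list (the captured "whoami" probe).
CAPTURED_EXPLOIT_SAMPLE = bytes.fromhex(
    "00000034320001010101010100010001000100010100203238005c7065726c2e6578"
    "6500202d6573797374656d282777686f616d69272900"
)

# Constructed benign message in the same length-prefixed framing.
BENIGN_SAMPLE = b"\x00\x00\x00\x0cbenign probe"


def parse_length_prefix(data: bytes):
    """Return (declared_length, body).  Assumption taken from the page's samples:
    a 4-byte big-endian length equal to the number of bytes that follow."""
    if len(data) < 4:
        return None, b""
    return int.from_bytes(data[:4], "big"), data[4:]


def inspect_omniinet_message(data: bytes) -> dict:
    """Report whether one OmniInet request carries the opcode-28/perl.exe/
    -esystem pattern, plus framing details that are useful in an alert."""
    declared, body = parse_length_prefix(data)
    idx = body.find(OPCODE28_PERL_SIGNATURE)
    return {
        "declared_len": declared,
        "well_formed": declared is not None and declared == len(body),
        "match": idx != -1,
        # offset into the full TCP payload, handy for annotating a pcap
        "offset": None if idx == -1 else idx + 4,
    }


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_port, payload) records (assumed shape).
    Returns one alert dict per TCP/5555 payload matching the signature; traffic
    to other ports is ignored, mirroring the port-scoped detection note."""
    alerts = []
    for src_ip, dst_port, payload in flows:
        if dst_port != OMNIINET_PORT:
            continue
        verdict = inspect_omniinet_message(payload)
        if verdict["match"]:
            alerts.append({
                "src_ip": src_ip,
                "rule": "CVE-2014-2623 opcode-28 perl.exe command execution",
                **verdict,
            })
    return alerts


if __name__ == "__main__":
    # Constructed flow records: the captured probe, a benign message, and the
    # same probe bytes on an unrelated port (not alerted by this rule).
    sample_flows = [
        ("203.0.113.7", OMNIINET_PORT, CAPTURED_EXPLOIT_SAMPLE),
        ("198.51.100.2", OMNIINET_PORT, BENIGN_SAMPLE),
        ("203.0.113.7", 8080, CAPTURED_EXPLOIT_SAMPLE),
    ]
    for alert in scan_flows(sample_flows):
        print(alert)
```

The signature is matched as a raw byte sequence rather than by decoding the protocol, which is what a NIDS content rule does; `well_formed` lets an analyst distinguish a complete request from a truncated capture when the alert is triaged.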

CVSS provenance

nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 10.0 CRITICAL