CVE-2016-8523
Published 2018-02-15
CVE-2016-8523: A Remote Arbitrary Code Execution vulnerability in HPE Smart Storage Administrator version before v2.60.18.0 was found.
Priority: P266 (high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 17.04% (96.7th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | smart_storage_administrator | — | — |
| hp | smart_storage_administrator | < 2.60.18.0 | 2.60.18.0 |
Detection & IOCs (extracted from sources)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:established,to_server; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:3; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, created_at 2017_03_15, cve CVE_2016_8523, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2024_03_07, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- Detection should look for the `echo -n` string in the payload body on TCP/2381, combined with base64-encoded ELF/PE magic bytes matching the PCRE pattern `(?:f0VMR|9FTE|\/RUxG)`, indicative of a staged payload delivery via the command injection
- Anonymous (unauthenticated) access to the vulnerable endpoint is possible; authentication is optional in the exploit module
- The response header `CpqElm-Login: success` indicates successful authentication to the HP SSA service; monitor for this header in network traffic as a precursor to exploitation
- The exploit uses SSL (HTTPS) by default on port 2381; network inspection requires SSL/TLS interception to detect payload content
- The Windows CmdStager flavor uses `certutil` for payload staging, which may evade detections focused solely on Linux/bourne stager patterns
- The Snort rule (sid:2024063) targets the Linux stager payload pattern; Windows certutil-based stagers will not match this rule and require separate detection logic
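
The rule logic and its certutil blind spot described in the notes above, as an added example (not code from this page or from the Emerging Threats ruleset): it derives the three PCRE alternatives as the base64 forms of the ELF magic at each byte alignment and replays the rule's content and PCRE checks over constructed payload bodies. The function names, the sample payloads and the supplementary `certutil` pattern are assumptions made for illustration.

```python
import base64
import re

# Content match and relative PCRE copied from the rule on this page (sid:2024063).
CONTENT = b"echo -n "
RULE_PCRE = re.compile(rb"\s*(?:f0VMR|9FTE|/RUxG)")
# Hypothetical supplementary check for the certutil stager; not part of the rule.
CERTUTIL = re.compile(rb"certutil(?:\.exe)?\s", re.IGNORECASE)


def elf_magic_prefixes():
    """Base64 text that the ELF magic always yields at each of the 3 byte alignments."""
    out = []
    for pad in range(3):
        # Encode with two different fillers; characters equal in both depend
        # only on the magic bytes, not on the neighbouring data.
        lo = base64.b64encode(b"\x00" * pad + b"\x7fELF" + b"\x00\x00").decode()
        hi = base64.b64encode(b"\xff" * pad + b"\x7fELF" + b"\xff\xff").decode()
        out.append("".join(a for a, b in zip(lo, hi) if a == b and a != "="))
    return out


def rule_matches(payload: bytes) -> bool:
    """Simplified emulation: content match, then the PCRE anchored right after it."""
    start = 0
    while (idx := payload.find(CONTENT, start)) != -1:
        if RULE_PCRE.match(payload, idx + len(CONTENT)):
            return True
        start = idx + 1  # try the next occurrence of the content string
    return False


def triage(payload: bytes) -> str:
    """Label one decrypted client-to-server payload body seen on TCP/2381."""
    if rule_matches(payload):
        return "sid:2024063"
    if CERTUTIL.search(payload):
        return "certutil-stager (supplementary check)"
    return "no match"


# Constructed sample payload bodies; none is captured traffic.
ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLES = {
    "linux_stager": b"echo -n " + base64.b64encode(ELF_HEADER),
    "windows_stager": b"certutil -decode stage.b64 stage.exe",
    "benign_echo": b"echo -n hello",
}

if __name__ == "__main__":
    print(elf_magic_prefixes())
    for name, body in SAMPLES.items():
        print(name, "->", triage(body))
```

Because the service speaks HTTPS on port 2381, these checks only apply to payload bodies obtained after TLS interception or from host-side logging.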
CVSS provenance
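| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |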
Suricata
ET EXPLOIT HP Smart Storage Administrator Remote Command Injection
suricata·2017-03-15
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:established,to_server; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:3; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, created_at 2017_03_15, cve CVE_2016_8523, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2024_03_07, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
No writeups or analysis indexed.
- http://www.securityfocus.com/bid/95868
- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05382349
- https://www.exploit-db.com/exploits/41297/
Published: 2018-02-15