CVE-2016-9796
published 2016-12-03


Priority: P274 · Severity: critical · CVSS 3.0 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 13.36% (95.9th percentile)
Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different ORBs interfaces, which can be queried using the GIOP protocol on TCP port 30024. An attacker can bypass authentication, and OmniVista invokes methods (AddJobSet, AddJob, and ExecuteNow) that can be used to run arbitrary commands on the server, with the privilege of NT AUTHORITY\SYSTEM on the server. NOTE: The discoverer states "The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients to connect to the OmniVista server."

Affected (3 ranges)

Vendor           Product                                    Version range   Fixed in
alcatel-lucent   omnivista_8770_network_management_system
alcatel-lucent   omnivista_8770_network_management_system
alcatel-lucent   omnivista_8770_network_management_system

Detection & IOCs (extracted from sources)

  • port: 30024
  • command: AddJobSet
  • command: AddJob
  • command: ExecuteNow
  • path: C:\Windows\System32\cmd.exe
  • path: C:\Windows\SysWOW64\cmd.exe
  • bytes: 47494f50010000000000012600000000
  • bytes: 47494f50010000000000003100000000
  • bytes: 47494f5001000000
  • bytes: 47494f50010000000000003500000000000001100100000000000010
  • Monitor for unauthenticated GIOP/CORBA TCP connections to port 30024 on OmniVista 8770 servers; any external connection to this port should be treated as suspicious.
  • Detect GIOP request packets invoking the SchedulerInterface object with methods AddJobSet, AddJob, or ExecuteNow; the exploit encodes the string '5363686564756c6572496e74657266616365' (the ASCII hex of "SchedulerInterface") in the GIOP payload.
  • Look for GIOP magic bytes 'GIOP' (0x47494f50) on TCP port 30024 followed by method name strings AddJobSet, AddJob, Active, ExecuteNow, Cancel, or DeleteJobSet as network-level indicators of exploitation.
  • Alert on processes spawned as NT AUTHORITY\SYSTEM by the OmniVista service, particularly cmd.exe or powershell.exe with suspicious arguments such as '-nop -w hidden' or IEX/downloadstring patterns.
  • The exploit uses nbtscan to resolve the target NetBIOS name before sending GIOP packets; detect nbtscan reconnaissance activity against OmniVista server hosts as a precursor indicator.
  • The exploit embeds a crafted username string 'xxx.y.zzzzz,cn=Administrators,cn=8770 administration,o=nmc' in the GIOP AddJobSet payload; presence of this DN pattern in network traffic is a strong exploit indicator.
  • The vendor does not patch this vulnerability but instead recommends applying firewall rules to block unauthorized clients from reaching the OmniVista server on TCP port 30024.
  • The exploit targets OmniVista 8770 versions 2.0, 2.6, and 3.0 running on Windows Server; the cmd.exe path differs between 32-bit and 64-bit installations, affecting payload construction.
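The network-level indicators above (GIOP magic on TCP port 30024, a Request message, and the SchedulerInterface/AddJobSet/AddJob/ExecuteNow strings) can be turned into a small payload classifier. The following is an added example written for this page; it is not cvebase's, the discoverer's, or Alcatel-Lucent's code. It decodes the 12-byte GIOP header (magic, version, byte-order flag, message type, message size), searches the body for the strings named in the detection notes, and rates a segment by whether the source host is on a constructed allowlist of management hosts (`MANAGEMENT_HOSTS`, an assumption standing in for the vendor's firewall rules). The sample header bytes come from the IOC list on this page; the sample body is made up and is not a valid CORBA request.

```python
"""Classify TCP payloads sent to the OmniVista ORB port using the GIOP header and the
scheduler-method indicators listed on this page.  Added example, not vendor code."""
import struct

GIOP_MAGIC = b"GIOP"                 # 0x47494f50
OMNIVISTA_ORB_PORT = 30024
# Constructed allowlist: hosts that the vendor's firewall guidance would permit to
# reach the ORB port.  Replace with the real management network.
MANAGEMENT_HOSTS = {"10.0.0.5"}

# GIOP MsgType values (GIOP 1.0 through 1.2 share the same header layout).
MSG_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
             4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}

# Strong indicators: the object name, the job-scheduling methods and the DN suffix
# named in the detection notes.  Short names such as "Active" and "Cancel" match far
# too much ordinary data to carry weight on their own, so they are tracked separately.
STRONG_STRINGS = (b"SchedulerInterface", b"AddJobSet", b"AddJob", b"ExecuteNow",
                  b"DeleteJobSet", b"cn=8770 administration,o=nmc")
WEAK_STRINGS = (b"Active", b"Cancel")


def parse_giop_header(payload: bytes):
    """Decode the 12-byte GIOP header, or return None if the data is not GIOP."""
    if len(payload) < 12 or payload[:4] != GIOP_MAGIC:
        return None
    major, minor, flags, msg_type = payload[4], payload[5], payload[6], payload[7]
    # Byte 6 is byte_order in GIOP 1.0 and a flags byte from 1.1 on; in both cases
    # bit 0 set means message_size is little-endian.
    little = bool(flags & 0x01)
    (size,) = struct.unpack("<I" if little else ">I", payload[8:12])
    return {
        "version": f"{major}.{minor}",
        "msg_type": MSG_TYPES.get(msg_type, f"unknown({msg_type})"),
        "msg_size": size,
        # Declared size larger than the bytes that follow: segment cut or header lies.
        "truncated": len(payload) - 12 < size,
    }


def find_indicators(payload: bytes) -> dict:
    """Return the strong and weak indicator strings present in the payload."""
    return {
        "strong": [s.decode() for s in STRONG_STRINGS if s in payload],
        "weak": [s.decode() for s in WEAK_STRINGS if s in payload],
    }


def assess(dst_port: int, src_ip: str, payload: bytes) -> str:
    """Rate one TCP segment: none, low, info, medium or high."""
    if dst_port != OMNIVISTA_ORB_PORT:
        return "none"
    trusted = src_ip in MANAGEMENT_HOSTS
    hdr = parse_giop_header(payload)
    if hdr is None:
        # Non-GIOP data on the ORB port is odd but is not this CVE's pattern.
        return "none" if trusted else "low"
    strong = find_indicators(payload)["strong"]
    if hdr["msg_type"] == "Request" and strong:
        # Scheduler invocation: from an unexpected host this is the exploit pattern;
        # from a management host it is still worth a log line for correlation.
        return "info" if trusted else "high"
    # Any other GIOP from outside the allowlist is the "external connection" case
    # that the detection notes treat as suspicious.
    return "none" if trusted else "medium"


# --- constructed samples -----------------------------------------------------
# 16-byte prefixes taken from this page's IOC list (12-byte header + 4 body bytes).
HDR_294 = bytes.fromhex("47494f50010000000000012600000000")   # size 0x126 = 294
HDR_49 = bytes.fromhex("47494f50010000000000003100000000")    # size 0x31 = 49
# Made-up body carrying the object and method names, padded to the declared size.
SAMPLE_SCHEDULER_REQUEST = (
    HDR_294 + b"SchedulerInterface\x00AddJobSet\x00").ljust(12 + 0x126, b"\x00")


if __name__ == "__main__":
    print(parse_giop_header(HDR_49))
    print(assess(OMNIVISTA_ORB_PORT, "203.0.113.7", SAMPLE_SCHEDULER_REQUEST))
```

Feed `assess` from a packet tap or IDS script with the destination port, source address and reassembled TCP payload; the `truncated` flag tells you when the declared message size exceeds what was captured, which is common when only the first segment of a request is seen and is a reason to reassemble before searching for the method strings.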

CVSS provenance

  • NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C