CVE-2017-5799
published 2018-02-15

Priority: P2 70, high, 8.8 (CVSS 3.0)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 15.51% (96.4th percentile)

A Remote Code Execution vulnerability in HPE OpenCall Media Platform (OCMP) was found. The vulnerability impacts OCMP versions prior to 3.4.2 RP201 (for OCMP 3.x), all versions prior to 4.4.7 RP702 (for OCMP 4.x).

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | opencall_media_platform | | |
| hp | opencall_media_platform | >= 3.0.0 < 3.4.2 | 3.4.2 |
| hp | opencall_media_platform | >= 4.0.0 < 4.4.7 | 4.4.7 |

Detection & IOCs (extracted from sources)

url: /mcm/resources/dummy_test/dummy/test?followindirection=false
url: /mcm/resources/dummy_test/dummy/test?format=json&followindirection=false&ms=1443024815924
path: /mcm/resources/
url: /om/call.do?action=list_calls&type=Active637a3alert(1)c7e9f
path: /om/call.do
url: /om/event.do?action=list&type=Active637a3alert(1)c7e9f
path: /om/event.do
path: /om/proxylink.do
port: 8443
port: 5443

  • Detect GET requests to /om/call.do with unsanitised 'type' parameter values (e.g. containing script tags or alert payloads) as XSS exploitation attempts.
  • Detect GET requests to /om/event.do with unsanitised 'type' parameter values as XSS exploitation attempts.
  • Detect GET requests to /om/proxylink.do with a 'url' parameter pointing to external/remote hosts as Remote File Inclusion (RFI) exploitation attempts leading to RCE.
  • Monitor for requests to GetMapAction function with parameters LEV_TYPE0–3, LEV_NAME0–3, LEV_NUM, and NAME containing script payloads in the Platform Administration Tool.
  • Monitor for requests to cdrdispatch function with 'next' and 'sessionType' parameters containing script payloads in the Platform Administration Tool.
  • Content-Type header 'application/mcm+json' in POST requests to /mcm/resources/ paths is specific to OCMP and can be used as a filter anchor for detecting exploitation attempts.
  • The RFI vulnerability via /om/proxylink.do requires the OCMP server to be able to reach attacker-controlled external URLs; network egress controls from the OCMP host can limit RCE impact.
  • The XSS-to-RCE chain specifically targets the Platform Administration Tool; exploitation requires a victim administrator to be authenticated and interact with the attacker-crafted link.
  • Affected versions are OCMP prior to 3.4.2 RP201 (3.x branch) and all versions prior to 4.4.7 RP702 (4.x branch); the PoC was demonstrated on version 4.3.2.
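
The /om/call.do, /om/event.do and /om/proxylink.do detections above, sketched as a Python filter over web access logs. This is an added example, not code from this page or from HPE. The combined log format, the `MARKUP` pattern, the `INTERNAL_HOSTS` allow-list and the function names are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate 'type' value is a plain word such as "Active"; markup is not.
MARKUP = re.compile(r"[<>\"'()]|script|javascript:|on\w+\s*=", re.I)
XSS_PATHS = {"/om/call.do", "/om/event.do"}
PROXY_PATH = "/om/proxylink.do"
# Assumption: hosts the OCMP server may legitimately fetch from; adjust per site.
INTERNAL_HOSTS = frozenset({"localhost", "127.0.0.1"})

def classify(line, internal_hosts=INTERNAL_HOSTS):
    """Return a finding label for one access-log line, or None."""
    m = REQ.search(line)
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["target"])
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX once
    if parts.path in XSS_PATHS:
        if any(MARKUP.search(v) for v in params.get("type", [])):
            return "xss-type-param"
    elif parts.path == PROXY_PATH:
        for value in params.get("url", []):
            host = urlsplit(value).hostname  # None for relative/local paths
            if host and host.lower() not in internal_hosts:
                return "rfi-external-url"
    return None

def scan(lines):
    """Return (line_number, label) for every line that matches a rule."""
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample log lines (combined log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2018:10:00:00 +0000] "GET /om/call.do?action=list_calls&type=Active HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2018:10:00:05 +0000] "GET /om/call.do?action=list_calls&type=Active637a3alert(1)c7e9f HTTP/1.1" 200 530',
    '192.0.2.11 - - [01/Jan/2018:10:00:09 +0000] "GET /om/event.do?action=list&type=Active%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '192.0.2.12 - - [01/Jan/2018:10:01:00 +0000] "GET /om/proxylink.do?url=http%3A%2F%2Ffiles.example.net%2Fpage HTTP/1.1" 200 90',
    '192.0.2.10 - - [01/Jan/2018:10:02:00 +0000] "GET /om/proxylink.do?url=http://localhost:8443/om/help.html HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for n, label in scan(SAMPLE_LOG):
        print(n, label)
```

The filter decodes percent-encoding only once and does not flag scheme-less `url` values, so it belongs alongside egress controls on the OCMP host rather than in place of them.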

CVSS provenance

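| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |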