cbcvebase.
CVE-2017-5815
published 2018-02-15

CVE-2017-5815: A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.

PriorityP178critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
34.24%
98.2th percentile
A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.

Affected

3 ranges
VendorProductVersion rangeFixed in
hewlett_packard_enterpriseintelligent_management_center_plat
hpintelligent_management_center< 7.37.3
hpintelligent_management_center

Detection & IOCsextracted from sources · hover to see the quote

portUDP/514
processimcsyslogdm
hash8b06adbd3d47a372358d9106e659d9b2
commandSYSLOG_FORWARD_HEAD + 'A'*48 + first_stage + '\0'
bytes
Forwarded From:
bytes
Quidview
  • Monitor for oversized UDP packets to port 514 on iMC hosts where the payload begins with 'Forwarded From:' but lacks 'Quidview', especially with payloads exceeding 48 bytes after the marker.
  • The imcsyslogdm process file descriptor 27 (occasionally 28) bound to UDP/65535 is reused by the exploit for second-stage payload delivery; anomalous UDP traffic to port 65535 on iMC hosts should be investigated.
  • ·ROP gadget addresses and BSS offsets are specific to iMC 7.2 E0403P10 (imcsyslogdm MD5: 8b06adbd3d47a372358d9106e659d9b2); they will differ on other versions including the patched 7.3 E0504P04.
  • ·The command executed via system() is limited to approximately 470 bytes in this exploit implementation.
  • ·After exploitation, the syslog message handling thread enters an infinite loop, breaking the syslog forwarding function of imcsyslogdm.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.