CVE-2017-8982
published 2018-02-15

CVE-2017-8982: A Remote Authentication Restriction Bypass vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P4 was found.

Priority: P2 64 | Severity: high, 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 14.48% (96.2th percentile)

Affected (2 ranges)

Vendor                     | Product                            | Version range | Fixed in
hewlett_packard_enterprise | intelligent_management_center_plat |               |
hp                         | intelligent_management_center      |               |

Detection & IOCs (extracted from sources)

url: /imc/login.jsf
port: 8080
port: 8443
command: facesContext.getExternalContext().redirect("".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("var proc=new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"cmd.exe\",\"/c\",\"<CMD>\")).start();"))
  • Successful exploitation results in an HTTP 302 redirect response from the beanName injection endpoint; absence of 302 indicates failed injection.
  • Monitor for unauthenticated GET requests to /imc/login.jsf returning HTTP 200 as a pre-exploitation reconnaissance step used by the Metasploit module's check() function.
  • The exploit spawns cmd.exe /c as SYSTEM via Java ProcessBuilder through JavaScript ScriptEngine; monitor for iMC service processes spawning cmd.exe child processes.
  • The default Metasploit payload used is cmd/windows/reverse_powershell; monitor for outbound PowerShell reverse shell connections originating from the iMC server process on ports 8080/8443.
  • The exploit targets iMC PLAT versions prior to 7.3 E0504P04; the tested vulnerable version is E0504P02. Detections should be scoped to environments running iMC PLAT 7.3 E0504P02 or earlier on Windows.
  • The service listens on both TCP 8080 (HTTP) and 8443 (HTTPS) by default; network detection rules must cover both ports.
  • This exploit chains two CVEs: CVE-2017-8982 (authentication restriction bypass) and CVE-2017-12500 (EL injection). Detection of the beanName EL injection alone may not be sufficient without also accounting for the auth bypass path traversal component.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd    | v3.0         | 7.5   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd    | v2.0         | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N