cvebase
CVE-2019-5390
published 2019-06-05

CVE-2019-5390: A remote command injection vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

Priority: P2 · 63
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.36% (90.0th percentile)

Affected

2 ranges:

Vendor | Product                       | Version range | Fixed in
hp     | intelligent_management_center | < 7.3         | 7.3
hp     | intelligent_management_center | (not given)   | (not given)

Note: the description above gives the fixed build as 7.3 E0506P09, so a plain "< 7.3" range understates exposure: 7.3 builds earlier than E0506P09 are affected, and the detection notes below record that 7.3 E0703 still left command 10018 unencrypted. Check the IMC build string, not just the major version.

Detection & IOCs (extracted from sources)

port: 2810
command: echo -ne '\xff\xff\xff\x00' | nc 2810
process: dbman.exe
process: imcsysdm.exe
bytes: \xff\xff\xff\x00
  • Detect allocation-size DoS attempts against dbman on TCP port 2810: look for 4-byte client messages whose first three bytes are 0xFF 0xFF 0xFF (an allocation-size field of roughly 4 GB), such as the \xff\xff\xff\x00 probe above.
  • Monitor for command 10018 (dbman.conf variable injection) sent to dbman, especially when it sets the BackHoseIp, BackupTime, or BackupTimeMinute variables; these writes are the precursor step to the stack buffer overflow and command injection chain.
  • Alert on unexpected termination and restart of dbman.exe under its parent imcsysdm.exe: the attacker uses the DoS step to force a dbman restart so that the poisoned dbman.conf is re-read.
  • Look for stack buffer overrun indicators in dbman.exe crash dumps: an EIP/return address overwritten with the 0x41414141 pattern is a sign of active exploitation attempts.
  • HPE iMC 7.3 E0703 only partially patched CVE-2019-5390: it enforces encryption for commands 10000 and 10002 but leaves command 10018 unencrypted, so the configuration injection step of the chain remains unauthenticated and unencrypted in that version.
  • The root cause of CVE-2019-5390 was not addressed in 7.3 E0703: the attacker can bypass the encryption requirement by using the DoS vulnerability to force a dbman restart, which re-triggers the stack overflow from the already-injected dbman.conf.
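As an added example (not code from the cvebase page, from HPE, or from the cited sources), the following Python classifies client traffic to TCP/2810 and dbman process events for the indicators listed above: the 0xFFFFFF allocation-size probe, command 10018 writing the named dbman.conf variables, and a dbman.exe restart under imcsysdm.exe shortly after an exit. The dbman framing it assumes (4-byte big-endian length, then a 4-byte big-endian command id, then NUL-terminated Name=value strings for command 10018), the 16 MiB length sanity threshold, the 60-second restart window, and every sample flow and event are constructed assumptions for illustration, not captured data.

```python
import struct
from typing import Iterable

DBMAN_PORT = 2810
CMD_CONF_INJECT = 10018            # dbman.conf variable injection command (from the page)
# dbman.conf variables the page names as precursors to the stack overflow
PRECURSOR_VARS = (b"BackHoseIp", b"BackupTime", b"BackupTimeMinute")
# Declared body sizes above this are treated as an allocation-size attack.
# The threshold is an assumption for this example, not a documented dbman limit.
MAX_SANE_BODY = 16 * 1024 * 1024


def declared_length(payload: bytes) -> int:
    """Big-endian 32-bit length prefix; the nc probe above declares 0xffffff00 (~4 GB)."""
    return struct.unpack(">I", payload[:4])[0]


def classify_dbman_payload(payload: bytes) -> list[str]:
    """Indicator tags for one client->dbman message; an empty list means nothing matched.

    Assumed framing (not taken from the page): 4-byte BE length, 4-byte BE command id,
    then a body of NUL-terminated 'Name=value' strings for command 10018.
    """
    findings: list[str] = []
    if len(payload) < 4:
        return findings
    length = declared_length(payload)
    body = payload[4:]
    # Step 1 of the chain: a length field starting 0xFFFFFF asks dbman for a ~4 GB
    # buffer; the page's IOC is the 4-byte probe b"\xff\xff\xff\x00".
    if payload[:3] == b"\xff\xff\xff":
        findings.append("alloc-dos")
    elif length > MAX_SANE_BODY:
        findings.append("oversized-length")
    # Step 2: command 10018 writing the precursor variables into dbman.conf.
    if len(body) >= 4:
        cmd = struct.unpack(">I", body[:4])[0]
        if cmd == CMD_CONF_INJECT:
            # 'Name=' avoids matching BackupTime inside BackupTimeMinute
            hits = [v.decode() for v in PRECURSOR_VARS if v + b"=" in body[4:]]
            findings.append(("conf-inject:" + ",".join(hits)) if hits else "conf-inject")
    return findings


def scan_flows(flows: Iterable[tuple[str, str, int, bytes]]) -> list[dict]:
    """flows: (src_ip, dst_ip, dst_port, client_payload). Only TCP/2810 is inspected."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != DBMAN_PORT:
            continue
        for tag in classify_dbman_payload(payload):
            alerts.append({"src": src, "dst": dst, "indicator": tag})
    return alerts


def dbman_restarts(events: Iterable[tuple[float, str, str, str]], window_s: float = 60.0) -> list[float]:
    """events: (epoch_seconds, kind, image, parent_image) with kind 'start' or 'exit'.

    Returns start times of dbman.exe under imcsysdm.exe that follow a dbman.exe exit
    within window_s seconds: the forced restart that re-reads a poisoned dbman.conf.
    """
    last_exit = None
    hits: list[float] = []
    for ts, kind, image, parent in sorted(events):
        if image.lower() != "dbman.exe":
            continue
        if kind == "exit":
            last_exit = ts
        elif (kind == "start" and parent.lower() == "imcsysdm.exe"
              and last_exit is not None and ts - last_exit <= window_s):
            hits.append(ts)
    return hits


def build_msg(cmd: int, body: bytes) -> bytes:
    """Frame a message under the assumed layout: length covers command id plus body."""
    return struct.pack(">II", 4 + len(body), cmd) + body


# Constructed sample traffic and process events (not captures from a real system).
SAMPLE_FLOWS = [
    ("10.0.0.7", "10.0.0.20", 2810, b"\xff\xff\xff\x00"),                                  # the nc probe
    ("10.0.0.7", "10.0.0.20", 2810, build_msg(10018, b"BackHoseIp=10.0.0.7\x00")),
    ("10.0.0.7", "10.0.0.20", 2810, build_msg(10018, b"BackupTimeMinute=" + b"A" * 300 + b"\x00")),
    ("10.0.0.9", "10.0.0.20", 2810, build_msg(10000, b"SELECT 1\x00")),                     # other command id
    ("10.0.0.7", "10.0.0.20", 8080, b"\xff\xff\xff\x00"),                                  # wrong port, ignored
]
SAMPLE_EVENTS = [
    (1000.0, "start", "imcsysdm.exe", "services.exe"),
    (1001.0, "start", "dbman.exe", "imcsysdm.exe"),    # normal service startup
    (1600.0, "exit", "dbman.exe", "imcsysdm.exe"),     # crash caused by the alloc-dos probe
    (1605.0, "start", "dbman.exe", "imcsysdm.exe"),    # restart re-reads dbman.conf
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
    print("suspicious dbman restarts at:", dbman_restarts(SAMPLE_EVENTS))
```

The network classifier is deliberately keyed on the length field rather than on the literal \xff\xff\xff\x00 bytes, so variants of the probe with a different low byte or trailing junk still trip it; the restart detector pairs the network alert with the host-side step, which is the signal that distinguishes an exploitation attempt from a one-off crash.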

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C