CVE-2020-11853
Published 2020-10-22
Priority: P181 · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 76.99% (99.5th percentile)
Arbitrary code execution vulnerability affecting multiple Micro Focus products:
1. Operations Bridge Manager: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x, and older versions.
2. Application Performance Management: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3.
3. Data Center Automation: 2019.11.
4. Operations Bridge (containerized): 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11.
5. Universal CMDB: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30.
6. Hybrid Cloud Management: 2020.05.
7. Service Management Automation: 2020.5 and 2020.02.
The vulnerability could allow an attacker to execute arbitrary code.
Affected
69 affected ranges on the source page; version data was extracted for only a few of them.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | universal_cmbd_foundation | — | — |
| micro_focus | application_performance_management | — | — |
| micro_focus | data_center_automation | — | — |
| micro_focus | hybrid_cloud_management | 2018.05 – 2020.05 | — |
| micro_focus | operation_bridge_manager | — | — |
| micro_focus | operation_bridge_manager | unspecified – 10.63 | — |
| micro_focus | operations_bridge | — | — |
Detection & IOCs (extracted from sources)
- Detect successful authentication by monitoring for 'LWSSO_COOKIE_KEY' in HTTP response headers from UCMDB endpoints, which indicates a session was established and may precede RCE exploitation.
- Detect reconnaissance/fingerprinting of vulnerable UCMDB instances by monitoring GET requests to /ucmdb-api/connect returning HTTP 200 with a body containing both 'HttpUcmdbServiceProviderFactoryImpl' and 'ServerVersion=11.6.0'.
- The exploit chain involves two steps: (1) authentication using hardcoded 'diagnostics'/'admin' credentials, followed by (2) Java deserialization RCE using the ysoserial CommonsBeanutils1 payload. Monitor for deserialization payloads in authenticated HTTP requests to UCMDB endpoints.
- For the authenticated RCE variant (CVE-2020-11853), any valid low-privileged user's LWSSO_COOKIE_KEY session cookie can be used to trigger the Java deserialization. Monitor for anomalous deserialization payloads in requests from low-privileged accounts.
- The unauthenticated RCE module targets UCMDB included in Operations Bridge Manager 2020.05 and below, but may also work against Operations Bridge Manager (containerized) and Application Performance Management — test scope accordingly.
- The authenticated RCE module was only tested on Operations Bridge Manager despite the vulnerability affecting multiple Micro Focus products (OBM, APM, DCA, UCMDB, HCM, SMA).
- Both Windows and Linux installations are vulnerable to the unauthenticated deserialization exploit chain.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Metasploit
Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution
This module exploits two vulnerabilities that, when chained, allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. The UCMDB included in versions 2020.05 and below of Operations Bridge Manager is affected, but this module can probably also be used to exploit Operations Bridge Manager (containerized) and Application Performance Management. Check the advisory and module documentation for details. The first vulnerability is a hardcoded password for the "diagnostics" user, which allows us to log in to UCMDB. The second vulnerability is a run-of-the-mill Java deserialization, which can be exploited with ysoserial's CommonsBeanutils1 payload. Both Windows and Linux installations are vulnerable…
Nuclei · CVSS 8.8
Micro Focus Checks (CVE-2020-11853, HIGH)
A simple workflow that runs all Micro Focus related nuclei templates on a given target.
Template:
```yaml
id: micro-focus-workflow

info:
  name: Micro Focus Checks
  author: dwisiswant0
  description: A simple workflow that runs all Micro Focus related nuclei templates on a given target.

workflows:
  - template: http/default-logins/UCMDB/
  - template: http/cves/2020/CVE-2020-11853.yaml
  - template: http/cves/2020/CVE-2020-11854.yaml
```
Nuclei · CVSS 8.8
Micro Focus Universal CMDB Default Login (CVE-2020-11853, HIGH)
Micro Focus Universal CMDB default login credentials were discovered for diagnostics/admin. Note there is potential for this to be chained together with other vulnerabilities, as with CVE-2020-11853 and CVE-2020-11854.
Template:
```yaml
id: ucmdb-default-login

info:
  name: Micro Focus Universal CMDB Default Login
  author: dwisiswant0
  severity: high
  description: Micro Focus Universal CMDB default login credentials were discovered for diagnostics/admin. Note there is potential for this to be chained together with other vulnerabilities as with CVE-2020-11853 and CVE-2020-11854.
  reference:
    - https://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.htm
  classification:
    cwe-id: CWE-798
  metadata:
    max-request: 1
  tags: ucmdb,default-login
```
Metasploit
Micro Focus Operations Bridge Manager Authenticated Remote Code Execution
This module exploits an authenticated Java deserialization that affects a truckload of Micro Focus products: Operations Bridge Manager, Application Performance Management, Data Center Automation, Universal CMDB, Hybrid Cloud Management and Service Management Automation. However, this module was only tested on Operations Bridge Manager. Exploiting this vulnerability will result in remote code execution as the root user on Linux or the SYSTEM user on Windows. Authentication is required: the module user needs to log in to the application and obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module. Any authenticated user can exploit this vulnerability, even the lowest privileged ones. For more information…
Nuclei · CVSS 8.8
Micro Focus Operations Bridge Manager <=2020.05 - Remote Code Execution (CVE-2020-11853, HIGH)
Micro Focus Operations Bridge Manager in versions 2020.05 and below is vulnerable to remote code execution via UCMDB. The vulnerability allows remote attackers to execute arbitrary code on affected installations of Data Center Automation. An attack requires network access and authentication as a valid application user. Originated from Metasploit module (#14654).
Template:
```yaml
id: CVE-2020-11853

info:
  name: Micro Focus Operations Bridge Manager <=2020.05 - Remote Code Execution
  author: dwisiswant0
  severity: high
  description: |
    Micro Focus Operations Bridge Manager in versions 2020.05 and below is vulnerable to remote code execution via UCMDB. The vulnerability allows remote attackers to execute arbitrary code on affected installations of Data Center Automation. An attack requires network access and authentication as a valid application user. Originated from Metasploit module (#14654).
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/161366/Micro-Focus-Operations-Bridge-Manager-Remote-Code-Execution.html
- https://softwaresupport.softwaregrp.com/doc/KM03747657
- https://softwaresupport.softwaregrp.com/doc/KM03747658
- https://softwaresupport.softwaregrp.com/doc/KM03747854
- https://softwaresupport.softwaregrp.com/doc/KM03747948
- https://softwaresupport.softwaregrp.com/doc/KM03747949
- https://softwaresupport.softwaregrp.com/doc/KM03747950
- https://softwaresupport.softwaregrp.com/doc/KM03749879