A vulnerability was found in HPE Intelligent Management Center up to 7.3 E0506 (Log Management Software). It has been declared as critical. Affected by this vulnerability is an unknown code block. The manipulation with an unknown input leads to a code injection vulnerability. The CWE definition for the vulnerability is CWE-94. The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

A remote code execution vulnerability was identified in HPE Intelligent Management Center (iMC) Wireless Service Manager (WSM) Software earlier than version WSM 7.3 (E0506). This issue was resolved in HPE IMC Wireless Services Manager Software IMC WSM 7.3 E0506P01 or subsequent version.

The bug was discovered 05/25/2018. The weakness was shared 08/06/2018 (Website). It is possible to read the advisory at support.hpe.com. This vulnerability is known as CVE-2017-8990 since 05/15/2017. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1059 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 73 days. During that time the estimated underground price was around $5k-$25k.

Upgrading to version 7.3 E0506P01 eliminates this vulnerability.

Productinfo

Type

• Log Management Software

Vendor

• HPE

Name

• Intelligent Management Center

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion