VERIFIED SOLUTION

Vulnerability arising from exposed Java RMI port 1099 on EngageOne Server

Products Affected: EngageOne 4.3.0, 4.3.1, 4.3.2, 4.4GA, 4.4SP1, 4.4SP2, 4.4SP3, 4.4SP5, 4.4SP6
Product Feature: Deployment / Configuration
Operating System: All

Issue

A security scan of the EngageOne Server shows port 1099 open.
It could show a result like the following:
HPE Intelligent Management Center (iMC) PLAT Java RMI Registry Deserialization RCE Vulnerability (HPESBHF03815)
QID: 370818 CVSS Base: 7.5
Category: Local CVSS Temporal: 5.9
CVE ID: CVE-2017-5792
Vendor Reference: HPESBHF03815
Bugtraq ID: 96769
Service Modified: 03/26/2018 CVSS3 Base: 9.8
User Modified: - CVSS3 Temporal: 8.8
Edited: No
PCI Vuln: Yes
THREAT:
HPE Intelligent Management Center, or IMC, is a new breed of network management systems, designed to give enterprises the most comprehensive
visibility, efficiency, and agility possible.
A security vulnerability in HPE Intelligent Management Center (iMC) PLAT can be exploited to allow remote code execution. This is an enhanced fix
for ZDI-17-162/CVE-2017-5792.
Affected Versions:
HPE Intelligent Management Center (iMC) IMC PLAT 7.3 E0504P2
HPE Intelligent Management Center (iMC) iMC PLAT 7.2 E0403P06
QID Detection Logic (Unauthenticated):
This QID sends a specially crafted command to the target and waits for the vulnerable response.
IMPACT:
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM.
SOLUTION:
Please refer to hpesbhf03815en_us (https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03815en_us) for more information
about patching this vulnerability.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
HPESBHF03815 (https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03815en_us)
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
Core Security
Reference: CVE-2017-5792
Description: HPE Intelligent Management Center Java RMI Registry Deserialization Vulnerability Remote Code Execution Exploit - Core
Security Category : Exploits/Remote
The Exploit-DB
Reference: CVE-2017-5792
Description: HPE iMC 7.3 - RMI Java Deserialization - The Exploit-DB Ref : 43927
Link: http://www.exploit-db.com/exploits/43927
Qualys
Reference: CVE-2017-5792
Description: HPE iMC 7.3 Java RMI Registry Deserialization RCE Vulnerability
Link: https://www.exploit-db.com/exploits/43927/
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
HPE Intelligent Management Center (iMC) PLAT Java RMI Registry Deserialization RCE Vulnerability detected over port 1099 over TCP.

Cause

The JMX interface is open for connection without a password on port 1099 of the Composition and Notification bundles.

Aside from the scanned vulnerabilities, it is possible to attach remotely to Composition and Notification nodes through JMX. This could allow remote access to all JVM properties of the Composition bundle, including the unencrypted database user name and password. An attacker who successfully exploited these vulnerabilities could later use those credentials to access the database server, and could then view, change or delete data, and perform any other actions which are authorized for the EngageOne database user.
 

Resolution

UPDATED: June 12, 2018
A patch is required to ensure that the JMX interface is no longer exposed over a TCP connection.

Pitney Bowes is releasing patches to fix this vulnerability for all affected 4.4 versions, as it is deemed too critical to wait for distribution in the next Service Pack release.

Until a patch can be applied, the vulnerability can be significantly mitigated by using a network firewall to block connections to port 1099 on any servers where an EngageOne Composition or Notification bundle is running.

As soon as possible, customers should download and install the patch to close the vulnerability completely.
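Once the firewall rule or the patch is in place, the check below (an added example, not Pitney Bowes' code and not part of this article) confirms from another host whether TCP port 1099 on a Composition or Notification server still answers as a Java RMI registry, and tells a firewall drop apart from a reject and from a still-exposed registry. It assumes a standard Java RMI registry on that port (the handshake bytes are those of the JRMP wire protocol); the host and port arguments and the loopback stand-in listeners are constructed for offline use only.

```python
import socket
import struct
import threading

# JRMP stream handshake (Java RMI wire protocol): the client sends "JRMI", version 2
# and the StreamProtocol byte 0x4B; an RMI registry answers with ProtocolAck 0x4E.
JRMI_HEADER = b"JRMI" + struct.pack(">HB", 2, 0x4B)
PROTOCOL_ACK = b"\x4e"


def probe_rmi(host, port=1099, timeout=3.0):
    """Classify host:port: 'closed' (connect refused: no listener or firewall REJECT),
    'filtered' (connect timed out: typical of a firewall DROP), 'open-rmi' (an RMI
    registry completed the handshake, i.e. still exposed) or 'open-other'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout and unreachable-network errors land here
        return "filtered"
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(JRMI_HEADER)
            reply = sock.recv(1)
        except OSError:  # reset or silence: the listener does not speak JRMP
            return "open-other"
    return "open-rmi" if reply == PROTOCOL_ACK else "open-other"


# Constructed loopback stand-ins so probe_rmi() can be exercised offline. A real
# registry replies ProtocolAck, then the client's host (UTF string) and port (int).
FAKE_RMI_REPLY = PROTOCOL_ACK + struct.pack(">H", 9) + b"127.0.0.1" + struct.pack(">I", 0)


def serve_once(reply):
    """Listen on a loopback port, answer one connection with `reply`; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with srv, conn:
            conn.recv(len(JRMI_HEADER))
            conn.sendall(reply)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A loopback port with nothing listening, to demonstrate the 'closed' outcome."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run probe_rmi() against each EngageOne server from a host outside the firewall boundary; anything other than 'closed' or 'filtered' means the mitigation is not effective for that path.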
 
Affected Products and Versions         Patch Download
EngageOne Server 4.4 Service Pack 2    http://store.pbinsight.com/promo/4911363200
EngageOne Server 4.4 Service Pack 3    http://store.pbinsight.com/promo/4911363100
EngageOne Server 4.4 Service Pack 4    http://store.pbinsight.com/promo/4911363000
EngageOne Server 4.4 Service Pack 5    http://store.pbinsight.com/promo/4911362900
EngageOne Server 4.4 Service Pack 6    http://store.pbinsight.com/promo/4911362800