Risk | High |
Patch available | YES |
Number of vulnerabilities | 6 |
CVE-ID | CVE-2017-8962 CVE-2017-8963 CVE-2017-8964 CVE-2017-8965 CVE-2017-8966 CVE-2017-8967 |
CWE-ID | CWE-502 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | HPE iMC PLAT (Hardware solutions / Routers & switches, VoIP, GSM, etc) |
Vendor | HPE |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
EUVDB-ID: #VU8971
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-8962
CWE-ID: CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists in HPE Intelligent Management Center (iMC) PLAT due to deserialization of untrusted data. A remote attacker can supply specially crafted input and execute arbitrary code with elevated privileges.
Install the update from the vendor's website (iMC PLAT 7.3 E0506P03).
Vulnerable software versions
HPE iMC PLAT: 7.3 E0504P2
External links
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03787en_us
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8972
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-8963
CWE-ID: CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists in HPE Intelligent Management Center (iMC) PLAT due to deserialization of untrusted data. A remote attacker can supply specially crafted data and execute arbitrary code with elevated privileges.
Install the update from the vendor's website (iMC PLAT 7.3 E0506P03).
Vulnerable software versions
HPE iMC PLAT: 7.3 E0504P2
External links
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03787en_us
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8973
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-8964
CWE-ID: CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists in HPE Intelligent Management Center (iMC) PLAT due to deserialization of untrusted data. A remote attacker can supply specially crafted input and execute arbitrary code with elevated privileges.
Install the update from the vendor's website (iMC PLAT 7.3 E0506P03).
Vulnerable software versions
HPE iMC PLAT: 7.3 E0504P2
External links
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03787en_us
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8974
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-8965
CWE-ID: CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists in HPE Intelligent Management Center (iMC) PLAT due to deserialization of untrusted data. A remote attacker can supply specially crafted input and execute arbitrary code with elevated privileges.
Install the update from the vendor's website (iMC PLAT 7.3 E0506P03).
Vulnerable software versions
HPE iMC PLAT: 7.3 E0504P2
External links
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03787en_us
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8975
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-8966
CWE-ID: CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists in HPE Intelligent Management Center (iMC) PLAT due to deserialization of untrusted data. A remote attacker can supply specially crafted input and execute arbitrary code with elevated privileges.
Install the update from the vendor's website (iMC PLAT 7.3 E0506P03).
Vulnerable software versions
HPE iMC PLAT: 7.3 E0504P2
External links
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03787en_us
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8976
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-8967
CWE-ID: CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists in HPE Intelligent Management Center (iMC) PLAT due to deserialization of untrusted data. A remote attacker can supply specially crafted input and execute arbitrary code with elevated privileges.
Install the update from the vendor's website (iMC PLAT 7.3 E0506P03).
Vulnerable software versions
HPE iMC PLAT: 7.3 E0504P2
External links
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03787en_us
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.