Sign-up

ID

VAR-201808-0666


CVE

CVE-2017-8990


TITLE

HPE Intelligent Management Center Wireless Service Manager Vulnerability in software

Trust: 0.8

sources: JVNDB: JVNDB-2017-014165

DESCRIPTION

A remote code execution vulnerability was identified in HPE Intelligent Management Center (iMC) Wireless Service Manager (WSM) Software earlier than version WSM 7.3 (E0506). This issue was resolved in HPE IMC Wireless Services Manager Software IMC WSM 7.3 E0506P01 or subsequent version. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the strMac parameter provided to the macToByte method. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. The solution provides network-wide visibility for comprehensive management of resources, services and users. Wireless Service Manager (WSM) Software is one of the wireless service management software. The vulnerability stems from the fact that the program does not verify the length of the data submitted by the user, causing the size of the copied data to exceed the fixed-length buffer space based on the stack

Trust: 2.34

sources: NVD: CVE-2017-8990 // JVNDB: JVNDB-2017-014165 // ZDI: ZDI-18-777 // VULHUB: VHN-117193

AFFECTED PRODUCTS

vendor:hpmodel:imc wireless service managerscope:eqversion:7.3

Trust: 1.6

vendor:hpmodel:imc wireless service managerscope:ltversion:7.3

Trust: 1.0

vendor:hewlett packardmodel:hpe intelligent management center wireless service managerscope:ltversion:7.3 (e0506)

Trust: 0.8

vendor:hewlett packardmodel:intelligent management centerscope: - version: -

Trust: 0.7

sources: ZDI: ZDI-18-777 // JVNDB: JVNDB-2017-014165 // CNNVD: CNNVD-201705-751 // NVD: CVE-2017-8990

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-8990
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-8990
value: CRITICAL

Trust: 0.8

ZDI: CVE-2017-8990
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201705-751
value: HIGH

Trust: 0.6

VULHUB: VHN-117193
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-8990
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2017-8990
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-117193
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-8990
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: ZDI: ZDI-18-777 // VULHUB: VHN-117193 // JVNDB: JVNDB-2017-014165 // CNNVD: CNNVD-201705-751 // NVD: CVE-2017-8990

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2017-8990

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-751

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201705-751

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-014165

PATCH
title:hpesbhf03852en_usurl:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03852en_us
Trust: 0.8
title:Hewlett Packard Enterprise has issued an update to correct this vulnerability.url:https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03852en_us
Trust: 0.7
sources:
            
            
            ZDI: ZDI-18-777 // 
            
            
            
            JVNDB: JVNDB-2017-014165

EXTERNAL IDS
db:NVDid:CVE-2017-8990
Trust: 3.2
db:SECTRACKid:1040988
Trust: 1.1
db:JVNDBid:JVNDB-2017-014165
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-5671
Trust: 0.7
db:ZDIid:ZDI-18-777
Trust: 0.7
db:CNNVDid:CNNVD-201705-751
Trust: 0.7
db:VULHUBid:VHN-117193
Trust: 0.1
sources:
            
            
            ZDI: ZDI-18-777 // 
            
            
            
            VULHUB: VHN-117193 // 
            
            
            
            JVNDB: JVNDB-2017-014165 // 
            
            
            
            CNNVD: CNNVD-201705-751 // 
            
            
            
            NVD: CVE-2017-8990

REFERENCES
url:http://www.securitytracker.com/id/1040988
Trust: 1.1
url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03852en_us
Trust: 1.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8990
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-8990
Trust: 0.8
url:https://support.hpe.com/hpsc/doc/public/display?docid=hpesbhf03852en_us
Trust: 0.7
url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03852en_us
Trust: 0.7
sources:
            
            
            ZDI: ZDI-18-777 // 
            
            
            
            VULHUB: VHN-117193 // 
            
            
            
            JVNDB: JVNDB-2017-014165 // 
            
            
            
            CNNVD: CNNVD-201705-751 // 
            
            
            
            NVD: CVE-2017-8990

CREDITS
sztivi
Trust: 0.7
sources:
            
            
            ZDI: ZDI-18-777

SOURCES
db:ZDIid:ZDI-18-777
db:VULHUBid:VHN-117193
db:JVNDBid:JVNDB-2017-014165
db:CNNVDid:CNNVD-201705-751
db:NVDid:CVE-2017-8990

LAST UPDATE DATE
2024-11-23T22:38:04.814000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-18-777date:2018-07-26T00:00:00
db:VULHUBid:VHN-117193date:2018-10-05T00:00:00
db:JVNDBid:JVNDB-2017-014165date:2018-11-01T00:00:00
db:CNNVDid:CNNVD-201705-751date:2018-08-07T00:00:00
db:NVDid:CVE-2017-8990date:2024-11-21T03:35:08.007

SOURCES RELEASE DATE
db:ZDIid:ZDI-18-777date:2018-07-26T00:00:00
db:VULHUBid:VHN-117193date:2018-08-06T00:00:00
db:JVNDBid:JVNDB-2017-014165date:2018-11-01T00:00:00
db:CNNVDid:CNNVD-201705-751date:2017-05-17T00:00:00
db:NVDid:CVE-2017-8990date:2018-08-06T20:29:01.087