CVE-2013-4810
Published: 16 September 2013
Summary
CVE-2013-4810 is a critical-severity Code Injection (CWE-94) vulnerability in HP ProCurve Manager. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management contain a remote code execution vulnerability tracked as CVE-2013-4810. The flaw, assigned CWE-94, permits unauthenticated attackers to supply a marshalled object to the EJBInvokerServlet or JMXInvokerServlet endpoints, resulting in arbitrary code execution on the server. It carries a CVSS 3.1 score of 9.8 and is noted as likely duplicative of earlier issues in similar servlet invoker components.
An attacker with network access can send a crafted request containing the malicious marshalled object directly to the exposed servlets. Successful exploitation grants the attacker the ability to execute arbitrary code with the privileges of the affected application process, potentially leading to full system compromise without requiring authentication or user interaction.
HP published remediation guidance in security bulletin c03897409, while additional details appear in Secunia advisory 54788 and SecurityTracker entry 1029010. The references also point to related disclosures on the Bugtraq mailing list that discuss the same class of invoker servlet exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-4655
Vulnerability details
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforcing authorization checks on EJBInvokerServlet and JMXInvokerServlet rejects unauthenticated marshalled-object requests before code execution occurs.
- SC-7 (Boundary Protection): Boundary-protection rules can block external network traffic to the exposed invoker servlets, eliminating the remote attack vector described in the CVE.
- Least-functionality configuration disables or removes unnecessary invoker servlets, directly reducing the attack surface that permits unauthenticated RCE.