HPE Insight Cluster Management Utility Unauthenticated Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in HPE Insight Cluster Management Utility (CMU) version 8.2. This vulnerability allows unauthenticated attackers to execute commands on the backend server with root privileges, potentially leading to full system access. The issue arises from an authentication bypass in the Java client application, which can be exploited by manipulating the application's authorization checks and exploiting Java RMI functionality.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server where HPE Insight Cluster Management Utility is running. The executed commands are run as the root user, providing full system access. Additionally, since HPE CMU is used for managing HPC clusters, this could result in complete control over all nodes within the cluster.

Reproduction

The vulnerability can be reproduced by downloading the Java client application from the HPE Insight Cluster Management Utility web interface. Once the application is launched, it connects to the backend server over port 1099 using Java RMI. After decompiling the client application and modifying it to bypass authentication checks, the application can be recompiled and executed. This modified application can then be used to call RMI methods that execute commands on the server, such as 'ifconfig', demonstrating the remote code execution capability.

Remediation

HPE Insight Cluster Management Utility is no longer supported and will not receive updates. It is recommended to isolate the application from the rest of the network, so that the backend's Java RMI listener on port 1099 is reachable only from hosts that must administer the cluster, to limit exposure.
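Because the only remediation is network isolation, the practical check is whether the backend's RMI port (1099, as stated above) is still reachable from network segments that should not see it. The following script is an added example written for this page, not code from HPE or from the advisory: run it from an untrusted segment against the CMU backend hosts you administer (the host list is an assumed input), and any host reported as reachable means the isolation is incomplete. The demonstration at the bottom uses a constructed loopback listener in place of a real backend so it runs offline.

```python
import socket
from contextlib import closing

# HPE CMU's Java client reaches the backend over Java RMI on this port (per the advisory).
RMI_REGISTRY_PORT = 1099


def tcp_port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within `timeout` seconds.

    Only the TCP handshake is attempted; nothing is sent, so this is safe to run
    against production systems you are responsible for.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        # Connection refused, timed out, unreachable network, DNS failure, ...
        return False


def check_isolation(hosts, port: int = RMI_REGISTRY_PORT, timeout: float = 2.0) -> dict:
    """Map each backend host to whether its RMI port answers from this vantage point.

    Run from a segment that should NOT be able to manage the cluster:
    every True entry is a host whose isolation has failed.
    """
    return {host: tcp_port_reachable(host, port, timeout) for host in hosts}


def exposed_hosts(results: dict) -> list:
    """Return the hosts whose RMI port was reachable, sorted for stable reporting."""
    return sorted(host for host, reachable in results.items() if reachable)


def _local_listener() -> socket.socket:
    """Constructed test fixture: an ephemeral listening socket on loopback that stands
    in for an exposed CMU backend. Not part of the real check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Offline demonstration. In real use, replace this with e.g.:
    #   results = check_isolation(["cmu-head.example.internal"])   # hypothetical hostname
    with closing(_local_listener()) as srv:
        demo_port = srv.getsockname()[1]
        # While the listener is open the "backend" is reachable -> isolation failed.
        results = check_isolation(["127.0.0.1"], port=demo_port, timeout=1.0)
        print("with listener open:", results, "exposed:", exposed_hosts(results))
    # After the listener closes, the same port refuses connections -> isolated.
    results = check_isolation(["127.0.0.1"], port=demo_port, timeout=1.0)
    print("with listener closed:", results, "exposed:", exposed_hosts(results))
```

The check deliberately stops at the TCP handshake: it does not speak the RMI protocol or enumerate the registry, since the goal is to confirm that a firewall or network segmentation blocks the port, not to interact with the service.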

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category          Score
  spread              0.0
  impact             10.0
  exploitability      8.7
  remediation         0.0
  relevance           0.0
  threat              6.4
  urgency             2.9
  incentive           5.8

Our algorithm analyzes dozens of metrics to produce scores for these eight vulnerability categories, which are then combined into the overall risk score.