CVE-2020-11854

Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) products.

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in Micro Focus products products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulneravility affects: 1.) Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. 3.) Application Performance Management versions 9,51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow Arbitrary code execution.

Una vulnerabilidad de ejecución de código arbitraria en Operation Bridge Manager, Application Performance Management y Operations Bridge (en contenedores). Vulnerabilidad en los productos Micro Focus Operation Bridge Manager, Operation Bridge (containerized) y Application Performance Management. La vulnerabilidad afecta: 1.) Operation Bridge Manager versiones 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 y todas las versiones anteriores. 2.) Operations Bridge (en contenedores) versiones: 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 y 2017.11. 3.) Application Performance Management versiones: 9,51, 9.50 y 9.40 con uCMDB versión 10.33 CUP 3. La vulnerabilidad podría permitir una ejecución de código Arbitraria

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Micro Focus Operations Bridge Manager. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the product's authentication mechanism. The product contains a hard-coded password for the diagnostics user account. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

*Credits: Micro Focus would like to thank Pedro Ribeiro from Agile Information Security working with Trend Micro Zero Day Initiative for discovering and reporting the vulnerability

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-04-16 CVE Reserved
2020-10-27 CVE Published
2024-08-04 CVE Updated
2024-10-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-798: Use of Hard-coded Credentials

CAPEC

References (5)

URL	Tag	Source
http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html	X_refsource_misc
https://softwaresupport.softwaregrp.com/doc/KM03747657	X_refsource_misc
https://softwaresupport.softwaregrp.com/doc/KM03747658	X_refsource_misc
https://softwaresupport.softwaregrp.com/doc/KM03747854	X_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-20-1287	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microfocus Search vendor "Microfocus"		Application Performance Management Search vendor "Microfocus" for product "Application Performance Management"				9.50 Search vendor "Microfocus" for product "Application Performance Management" and version "9.50"		-		Affected
Microfocus Search vendor "Microfocus"		Application Performance Management Search vendor "Microfocus" for product "Application Performance Management"				9.51 Search vendor "Microfocus" for product "Application Performance Management" and version "9.51"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Search vendor "Microfocus" for product "Operations Bridge"				2017.11 Search vendor "Microfocus" for product "Operations Bridge" and version "2017.11"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Search vendor "Microfocus" for product "Operations Bridge"				2018.02 Search vendor "Microfocus" for product "Operations Bridge" and version "2018.02"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Search vendor "Microfocus" for product "Operations Bridge"				2018.05 Search vendor "Microfocus" for product "Operations Bridge" and version "2018.05"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Search vendor "Microfocus" for product "Operations Bridge"				2018.08 Search vendor "Microfocus" for product "Operations Bridge" and version "2018.08"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Search vendor "Microfocus" for product "Operations Bridge"				2018.11 Search vendor "Microfocus" for product "Operations Bridge" and version "2018.11"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Search vendor "Microfocus" for product "Operations Bridge"				2019.05 Search vendor "Microfocus" for product "Operations Bridge" and version "2019.05"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Search vendor "Microfocus" for product "Operations Bridge"				2019.08 Search vendor "Microfocus" for product "Operations Bridge" and version "2019.08"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Search vendor "Microfocus" for product "Operations Bridge"				2020.05 Search vendor "Microfocus" for product "Operations Bridge" and version "2020.05"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				<= 10.10 Search vendor "Microfocus" for product "Operations Bridge Manager" and version " <= 10.10"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				10.11 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "10.11"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				10.12 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "10.12"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				10.60 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "10.60"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				10.61 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "10.61"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				10.62 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "10.62"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				10.63 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "10.63"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				2018.05 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "2018.05"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				2018.11 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "2018.11"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				2019.05 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "2019.05"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				2019.11 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "2019.11"		-		Affected
Microfocus Search vendor "Microfocus"		Operations Bridge Manager Search vendor "Microfocus" for product "Operations Bridge Manager"				2020.05 Search vendor "Microfocus" for product "Operations Bridge Manager" and version "2020.05"		-		Affected
Microfocus Search vendor "Microfocus"		Application Performance Management Search vendor "Microfocus" for product "Application Performance Management"				9.40 Search vendor "Microfocus" for product "Application Performance Management" and version "9.40"		-		Affected
Microfocus Search vendor "Microfocus"		Universal Cmdb Search vendor "Microfocus" for product "Universal Cmdb"				10.33 Search vendor "Microfocus" for product "Universal Cmdb" and version "10.33"		cumulative_update_package_3		Safe