CVE-2018-15764

9.8 CRITICAL

📋 TL;DR

Dell EMC ESRS Policy Manager versions 6.8 and prior contain a remote code execution vulnerability due to improper JMX service configurations. A remote unauthenticated attacker can exploit this to execute arbitrary code on the server with JVM privileges. This affects all systems running vulnerable versions of ESRS Policy Manager.

💻 Affected Systems

Products:
  • Dell EMC ESRS Policy Manager
Versions: 6.8 and prior versions
Operating Systems: All supported OS for ESRS Policy Manager
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default JMX service configurations that allow unauthenticated remote access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing an attacker to install malware, steal sensitive data, pivot to other systems, or disrupt operations.

🟠 Likely Case: Attacker gains full control of the ESRS Policy Manager server, potentially accessing managed device credentials and configuration data.

🟢 If Mitigated: Limited impact if the system is isolated, patched, or has network controls preventing external access to JMX services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to JMX services (typically port 1616 or 1617). Public exploit code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 6.9 or later

Vendor Advisory: https://www.dell.com/support/security/en-us/details/536363/DSA-2018-172-Dell-EMC-ESRS-Policy-Manager-Multiple-Security-Vulnerabilities

Restart Required: Yes

Instructions:

1. Download ESRS Policy Manager version 6.9 or later from the Dell support portal.
2. Back up the current configuration and data.
3. Install the update following Dell's upgrade documentation.
4. Restart the ESRS Policy Manager service.

🔧 Temporary Workarounds

Block JMX Ports at Firewall (linux)

Restrict network access to the JMX service ports (typically 1616, 1617) to trusted management systems only. The ACCEPT rule for the trusted source must precede the DROP rule, and both must precede any broader ACCEPT rule already in the INPUT chain (use -I instead of -A if such rules exist). Replace <TRUSTED_MGMT_CIDR> with the address or network of your management stations.

iptables -A INPUT -p tcp -s <TRUSTED_MGMT_CIDR> -m multiport --dports 1616,1617 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 1616,1617 -j DROP

Disable Remote JMX Access (all)

Modify the JVM startup parameters to disable the remote JMX management interface.

Remove -Dcom.sun.management.jmxremote and the related JMX parameters (jmxremote.port, jmxremote.authenticate, jmxremote.ssl) from the startup scripts.

🧯 If You Can't Patch

  • Isolate the ESRS Policy Manager system in a restricted network segment with no internet access.
  • Implement strict firewall rules allowing only necessary connections from trusted management stations.

🔍 How to Verify

Check if Vulnerable:

Check ESRS Policy Manager version via web interface or command: java -jar esrs-policy-manager.jar --version

Check Version:

java -jar esrs-policy-manager.jar --version

Verify Fix Applied:

Verify version is 6.9 or later and check that JMX ports are not accessible from untrusted networks.
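The "Disable Remote JMX Access" workaround and the "Verify Fix Applied" step both come down to one question: is the Policy Manager JVM still started with a remote JMX port and with authentication switched off? The script below is an added example, not code from Dell or from the advisory. It classifies a JVM command line using the standard HotSpot system properties (com.sun.management.jmxremote.port enables the remote agent; the JDK defaults authenticate to true, so only an explicit authenticate=false opens it to anonymous clients). The sample command lines and the process-name pattern "esrs" used to find the live process are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the Dell advisory): audit a JVM command line for
# remote JMX exposure. Flag names are the standard JDK system properties;
# the "esrs" process pattern is an assumption used to locate the JVM.

# Constructed sample command lines (not captured from a real system).
SAMPLE_EXPOSED='java -Dcom.sun.management.jmxremote.port=1616 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar esrs-policy-manager.jar'
SAMPLE_AUTH='java -Dcom.sun.management.jmxremote.port=1616 -Dcom.sun.management.jmxremote.authenticate=true -jar esrs-policy-manager.jar'
SAMPLE_CLOSED='java -jar esrs-policy-manager.jar'

# jmx_exposure CMDLINE
# Prints one of:
#   CLOSED              no remote JMX port configured (local-only or disabled)
#   AUTHENTICATED PORT  remote agent on PORT, password auth left at the JDK default (on)
#   EXPOSED PORT        remote agent on PORT with authenticate=false (anonymous access)
jmx_exposure() {
    cmdline="$1"
    port=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
        | sed -n 's/^-Dcom\.sun\.management\.jmxremote\.port=//p' | head -n1)
    if [ -z "$port" ]; then
        echo CLOSED
        return 0
    fi
    # Only an explicit "false" disables the JDK's default password authentication.
    if printf '%s\n' "$cmdline" | grep -q -- '-Dcom\.sun\.management\.jmxremote\.authenticate=false'; then
        echo "EXPOSED $port"
    else
        echo "AUTHENTICATED $port"
    fi
    return 0
}

# jmx_audit_running [PATTERN]
# Classify every running java process whose arguments match PATTERN
# (assumed "esrs" for the Policy Manager). Uses ps for portability; on Linux,
# /proc/PID/cmdline avoids the argument truncation some ps builds apply.
jmx_audit_running() {
    pattern="${1:-esrs}"
    ps -eo pid=,args= | grep java | grep -- "$pattern" | grep -v grep \
    | while read -r pid args; do
        printf '%s %s\n' "$pid" "$(jmx_exposure "$args")"
    done
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_EXPOSED" "$SAMPLE_AUTH" "$SAMPLE_CLOSED"; do
    jmx_exposure "$sample"
done
```

Run jmx_audit_running on the server after applying the workaround or the 6.9 upgrade: a CLOSED result confirms the remote agent is gone, while EXPOSED means the unauthenticated interface is still being started. If monitoring genuinely needs remote JMX, an AUTHENTICATED result combined with jmxremote.ssl=true and the firewall restriction above is the acceptable configuration.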

📡 Detection & Monitoring

Log Indicators:

  • Unusual JMX connection attempts in application logs
  • Unexpected Java process execution
  • Authentication failures for JMX services

Network Indicators:

  • Connection attempts to port 1616/1617 from untrusted sources
  • JMX protocol traffic containing suspicious commands

SIEM Query:

(dest_port=1616 OR dest_port=1617) AND dest_ip=<ESRS_Server_IP> AND action=blocked

Note: the JMX ports are the destination ports of inbound connections to the ESRS server, and the OR must be parenthesised so it is not swallowed by the surrounding ANDs. Dropping the action=blocked clause also surfaces attempts that a permissive rule let through.
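The network indicators above (attempts against 1616/1617 from untrusted sources) can be turned into a small offline check over firewall logs. The script below is an added example, not part of the advisory: it reads iptables LOG-format lines, keeps only those aimed at the JMX ports on the ESRS server, discards the trusted management station, and counts the rest per source and port. The server address 192.0.2.10, the trusted station 192.0.2.50 and the log lines themselves are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Dell advisory: flag connection attempts to the
# JMX ports from hosts outside a trusted management allowlist, using the
# iptables LOG line format ("SRC=... DST=... DPT=..."). All addresses and log
# lines are constructed sample data.

ESRS_SERVER_IP=192.0.2.10
TRUSTED_MGMT="192.0.2.50"   # space-separated list of trusted management stations

# Constructed iptables LOG output as it would appear in syslog/journald.
SAMPLE_LOG='Jun 10 10:01:02 esrs kernel: JMX-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=1616 SYN
Jun 10 10:01:03 esrs kernel: JMX-DROP: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=1616 SYN
Jun 10 10:01:04 esrs kernel: JMX-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=1617 SYN
Jun 10 10:01:05 esrs kernel: JMX-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3333 DPT=443 SYN
Jun 10 10:01:06 esrs kernel: JMX-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3334 DPT=1617 SYN'

# untrusted_jmx_attempts
# Reads log lines on stdin and prints "SRC DPT COUNT" for every source that is
# not in TRUSTED_MGMT and touched port 1616 or 1617 on ESRS_SERVER_IP.
untrusted_jmx_attempts() {
    awk -v server="$ESRS_SERVER_IP" -v trusted="$TRUSTED_MGMT" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    {
        src = ""; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # Keep only JMX-port attempts against the ESRS server from untrusted sources.
        if (dst == server && (dpt == "1616" || dpt == "1617") && !(src in ok))
            count[src " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Demonstration on the constructed log: two untrusted sources, three hits.
printf '%s\n' "$SAMPLE_LOG" | untrusted_jmx_attempts
```

On a real host, pipe the kernel log (for example journalctl -k or /var/log/kern.log, depending on the distribution) into untrusted_jmx_attempts instead of the sample. Any output line is a source that reached for the JMX ports and should be investigated, whether the packet was dropped by the workaround rule or not.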
