CVE-2019-11994
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary manifest files via directory traversal in an API used during upgrades. It affects HPE SimpliVity/OmniStack hyperconverged infrastructure systems running OmniStack version 3.7.9 and earlier. The API is accessible over the management network without authentication.
💻 Affected Systems
- HPE SimpliVity 380 Gen 9
- HPE SimpliVity 380 Gen 10
- HPE SimpliVity 380 Gen 10 G
- HPE SimpliVity 2600 Gen 10
- SimpliVity OmniCube
- SimpliVity OmniStack for Cisco
- SimpliVity OmniStack for Lenovo
- SimpliVity OmniStack for Dell
📦 What is this software?
SimpliVity OmniStack for Cisco firmware by HPE
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the hyperconverged infrastructure node, allowing attackers to execute arbitrary code with system privileges, potentially leading to data theft, system destruction, or lateral movement within the environment.
Likely Case
Remote code execution on affected nodes, enabling attackers to install malware, exfiltrate data, or disrupt operations of the hyperconverged infrastructure.
If Mitigated
No impact if systems are patched to version 3.7.10+ or the temporary workaround is properly implemented.
🎯 Exploit Status
The vulnerability requires no authentication and involves directory traversal, which is typically straightforward to exploit. Given the high CVSS score and critical nature, exploitation tools likely exist in private/underground circles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.10 or later
Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03956en_us
Restart Required: Yes
Instructions:
1. Download OmniStack version 3.7.10 or later from the HPE support portal.
2. Follow HPE's standard upgrade procedures for SimpliVity/OmniStack systems.
3. Reboot the system after the upgrade completes, as required by the patch.
🔧 Temporary Workarounds
Temporary API Restriction Workaround
HPE provides a temporary workaround that restricts access to the vulnerable API until systems can be patched.
Follow instructions at: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=mmr_sf-EN_US000061901
🧯 If You Can't Patch
- Implement the temporary workaround from HPE to restrict API access immediately.
- Isolate affected systems from untrusted networks, especially the management interfaces, using network segmentation and firewall rules.
🔍 How to Verify
Check if Vulnerable:
Check the OmniStack software version via the management interface or CLI. If the version is 3.7.9 or earlier, the system is vulnerable.
Check Version:
Check via SimpliVity management interface or consult HPE documentation for version checking commands specific to your deployment.
Verify Fix Applied:
Verify the OmniStack software version is 3.7.10 or later after applying the patch.
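The version checks above reduce to one comparison, but it is easy to get wrong in scripts: compared as strings, "3.7.9" sorts after "3.7.10", so a naive inventory script would mark the fixed release as vulnerable. The following is an added example (not HPE tooling or code from this page) that parses the version string reported by the management interface or CLI and compares it numerically against the 3.7.10 threshold stated above. The `inventory` dictionary and the surrounding output text are constructed for the example; the regular expression only assumes the version appears as dotted integers somewhere in that output.

```python
"""Version triage for CVE-2019-11994 (added example, not HPE's code).

The page states that OmniStack 3.7.9 and earlier are affected and that
3.7.10 is the first fixed release. Versions are compared as tuples of
integers so that 3.7.9 < 3.7.10 holds (as strings it would not).
"""
import re

# First fixed release named in the advisory summary on this page.
FIXED_VERSION = (3, 7, 10)


def parse_version(text: str) -> tuple:
    """Extract a dotted numeric version from free-form CLI/UI output.

    Tolerates surrounding text and extra components such as '3.7.9.1234'
    by taking the first run of dot-separated integers.
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text: str) -> bool:
    """True when the reported OmniStack version is below 3.7.10."""
    parts = parse_version(version_text)
    # Only major.minor.patch decide the comparison; a trailing build
    # number does not move a release across the 3.7.10 boundary.
    return parts[:3] < FIXED_VERSION


def triage(inventory: dict) -> dict:
    """Map host -> 'VULNERABLE' / 'FIXED' / 'UNKNOWN' from reported version text."""
    result = {}
    for host, text in inventory.items():
        try:
            result[host] = "VULNERABLE" if is_vulnerable(text) else "FIXED"
        except ValueError:
            result[host] = "UNKNOWN"  # could not parse; check by hand
    return result


if __name__ == "__main__":
    # Constructed sample inventory: host name -> raw version output.
    inventory = {
        "node-a": "OmniStack version 3.7.9.1234",
        "node-b": "OmniStack version 3.7.10",
        "node-c": "3.8.0",
        "node-d": "version unavailable",
    }
    for host, state in triage(inventory).items():
        print(f"{host}: {state}")
```

Any host reported as UNKNOWN should be checked manually rather than assumed fixed; the parser deliberately refuses to guess when no dotted version is present.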
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to upgrade-related endpoints
- Failed directory traversal attempts in system logs
- Unexpected manifest file execution
Network Indicators:
- Unauthenticated requests to upgrade APIs on management network ports
- Traffic patterns suggesting exploitation attempts
SIEM Query:
Search for: (destination_port:management_port AND http_method:POST AND (uri_path:"*upgrade*" OR uri_path:"*manifest*")) AND NOT (user_agent:"legitimate_tool" OR source_ip:trusted_range)
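The log and network indicators listed above can be turned into a concrete, offline check over management-interface access logs. The following is an added example (not HPE's code and not part of the original page) that applies the same two rules as the SIEM query: calls to upgrade- or manifest-related endpoints that either carry a directory-traversal sequence or arrive unauthenticated from an untrusted source. The log line format, the `auth=` field, the endpoint paths and the trusted source address are all constructed for the example; adapt the regular expression and the allow-list to your collector's schema. Paths are percent-decoded repeatedly before matching so that double-encoded traversal (`%252e%252e`) is not missed, which is the usual way a plain substring search on the raw URI fails.

```python
"""Log-based detection heuristic for CVE-2019-11994 (added example).

Hunts for the two indicator classes named on the page in HTTP access logs
from the management interface: unauthenticated calls to upgrade/manifest
endpoints, and directory-traversal sequences in such calls. The log
format, field names, endpoint paths and trusted source IP below are
constructed placeholders, not HPE's real schema or endpoints.
"""
import re
from urllib.parse import unquote

# Endpoint keywords taken from the page's SIEM query.
UPGRADE_KEYWORDS = ("upgrade", "manifest")
# "../" or "..\" anywhere in the decoded path.
TRAVERSAL = re.compile(r"\.\.[\\/]")
# Constructed placeholder: the legitimate upgrade orchestrator's address.
TRUSTED_SOURCES = {"10.0.0.5"}
# Constructed line format: "<ts> <src_ip> <method> <path> <status> auth=<yes|no>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)


def normalize_path(path: str) -> str:
    """Percent-decode until the string stops changing (handles %252e)."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def classify(line: str):
    """Return a finding label for one log line, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    path = normalize_path(m["path"])
    if not any(k in path.lower() for k in UPGRADE_KEYWORDS):
        return None  # not an upgrade-related endpoint
    if TRAVERSAL.search(path):
        return "traversal_in_upgrade_api"
    if m["auth"] == "no" and m["src"] not in TRUSTED_SOURCES:
        return "unauthenticated_upgrade_api_call"
    return None


def scan(lines) -> list:
    """Return (line_number, label, src_ip) for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        label = classify(line)
        if label:
            findings.append((n, label, LINE_RE.match(line)["src"]))
    return findings


# Constructed sample log: one benign upgrade call from the trusted source,
# one unrelated call, one double-encoded traversal, one unauthenticated call.
SAMPLE_LOG = [
    "2019-06-01T10:00:01Z 10.0.0.5 POST /api/upgrade/manifest 200 auth=yes",
    "2019-06-01T10:00:02Z 10.0.0.9 GET /api/status 200 auth=yes",
    "2019-06-01T10:00:03Z 192.0.2.7 POST /api/upgrade/manifest?name=..%252F..%252Ftmp%252Fx.manifest 200 auth=no",
    "2019-06-01T10:00:04Z 192.0.2.8 POST /api/upgrade/start 401 auth=no",
]

if __name__ == "__main__":
    for n, label, src in scan(SAMPLE_LOG):
        print(f"line {n}: {label} from {src}")
```

The third sample line is the case a raw-URI substring rule misses: the traversal only becomes visible after two rounds of decoding. Because the page's workaround restricts the API rather than removing it, alerts on `unauthenticated_upgrade_api_call` from outside the allow-list remain useful even after the workaround is in place, as evidence that the restriction is holding.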