CVE-2020-11857
📋 TL;DR
CVE-2020-11857 is an authorization bypass vulnerability in Micro Focus Operations Bridge Reporter (OBR) that allows remote attackers to access the OBR host as a non-admin user by exploiting default credentials. This affects OBR version 10.40 and earlier. Attackers can gain unauthorized access to sensitive system information and potentially escalate privileges.
💻 Affected Systems
- Micro Focus Operations Bridge Reporter
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to access all OBR data, modify configurations, install malware, and pivot to other systems in the network.
Likely Case
Unauthorized access to sensitive monitoring data, configuration files, and potential privilege escalation to administrative control of the OBR system.
If Mitigated
Limited access to non-critical information if proper network segmentation and access controls are implemented.
🎯 Exploit Status
Exploitation requires only knowledge of default credentials and network access to the OBR system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.41 or later
Vendor Advisory: https://softwaresupport.softwaregrp.com/doc/KM03710590
Restart Required: Yes
Instructions:
1. Upgrade to OBR version 10.41 or later.
2. Follow vendor instructions for installation.
3. Restart the OBR service.
4. Verify the fix by checking version and attempting to use default credentials.
🔧 Temporary Workarounds
Change Default Credentials
Immediately change the default password for the 'shrboadmin' account to a strong, unique password.
Use the OBR administrative interface to change the 'shrboadmin' password.
Network Access Restriction
Restrict network access to OBR systems to only authorized management networks.
Configure firewall rules to limit access to OBR ports (typically 8080, 8443).
🧯 If You Can't Patch
- Immediately change all default credentials, especially for 'shrboadmin' account
- Implement strict network segmentation and firewall rules to limit access to OBR systems
🔍 How to Verify
Check if Vulnerable:
Attempt to authenticate to OBR using default credentials (username: shrboadmin, password: shrboadmin) via web interface or API.
Check Version:
Check OBR web interface login page or administrative console for version information.
Verify Fix Applied:
Verify OBR version is 10.41 or later and default credentials no longer work. Test authentication with changed credentials.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login with 'shrboadmin' account
- Authentication events from unexpected IP addresses
Network Indicators:
- Unusual traffic patterns to OBR web ports (8080, 8443) from unauthorized sources
SIEM Query:
source="OBR" AND user="shrboadmin" AND (event_type="authentication" OR event_type="configuration_change")
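The log indicators above, written out as detection logic. This is an added example, not code from the vendor or from the original page. The event fields `time`, `src_ip` and `outcome`, the sample events, the management network and the thresholds are constructed assumptions; map them to whatever your OBR log source actually emits.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACCOUNT = "shrboadmin"  # default account named in the advisory

# Constructed sample events; field names other than event_type/user are assumptions.
SAMPLE_EVENTS = [
    {"time": "2021-05-01T10:00:00", "event_type": "authentication", "user": "shrboadmin", "src_ip": "10.0.5.20", "outcome": "failure"},
    {"time": "2021-05-01T10:00:05", "event_type": "authentication", "user": "shrboadmin", "src_ip": "10.0.5.20", "outcome": "failure"},
    {"time": "2021-05-01T10:00:09", "event_type": "authentication", "user": "shrboadmin", "src_ip": "10.0.5.20", "outcome": "failure"},
    {"time": "2021-05-01T10:00:15", "event_type": "authentication", "user": "shrboadmin", "src_ip": "10.0.5.20", "outcome": "success"},
    {"time": "2021-05-01T11:30:00", "event_type": "authentication", "user": "shrboadmin", "src_ip": "192.0.2.44", "outcome": "success"},
    {"time": "2021-05-01T11:31:00", "event_type": "configuration_change", "user": "shrboadmin", "src_ip": "192.0.2.44", "outcome": "success"},
    {"time": "2021-05-01T12:00:00", "event_type": "authentication", "user": "admin", "src_ip": "10.0.5.21", "outcome": "success"},
]

def detect_shrboadmin_activity(events, mgmt_networks, threshold=3,
                               window=timedelta(minutes=10)):
    """Return (alert_type, src_ip, time) tuples for the account's risky events."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"] != ACCOUNT:
            continue
        if ev["event_type"] == "configuration_change":
            alerts.append(("config_change", ev["src_ip"], ev["time"]))
            continue
        if ev["event_type"] != "authentication":
            continue
        ts = datetime.fromisoformat(ev["time"])
        # Indicator: authentication from outside the authorized management networks.
        if not any(ipaddress.ip_address(ev["src_ip"]) in n for n in nets):
            alerts.append(("unexpected_source", ev["src_ip"], ev["time"]))
        recent = failures[ev["src_ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures older than the window
        if ev["outcome"] == "failure":
            recent.append(ts)
            continue
        # Indicator: repeated failures followed by a successful login.
        if len(recent) >= threshold:
            alerts.append(("fail_then_success", ev["src_ip"], ev["time"]))
        recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_shrboadmin_activity(SAMPLE_EVENTS, ["10.0.5.0/24"]):
        print(alert)
```
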
🔗 References
- http://packetstormsecurity.com/files/162407/Micro-Focus-Operations-Bridge-Reporter-shrboadmin-Default-Password.html
- https://softwaresupport.softwaregrp.com/doc/KM03710590
- https://www.zerodayinitiative.com/advisories/ZDI-20-1215/