CVE-2020-7156
📋 TL;DR
This CVE describes a remote code execution vulnerability in HPE Intelligent Management Center (iMC) where an attacker can inject malicious expression language content through the faultinfo_content parameter. Attackers can execute arbitrary code on affected systems with high privileges. Organizations running iMC PLAT versions prior to 7.3 (E0705P07) are affected.
💻 Affected Systems
- HPE Intelligent Management Center (iMC)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with SYSTEM/root privileges, install malware, exfiltrate sensitive data, and pivot to other network systems.
Likely Case
Attackers gain remote code execution on the iMC server, potentially compromising network management credentials, manipulating network configurations, and establishing persistence.
If Mitigated
With proper network segmentation and access controls, impact limited to the iMC management system itself without lateral movement to production systems.
🎯 Exploit Status
Expression language injection vulnerabilities typically have low exploitation complexity. While no public PoC exists, the vulnerability type suggests weaponization is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: iMC PLAT 7.3 (E0705P07) or later
Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04036en_us
Restart Required: Yes
Instructions:
1. Download iMC PLAT 7.3 (E0705P07) or later from the HPE support portal.
2. Back up the current iMC configuration and database.
3. Stop all iMC services.
4. Apply the patch/upgrade following HPE documentation.
5. Restart iMC services and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the iMC management interface to trusted IP addresses only
# Use firewall rules to restrict access (example only: replace 8080 with your iMC web port and trusted_ip_range with your administrator address range)
iptables -A INPUT -p tcp --dport 8080 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
🧯 If You Can't Patch
- Isolate iMC server in a dedicated management VLAN with strict firewall rules limiting access to authorized administrators only
- Implement web application firewall (WAF) rules to block expression language injection patterns and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the iMC version via the web interface (Help → About) or from the command line:
- On Windows: check the version files in the iMC installation directory.
- On Linux: check /opt/iMC/version or a similar installation path.
Check Version:
Windows: type "%IMC_HOME%\client\web\apps\imc\WEB-INF\classes\version.properties" | findstr version
Linux: cat /opt/iMC/client/web/apps/imc/WEB-INF/classes/version.properties | grep version
Verify Fix Applied:
Verify version is iMC PLAT 7.3 (E0705P07) or later. Test that faultinfo_content parameter properly sanitizes input.
📡 Detection & Monitoring
Log Indicators:
- Unusual expression language patterns in iMC logs
- Unexpected process execution from iMC service account
- Failed authentication attempts followed by successful exploitation
Network Indicators:
- HTTP requests containing expression language injection patterns to iMC endpoints
- Outbound connections from iMC server to unexpected destinations
SIEM Query:
source="iMC_logs" AND ("faultinfo_content" OR "expression language" OR "${}") AND status=200
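As an added example that is not part of the original advisory or any HPE tooling, the following Python script applies the detection idea above to web-server access logs: it decodes the faultinfo_content query parameter (twice, to catch double URL-encoding) and flags values containing the ${ or #{ expression-language markers. The log lines are constructed samples in combined-log style, and the request path /imc/EXAMPLE_ENDPOINT is a placeholder, not a real iMC URL.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# EL markers to look for once the parameter value has been decoded.
EL_PATTERN = re.compile(r"[$#]\{")

# Constructed sample access-log lines (not real iMC logs); the path is a placeholder.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Jan/2020:10:01:02 +0000] "GET /imc/EXAMPLE_ENDPOINT?faultinfo_content=link%20down HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2020:10:05:44 +0000] "GET /imc/EXAMPLE_ENDPOINT?faultinfo_content=%24%7Bexample%7D HTTP/1.1" 200 610',
    '10.0.0.9 - - [12/Jan/2020:10:06:10 +0000] "POST /imc/EXAMPLE_ENDPOINT?faultinfo_content=%2523%257Bexample%257D HTTP/1.1" 200 610',
    '10.0.0.7 - - [12/Jan/2020:10:07:00 +0000] "GET /imc/login HTTP/1.1" 200 300',
]

# Minimal combined-log parser: source IP, timestamp, method, URL and HTTP status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) '
)


def decoded_param_values(url, name):
    """Return every value of query parameter `name`, URL-decoded twice.

    parse_qs performs the first decode; the second unquote() exposes values that
    were encoded twice (e.g. %2524%257B) to evade a single-decode filter.
    """
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [])
    return [unquote(v) for v in values]


def scan_log(lines):
    """Flag requests whose faultinfo_content value carries an EL marker.

    Only query-string submissions are visible in access logs; a value sent in a
    POST body is not logged here and needs WAF or application-level logging.
    The HTTP status is reported so a 200 can be prioritised over a 4xx/5xx.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in decoded_param_values(m["url"], "faultinfo_content"):
            if EL_PATTERN.search(value):
                hits.append({"src": m["src"], "method": m["method"],
                             "status": int(m["status"]), "value": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOGS):
        print(f"{hit['src']} {hit['method']} status={hit['status']} faultinfo_content={hit['value']!r}")
```

Point the script at real access logs by replacing SAMPLE_LOGS with the file's lines; legitimate fault descriptions should never contain these markers, so every hit deserves a look.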