Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different ORBs interfaces, which can be queried using the GIOP protocol on TCP port 30024. An attacker can bypass authentication, and OmniVista invokes methods (AddJobSet, AddJob, and ExecuteNow) that can be used to run arbitrary commands on the server, with the privilege of NT AUTHORITY\SYSTEM on the server. NOTE: The discoverer states "The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients to connect to the OmniVista server."
References
Link | Resource |
---|---|
http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html | Exploit Third Party Advisory |
http://www.securityfocus.com/bid/94649 | |
https://github.com/malerisch/omnivista-8770-unauth-rce | Third Party Advisory |
https://www.exploit-db.com/exploits/40862/ | |
https://www.youtube.com/watch?v=aq37lQKa9sk | Exploit |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2016-12-03T06:28:00
Updated: 2017-09-02T09:57:01
Reserved: 2016-12-02T00:00:00
Link: CVE-2016-9796
JSON object: View
NVD Information
Status : Modified
Published: 2016-12-03T06:59:00.167
Modified: 2017-09-03T01:29:15.517
Link: CVE-2016-9796
JSON object: View
Redhat Information
No data.