Vulnerability Details : CVE-2016-9796
Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different ORBs interfaces, which can be queried using the GIOP protocol on TCP port 30024. An attacker can bypass authentication, and OmniVista invokes methods (AddJobSet, AddJob, and ExecuteNow) that can be used to run arbitrary commands on the server, with the privilege of NT AUTHORITY\SYSTEM on the server. NOTE: The discoverer states "The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients to connect to the OmniVista server."
Vulnerability category: BypassGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2016-9796
Probability of exploitation activity in the next 30 days: 7.37%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2016-9796
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2016-9796
-
Assigned by: nvd@nist.gov (Primary)
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-9796
-
http://www.securityfocus.com/bid/94649
Alcatel-Lucent OmniVista 8770 CVE-2016-9796 Remote Code Execution Vulnerability
-
http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html
Alcatel Lucent Omnivista or: How I learned GIOP and gained Unauthenticated Remote Code Execution (CVE-2016-9796)Exploit;Third Party Advisory
-
https://www.youtube.com/watch?v=aq37lQKa9sk
Alcatel Lucent Omnivista 8770 Unauthenticated Remote Code Execution - YouTubeExploit
-
https://github.com/malerisch/omnivista-8770-unauth-rce
GitHub - malerisch/omnivista-8770-unauth-rce: Omnivista 8770 Unauthenticated Remote Code Execution - PoCThird Party Advisory
-
https://www.exploit-db.com/exploits/40862/
Alcatel Lucent Omnivista 8770 - Remote Code Execution
Products affected by CVE-2016-9796
- cpe:2.3:a:alcatel-lucent:omnivista_8770_network_management_system:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:alcatel-lucent:omnivista_8770_network_management_system:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:alcatel-lucent:omnivista_8770_network_management_system:2.6:*:*:*:*:*:*:*