Hewlett Packard Enterprise has released a patch to fix a critical remote code execution vulnerability in the Windows version of its Systems Insight Manager.
The bug (CVE-2020-7200) in the Federated Search and CMS Configuration feature of HPE SIM version 7.6.x has a critical CVSS score of 9.8. According to HPE's security advisory, customers should apply the patch or mitigations ‘as soon as possible’.
By specially crafting an AMF protocol message, the bug in the deserialization code can be leveraged to execute arbitrary code in the context of SYSTEM on the Windows server.
This type of attack, deserialization of untrusted data, occurs when code that processes incoming data makes incorrect assumptions about its format, assuming it to be well-formed rather than validating the input and coding defensively.
Users of the HPE SIM product who are not able to immediately apply the patch, can mitigate the vulnerability by disabling the Federated Search feature according to instructions supplied by HPE.
By leveraging this class of vulnerability, an attacker could perform a Return-Oriented Programming attack against the system in order to execute code, or a billion-laughs attack to crash the server, resulting in a denial of service.
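To make the defensive point above concrete (both the "assumes the input is well-formed" failure and the nesting-based denial of service), here is an added Python example. It is not code from HPE, the advisory or HPE SIM; the real Federated Search feature speaks AMF, whereas this example uses JSON so that it runs self-contained. It contrasts a handler that trusts the shape of its input with one that checks size, nesting depth, field set, types and value ranges at the trust boundary before any business logic runs. All limits, field names, host names and sample messages are constructed for illustration.

```python
import json
from typing import Any, List, Optional

# Illustrative limits (assumed values for this example, not taken from HPE's advisory).
MAX_MESSAGE_BYTES = 64 * 1024
MAX_NESTING_DEPTH = 8
MAX_LIMIT = 500
MAX_QUERY_LEN = 256
ALLOWED_SCOPES = {"local", "federated"}
EXPECTED_FIELDS = {"scope": str, "query": str, "limit": int}

# Constructed sample messages (hypothetical search requests, not real HPE SIM traffic).
GOOD_REQUEST = b'{"scope": "federated", "query": "ilo firmware", "limit": 2}'
WRONG_TYPE = b'{"scope": "federated", "query": "ilo firmware", "limit": "2"}'
MISSING_FIELD = b'{"scope": "local", "query": "ilo firmware"}'
DEEP_NESTING = (b'{"scope": "local", "query": "x", "limit": 1, "tree": '
                + b"[" * 20 + b"]" * 20 + b"}")

# Constructed inventory that the search handlers operate on.
LOCAL_HOSTS = ["host-a", "host-b", "host-c"]
REMOTE_HOSTS = ["remote-1", "remote-2"]


class InvalidMessage(ValueError):
    """Raised when an incoming message fails validation."""


def naive_handle(raw: bytes) -> List[str]:
    """Anti-pattern: trusts that the payload has the expected shape.

    A missing field raises KeyError and a wrong type raises TypeError deep
    inside the business logic, i.e. the handler crashes instead of rejecting
    the message at the boundary.
    """
    msg = json.loads(raw)
    hosts = list(LOCAL_HOSTS)
    if msg["scope"] == "federated":
        hosts += REMOTE_HOSTS
    return hosts[: msg["limit"]]


def _exceeds_depth(obj: Any, limit: int) -> bool:
    """Iteratively walk nested containers and stop as soon as `limit` is exceeded,
    so pathological nesting cannot exhaust the Python stack in this check."""
    stack = [(obj, 0)]
    while stack:
        node, level = stack.pop()
        if level > limit:
            return True
        if isinstance(node, dict):
            stack.extend((v, level + 1) for v in node.values())
        elif isinstance(node, list):
            stack.extend((v, level + 1) for v in node)
    return False


def parse_search_request(raw: bytes) -> dict:
    """Validate an untrusted message and return it only if it matches the schema exactly."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise InvalidMessage("message exceeds %d bytes" % MAX_MESSAGE_BYTES)
    try:
        # json.loads raises RecursionError on extremely deep input; treat that as malformed too.
        msg = json.loads(raw)
    except (ValueError, RecursionError) as exc:
        raise InvalidMessage("malformed JSON: %s" % exc) from None
    if not isinstance(msg, dict):
        raise InvalidMessage("top-level value must be an object")
    if _exceeds_depth(msg, MAX_NESTING_DEPTH):
        raise InvalidMessage("nesting deeper than %d levels" % MAX_NESTING_DEPTH)
    unknown = set(msg) - set(EXPECTED_FIELDS)
    if unknown:
        raise InvalidMessage("unexpected fields: %s" % sorted(unknown))
    for name, typ in EXPECTED_FIELDS.items():
        if name not in msg:
            raise InvalidMessage("missing field: %s" % name)
        # bool is a subclass of int, so reject it explicitly for integer fields.
        if not isinstance(msg[name], typ) or isinstance(msg[name], bool):
            raise InvalidMessage("field %r must be %s" % (name, typ.__name__))
    if msg["scope"] not in ALLOWED_SCOPES:
        raise InvalidMessage("scope must be one of %s" % sorted(ALLOWED_SCOPES))
    if not 1 <= len(msg["query"]) <= MAX_QUERY_LEN:
        raise InvalidMessage("query length out of range")
    if not 1 <= msg["limit"] <= MAX_LIMIT:
        raise InvalidMessage("limit out of range")
    return msg


def safe_handle(raw: bytes) -> List[str]:
    """Same business logic as naive_handle, but only ever sees validated input."""
    msg = parse_search_request(raw)
    hosts = list(LOCAL_HOSTS)
    if msg["scope"] == "federated":
        hosts += REMOTE_HOSTS
    return hosts[: msg["limit"]]


def rejection_reason(raw: bytes) -> Optional[str]:
    """Return why a message was rejected (useful for logging and alerting), or None if valid."""
    try:
        parse_search_request(raw)
    except InvalidMessage as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for label, raw in [("good", GOOD_REQUEST), ("wrong type", WRONG_TYPE),
                       ("missing field", MISSING_FIELD), ("deep nesting", DEEP_NESTING)]:
        print("%-14s -> %s" % (label, rejection_reason(raw) or safe_handle(raw)))
```

The two handlers share their business logic; the only difference is that `safe_handle` refuses anything it did not explicitly expect (unknown fields, wrong types, out-of-range values, excessive nesting) and surfaces a reason that can be logged, whereas `naive_handle` surfaces malformed input as an unhandled exception somewhere inside the application.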
You can assess your in-house developed systems to see if they are vulnerable to ‘deserialization of untrusted data’ and similar attacks with a Web Application Penetration test.