CVE-2016-8511
Description
HPE Network Automation versions 9.1x-10.20 allow RCE via the RPCServlet through Java deserialization of malicious objects, exploitable with user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The RPCServlet (com.rendition.web.servlets.RpcServlet.class) in HPE Network Automation versions 9.1x, 9.2x, 10.00, 10.00.01, 10.00.02, 10.10, 10.11, 10.11.01, and 10.20 deserializes caller-supplied Java objects and lets an unauthenticated remote caller invoke arbitrary static methods [1]. The servlet is reached via HTTP GET or POST to the /call endpoint on the admin server [1]. Which source addresses it accepts is governed by the rpc/allowed_ips access control list; that list is not defined by default, and in that case only localhost (127.0.0.1 and ::1) is permitted [1]. This localhost restriction is why the flaw is exploitable only with user interaction rather than directly over the network; a deployment that has added addresses to rpc/allowed_ips exposes the servlet to those hosts directly.
Exploitation
Because the servlet accepts only local requests by default, the attacker must first get a user on a host where HP Network Automation is installed to visit a malicious web page or open a crafted link [1]. The victim's browser then issues the crafted request to the local RPCServlet on the attacker's behalf (a cross-site request made from the server itself), so the attacker never connects to the servlet directly [1]. The request carries a serialized object built from a gadget chain in a library present on the product's classpath, such as Apache Commons Collections or Commons BeanUtils, which on deserialization ends in Runtime.getRuntime().exec() and runs the attacker's command [1]. No authentication is required; the only precondition is the user interaction (e.g., clicking a link).
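The deserialization sink described above, shown as an added illustration (this is not HPE Network Automation code and not taken from the advisory): an unfiltered ObjectInputStream.readObject() runs whatever readObject logic the incoming class carries, while a JEP 290 ObjectInputFilter allowlist rejects any class the RPC layer does not expect before it is instantiated. The SideEffect class stands in for a real gadget (it sets a flag where Commons Collections would reach Runtime.exec), and the allowlisted types are an assumption for the demo.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

/*
 * Added illustration only: the unsafe readObject() pattern behind Java-deserialization RCE,
 * beside a JEP 290 allowlist filter (JDK 9+). Nothing here reproduces RpcServlet's real code;
 * the allowlisted types and the SideEffect "gadget" are assumptions for the demo.
 */
public class DeserDemo {

    // Unsafe: any Serializable class on the classpath with side effects in readObject(),
    // hashCode() or similar is reachable by whoever controls the bytes.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened: allow only the concrete types the RPC layer legitimately exchanges and
    // reject everything else ("!*"). The filter runs on class resolution, before any
    // readObject() of the rejected class can execute.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
                "java.lang.String;java.lang.Integer;java.util.HashMap;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allow);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Stand-in for a gadget class: does something the moment it is deserialized.
    static class SideEffect implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true;   // a real gadget chain reaches Runtime.getRuntime().exec() here
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one benign map, one "gadget".
        byte[] benign = serialize(new HashMap<>(Map.of("k", 1)));
        byte[] hostile = serialize(new SideEffect());

        readUnfiltered(hostile);
        System.out.println("unfiltered: gadget ran = " + SideEffect.triggered);   // true

        SideEffect.triggered = false;
        System.out.println("filtered benign: " + readFiltered(benign));            // {k=1}
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            // Rejected on class resolution; SideEffect.readObject never executed.
            System.out.println("filtered hostile: " + e.getMessage()
                    + ", gadget ran = " + SideEffect.triggered);                   // false
        }
    }
}
```

The filter is a developer-side control: it is what a fixed product would apply at the sink, and it is the check to look for when assessing any other Java RPC endpoint that reads serialized objects from a request body. Operators of the affected HPNA versions cannot add it themselves and should rely on the vendor fix and the access restrictions below.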
Impact
Successful exploitation results in arbitrary code execution in the context of the user running the HP Network Automation service [1]. This can lead to full compromise of the host, including data exfiltration, installation of malware, or lateral movement within the network.
Mitigation
HPE released fixed versions 10.00.021, 10.11.011, and 10.20.001 to address the vulnerability [1]; upgrade to the patched release for your branch. If immediate patching is not possible, verify that rpc/allowed_ips has not been widened beyond its localhost-only default, restrict access to the /call endpoint with network-level controls so that no non-local source can reach it, and do not browse untrusted websites or open untrusted links from a session on the host running the vulnerable software, since a browser on that host is the path to the servlet [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20
- Hewlett Packard Enterprise / Network Automation. Range: v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.securityfocus.com/bid/94610 (BID 94610)
- support.hpe.com/hpsc/doc/public/display (HPE security bulletin, vendor confirmation)
- www.tenable.com/security/research/tra-2016-39 (Tenable Research Advisory TRA-2016-39)
News mentions
No linked articles in our index yet.