Advisory

Researchers report critical flaw in Insight Cluster Management Utility

Take action: If you are running HPE Insight Cluster Management Utility (and HPE clusters), be aware that the tool is vulnerable, won't be patched, and can easily be weaponized. Isolate port 1099 (Java RMI) and allow access only from trusted networks.


Learn More

A critical vulnerability has been discovered in HPE Insight Cluster Management Utility (CMU) v8.2 that allows unauthenticated remote code execution on the backend systems.

The vulnerability is tracked as CVE-2024-13804 (CVSS score 9.8). It exists in HPE Insight Cluster Management Utility (CMU), a tool designed for managing and monitoring high-performance computing (HPC) clusters. The flaw allows attackers to bypass authentication and execute arbitrary commands as the root user on the cluster's management node. This provides complete system access to the management node and potentially all nodes in the managed cluster.

The vulnerability was discovered by analyzing and modifying the CMU's Java client application. The Proof-of-Concept exploitation process involved:

  1. Downloading and decompiling the Java client application (JNLP file and JAR)
  2. Analyzing the authentication mechanism in the decompiled code
  3. Identifying client-side authorization checks that could be bypassed
  4. Modifying the Java files to override the isUserAdmin() function
  5. Implementing code to call the ExecuteCmdLine method of the RMI model
  6. Recompiling the application and removing digital signatures
  7. Executing the modified client to gain remote code execution

The modified client connects to the CMU server over port 1099 (Java RMI) and can execute commands on the backend without authentication.

HPE Insight Cluster Management Utility is End-of-Life and will not receive security updates to address this vulnerability. The software contains a design flaw that would require significant effort to fix.

For organizations still running CMU in their environment, the primary recommendation is to isolate it at the network level from the rest of the network to limit exposure to potential attacks.
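An added example (not part of the original advisory): once port 1099 is restricted, a check like the one below over firewall logs confirms that only trusted networks still reach it. The log lines are constructed and simplified from the netfilter LOG key=value layout, and the trusted networks and host name are assumptions to replace with your own.

```python
import ipaddress
import re
from collections import Counter

RMI_PORT = 1099  # Java RMI port named in the advisory

# Assumption: replace with the networks allowed to reach the management node.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "fd00:20::/64")]

# Constructed sample lines (simplified netfilter LOG layout), not real traffic.
SAMPLE_LOG = """\
Jan 10 09:14:02 cmu-mgmt kernel: IN=eth0 OUT= SRC=10.20.0.15 DST=10.20.0.2 PROTO=TCP SPT=50122 DPT=1099 SYN
Jan 10 09:15:40 cmu-mgmt kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.20.0.2 PROTO=TCP SPT=41800 DPT=1099 SYN
Jan 10 09:15:41 cmu-mgmt kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.20.0.2 PROTO=TCP SPT=41802 DPT=1099 SYN
Jan 10 09:16:03 cmu-mgmt kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.20.0.2 PROTO=TCP SPT=41900 DPT=22 SYN
Jan 10 09:17:30 cmu-mgmt kernel: IN=eth0 OUT= SRC=fd00:20::9 DST=fd00:20::2 PROTO=TCP SPT=40000 DPT=1099 SYN
Jan 10 09:18:11 cmu-mgmt kernel: IN=eth0 OUT= SRC=not-an-ip DST=10.20.0.2 PROTO=TCP DPT=1099 SYN
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value tokens; value may be empty

def is_trusted(addr):
    return any(addr.version == net.version and addr in net for net in TRUSTED_NETS)

def untrusted_rmi_sources(log_text, port=RMI_PORT):
    """Count TCP connections to `port` per source address outside TRUSTED_NETS."""
    hits, unparsed = Counter(), []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            unparsed.append(line)  # keep for manual review rather than dropping
            continue
        if not is_trusted(src):
            hits[str(src)] += 1
    return hits, unparsed

if __name__ == "__main__":
    hits, unparsed = untrusted_rmi_sources(SAMPLE_LOG)
    for src, count in hits.most_common():
        print(f"untrusted source {src}: {count} connection(s) to tcp/{RMI_PORT}")
    print(f"{len(unparsed)} line(s) with an unparseable source")
```

Any source this reports means the isolation rule is missing or incomplete for that path.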
