HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, ships with a backdoor database user account that undermines network security, a UK-based consultant has warned.
Nicky Bloor, founder of Cognitous Cyber Security, reports that an HP Inc programmer appears to have set up an insecure user account in a database within HP Device Manager (HPDM). He found that the account can be exploited to achieve privilege escalation and, combined with other flaws, to gain unauthorized remote command execution as SYSTEM.
This is bad: if you can reach a vulnerable installation of this device manager on a network, you can gain admin-level control over its machine and the thin clients it controls. HPDM typically runs on a Windows-powered server and directs multiple Windows clients.
Bloor told The Reg on Tuesday he had been looking into the security of HPDM and spotted a series of weaknesses he was able to exploit. The most concerning of these, he said, was a backdoor database user account, which he identified by analyzing a log file included with the software. It appears this log file details operations performed on the device manager's PostgreSQL database during the software's development, revealing the existence of the hidden user account.
“This was a privileged user account with a password consisting of a single space character,” Bloor said. “The only reference to the user account was in a database log file included with the HP Device Manager software where log entries can be seen dating before I even installed the software.”
Bloor told us the log entries show a failed attempt to authenticate as the database user account used by HPDM. This is followed by a log entry associated with a new user account and what appears to be the HP programmer trying to restrict the backdoor user account from being used to create other new accounts, he said, as if the developer were trying to limit the security consequences of accessing the backdoor account.
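The sequence Bloor describes (a failed login, then a role created and then restricted) is exactly the kind of event a defender can pick out of a PostgreSQL server log. The script below is an added example, not code from the article, from Bloor, or from HP. It assumes the default PostgreSQL log line prefix (timestamp, pid, severity) and a server configured with `log_statement = 'ddl'`, and it scans constructed sample lines; `hpdm_app` is a placeholder for whatever application role HPDM normally authenticates as, and the 12-character minimum is an assumed local policy. It also illustrates a caveat practitioners should know: when DDL is logged, any password literal in `CREATE ROLE`/`ALTER ROLE` lands in the log in plaintext, which is how an account like this becomes discoverable.

```python
"""Added example: review a PostgreSQL server log for role-management events.

Not code from the article, Nicky Bloor, or HP. Assumes the default log line
prefix and log_statement = 'ddl'; sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample log lines for this example. "hpdm_app" is a placeholder
# for the application role HPDM normally logs in as (the article does not name it).
SAMPLE_LOG = """\
2020-07-01 10:15:02.101 UTC [4120] FATAL:  password authentication failed for user "hpdm_app"
2020-07-01 10:15:40.553 UTC [4131] LOG:  statement: CREATE ROLE dm_postgres WITH LOGIN SUPERUSER PASSWORD ' '
2020-07-01 10:16:05.220 UTC [4131] LOG:  statement: ALTER ROLE dm_postgres WITH NOCREATEROLE
2020-07-01 10:20:00.000 UTC [4140] LOG:  statement: SELECT 1
"""

# Default-style line prefix: "<timestamp> <tz> [<pid>] <SEVERITY>:  <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \w+ \[\d+\] "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
FAILED_AUTH_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
ROLE_DDL_RE = re.compile(r"statement:\s+(?P<verb>CREATE|ALTER) ROLE (?P<role>\S+)(?P<rest>.*)", re.I)
PASSWORD_RE = re.compile(r"PASSWORD\s+'(?P<pw>[^']*)'", re.I)
PRIV_FLAGS = ("SUPERUSER", "CREATEROLE", "CREATEDB", "REPLICATION")
MIN_PASSWORD_LEN = 12  # assumed local policy, not anything HP publishes


@dataclass
class Finding:
    line_no: int
    kind: str
    role: str
    detail: str


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def scan_postgres_log(text: str, window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Return findings for failed logins, role DDL, privilege grants, logged
    password literals, and a CREATE ROLE that follows a failed login within `window`."""
    findings: List[Finding] = []
    last_failed: Optional[Tuple[datetime, str]] = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # multi-line statements, stray text: not handled here
        when, msg = _ts(m["ts"]), m["msg"]

        failed = FAILED_AUTH_RE.search(msg)
        if failed:
            last_failed = (when, failed["user"])
            findings.append(Finding(line_no, "failed_auth", failed["user"], "password authentication failed"))
            continue

        ddl = ROLE_DDL_RE.search(msg)
        if not ddl:
            continue
        verb, role, rest = ddl["verb"].upper(), ddl["role"], ddl["rest"]
        findings.append(Finding(line_no, f"{verb.lower()}_role", role, rest.strip()))

        # \b keeps NOSUPERUSER / NOCREATEROLE from matching the positive flag.
        granted = [flag for flag in PRIV_FLAGS if re.search(rf"\b{flag}\b", rest, re.I)]
        if granted:
            findings.append(Finding(line_no, "privileged_role", role, "grants " + ", ".join(granted)))

        pw = PASSWORD_RE.search(rest)
        if pw:
            secret = pw["pw"]
            if secret.strip() == "" or len(secret) < MIN_PASSWORD_LEN:
                findings.append(Finding(line_no, "weak_password_literal", role,
                                        f"{len(secret)}-char password literal in logged DDL"))
            else:
                findings.append(Finding(line_no, "password_in_log", role,
                                        "plaintext password literal written to log"))

        if verb == "CREATE" and last_failed and when - last_failed[0] <= window:
            gap = (when - last_failed[0]).seconds
            findings.append(Finding(line_no, "create_after_failed_auth", role,
                                    f"{gap}s after failed login as {last_failed[1]}"))
    return findings


if __name__ == "__main__":
    for f in scan_postgres_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:26} role={f.role:12} {f.detail}")
```

Run against a real log, the `weak_password_literal` and `create_after_failed_auth` findings are the ones to triage first; `password_in_log` on its own is a reminder to rotate that credential and to prefer pre-hashed (`ENCRYPTED`) passwords or `\password` in psql so the literal never reaches the log.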
“Anyone with access to a server where HP Device Manager is installed could use this user account to gain full control over the server,” said Bloor, noting that this would qualify as local privilege escalation.
“However, I managed to find additional vulnerabilities in HP Device Manager's default configuration that mean the vulnerability can be exploited remotely so that anyone who can connect to a server that is running HPDM can gain full control of that server,” he said. “From there, HPDM provides full administrative control over the HP thin clients in the environment.”
Bloor said this vulnerability is present in current versions of the HPDM software, and he is unsure which earlier versions of the software may be affected.
He added that he contacted HP on August 3, 2020, to disclose details about the vulnerabilities, and asked the IT giant to confirm it understood the implications of the flaw, to propose how it intended to resolve the issue, and to provide a reasonable timeframe to implement the fix.
HP was unresponsive, he said, until he explained that he planned to publish details in 30 days if the corporation continued to stonewall. At that point, he said, HP replied to say the industry standard for coordinated disclosure of vulnerabilities is 90 days and to ask for that much time to produce a fix, without answering any of Bloor's questions.
That was on August 19, 2020. At that point, Bloor said, HP hadn't confirmed it had reviewed and understood the vulnerability reports, and hadn't proposed any mitigation nor resolution timeline.
Bloor was not inclined to just wait around for HP. “I'm paid to help people secure their IT environments and applications, but I also don't have the time to waste chasing HP and hoping that someday in '90+ days' they might produce a patch that will help me to secure my clients' environments,” he said. “The fix for the most severe part of the issue is trivial so 90+ days is a joke.”
To underscore how easy the issue is to fix, he described the process in a series of tweets.
PSA: Do you or your clients use HP thin clients and manage them with HP Device Manager? I strongly advise you, firstly, to log on to all servers running HP Device Manager and set a strong password for the “dm_postgres” user of the “hpdmdb” Postgres database on TCP port 40006 1/4
— Nicky Bloor (@nickstadb) September 29, 2020
In an email to The Register on Tuesday night, HP acknowledged the security blunder – assigning it several vulnerability IDs: CVE-2020-6925 (weak cipher), CVE-2020-6926 (remote method invocation), and CVE-2020-6927 (elevation of privilege) – and said it has now published an advisory to alert customers. That CVE-2020-6926 bug is a 9.9 out of 10 in terms of CVSS severity, by the way.
Sysadmins are urged to update to HP Device Manager 5.0.4, or HP Device Manager 4.7 Service Pack 13 when it's available, to address the vulnerabilities.
All versions of HP Device Manager are affected by the weak cipher and remote invocation holes, and 5.0.0 to 5.0.3 suffer from the privilege-escalation flaw. ®