<<< Date Index >>>     <<< Thread Index >>>

[SRC-Telindus advisory] - HP System Management Homepage Remote Unauthorized Access



HP System Management Homepage Remote Unauthorized Access
--------------------------------------------------------

[Vulnerability]: Remote Authentication Bypass
[Product]:  CompaqHTTPServer/9.9 HP System Management Homepage 2.1.3.132
and above
[Platform]: Microsoft® Windows® - Linux operating systems (IA32 and
Itanium Processor Family) - Tru64 UNIX v5.1A  and above (according to HP)
[Reference(s)]: http://src.telindus.com/articles/hpsm_vulnerability.html
[Date]: Feb 20 2006
[Date of report to vendor]:  Dec 12 2005

--------------------------------------------------------

[Vulnerability summary]: The HP System Management Homepage is a
web-based interface that consolidates and simplifies the management of
individual ProLiant and Integrity servers running Microsoft Windows or
Linux operating systems. By aggregating data from HP Insight Management
Agents and other management tools, the System Management Homepage
provides a secure and intuitive interface to review in-depth hardware
configuration and status data, performance metrics, system thresholds
and software version control information. The System Management Homepage
can also be used to access the HP Lights-Out Management processor on
ProLiant and Integrity servers. (http://h18004.www1.hp.com/products/servers/management/agents/).
Access to HP System Management Homepage requires credentials posting ;
with the trust mode settled to "Trust All" configuration, this
authentication can be bypassed by sending a crafted URL. Therefore, a
potential aggressor can manage vulnerable host (modification of hardware
configuration, of tasks, of allowed IP range, shutdown, etc. and many
actions from there such as surrounding network attacks).

[Vulnerability impact]: Remote administration throught web management
interface (modification of hardware configuration, of tasks, of allowed
IP range, shutdown, etc., and many actions from there such as
surrounding network attacks)

----------------------------------------------------------------------

[Vendor fix]:  None

[Vendor response]: [..] Set the Trust level to "Trust by Certificates". This way only SIM servers with the appropriate level of access can do any access with STE or SSO. This will not prevent an administrator from logging into the SMH either remotely or locally. The SMH and SIM documentation have more information on Trust Levels. The SMH Security setup selection for trusts indicates that the only recommended and truly secure trust level is by certificates. http://www.hp.com/wwsolutions/misc/hpsim-helpfiles/mxhelp/mxportal/en/admin_security_about_secureTaskExecution.html#N1004B
(STE definition)

----------------------------------------------------------------------

[Reported by]: TELINDUS SRC (Grégoire DE BACKER)