The fix addresses a critical 0-click flaw in the company’s server management software (SMS) that allowed attackers to execute code remotely.
Hewlett Packard Enterprise (HPE) has fixed a critical flaw in its systems management software, HPE Systems Insight Manager (SIM), which the company first disclosed in December. The issue could allow an attacker to perform a remote code execution (RCE) attack without requiring any user interaction.
HPE SIM is a remote support tool that enables the management and automation of various HPE servers, such as the ProLiant Gen10 and HPE ProLiant Gen9.
Last Thursday, following the release of a SIM hotfix update kit over a month ago, the company updated its security advisory to say it had finally addressed a flaw in its SIM management software, tracked as CVE-2020-7200 (ref: ZDI-CAN-11847).
The company warned, “the information in this Security Bulletin should be acted upon as soon as possible.”
The serious issue, with a CVSS score of 9.8 out of a maximum of 10, could allow an attacker to remotely execute code without requiring any privileges or user interaction. It impacts the latest versions (7.6.x) of HPE’s SIM software on Windows.
To launch an attack, a threat actor can abuse HPE SIM’s hpsimsvc.exe process. The issue is a lack of validation during the deserialization of data submitted in a POST request to the /simsearch/messagebroker/amfsecure page.
A published exploit module abuses the copy of Commons Collection that ships with SIM to gain remote code execution as the administrative user:
“This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain remote code execution as the administrative user running HPE SIM,” as the Packet Storm security team explained.
User-supplied data is often not validated properly, which can lead to the exploitation of vulnerable SIM software.
The provided patch must be deployed as soon as possible.
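While the hotfix is being rolled out, web logs can be checked for POST requests to the endpoint named above. The following is an added example, not code from HPE or from the original article; it assumes a reverse proxy in front of SIM that writes Common Log Format, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from posixpath import normpath
from urllib.parse import unquote

# Endpoint named in the article above.
TARGET = "/simsearch/messagebroker/amfsecure"

# Assumption: Common/Combined Log Format written by a proxy in front of SIM.
LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def canonical_path(uri: str) -> str:
    """Reduce a request URI to a comparable path: drop the query string,
    percent-decode, resolve ./.. and duplicate slashes, then lowercase.
    Lowercasing deliberately over-matches so case variants are not missed."""
    path = unquote(uri.split("?", 1)[0].split("#", 1)[0])
    return normpath("/" + path.lstrip("/")).lower()

def find_amf_posts(lines):
    """Return (hits, per_source) for POST requests to the AMF endpoint."""
    hits, per_source = [], Counter()
    for raw in lines:
        m = LINE.match(raw)
        if not m or m["method"] != "POST":
            continue
        if canonical_path(m["uri"]) == TARGET:
            hits.append((m["ts"], m["src"], m["status"], m["size"]))
            per_source[m["src"]] += 1
    return hits, per_source

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [10/Feb/2021:09:14:02 +0000] "POST /simsearch/messagebroker/amfsecure HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Feb/2021:09:14:05 +0000] "POST /simsearch//messagebroker/%61mfsecure?x=1 HTTP/1.1" 500 0',
    '192.0.2.10 - - [10/Feb/2021:09:15:00 +0000] "GET /simsearch/messagebroker/amfsecure HTTP/1.1" 405 0',
    '192.0.2.10 - - [10/Feb/2021:09:16:00 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    hits, per_source = find_amf_posts(SAMPLE)
    for ts, src, status, size in hits:
        print(f"{ts} {src} status={status} bytes={size}")
    print(dict(per_source))
```

Any hit from a source that is not a known SIM management client is worth triaging against the patch status of the targeted host.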