Hewlett Packard Releases Patch For Critical Flaw in Its HPE Servers

The patch fixes a critical 0-click flaw in the company’s server management software (SMS) that allowed attackers to remotely execute code.

Hewlett Packard Enterprise (HPE) has fixed a critical flaw in its systems management software, HPE Systems Insight Manager (SIM), which the company first disclosed in December. The issue could allow an attacker to perform a remote code execution (RCE) attack without requiring any user interaction.

HPE SIM is a remote support tool that enables the management and automation of various HPE servers, such as the ProLiant Gen10 and HPE ProLiant Gen9.

Following a SIM hotfix update kit release over a month ago, the company updated its security advisory last Thursday to say it had finally addressed the flaw in its SIM software, tracked as CVE-2020-7200 (ref: ZDI-CAN-11847).

The company warned, “the information in this Security Bulletin should be acted upon as soon as possible.”

The serious issue, with a CVSS score of 9.8 out of a maximum of 10, could allow an attacker to remotely execute code without requiring any privileges or user interaction. It impacts the latest versions (7.6.x) of HPE’s SIM software for Windows.

To launch an attack, a threat actor can abuse the HPE SIM’s hpsimsvc.exe process. The issue pertains to the lack of data validation during the deserialization of data when a user submits a POST request to the /simsearch/messagebroker/amfsecure page.
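Defenders can hunt for requests to this endpoint in web or proxy logs. The following is an added example, not code from HPE or the original article; the Combined Log Format input, the `MGMT_NETS` allow-list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from posixpath import normpath
from urllib.parse import unquote

AMF_ENDPOINT = "/simsearch/messagebroker/amfsecure"  # endpoint named in the article
# Assumption: networks from which SIM consoles are legitimately used.
MGMT_NETS = [ip_network("10.20.0.0/24")]
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

def canonical_path(target: str) -> str:
    """Drop the query string, percent-decode, collapse '//' and '/./', and
    lowercase, so padded or encoded variants of the endpoint still match."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    return normpath(path).lower()

def suspicious_posts(lines, mgmt_nets=MGMT_NETS):
    """Return Counter {source_ip: hits} for POSTs to the AMF endpoint
    that originate outside the management networks."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        src, method, target = m.groups()
        if method.upper() != "POST" or canonical_path(target) != AMF_ENDPOINT:
            continue
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # hostname or garbage in the client field
        if not any(addr in net for net in mgmt_nets):
            hits[src] += 1
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.0.15 - - [01/Feb/2021:10:00:01 +0000] "POST /simsearch/messagebroker/amfsecure HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Feb/2021:10:02:11 +0000] "POST /simsearch/messagebroker/amfsecure HTTP/1.1" 200 90 "-" "-"',
    '203.0.113.7 - - [01/Feb/2021:10:02:12 +0000] "POST /simsearch/./messagebroker/%61mfsecure?x=1 HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.4 - - [01/Feb/2021:10:03:00 +0000] "GET /simsearch/messagebroker/amfsecure HTTP/1.1" 405 0 "-" "-"',
    '198.51.100.9 - - [01/Feb/2021:10:04:00 +0000] "POST /login HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    print(dict(suspicious_posts(SAMPLE)))
```

A hit is a lead for triage rather than proof of compromise; the lowercasing and path normalisation deliberately over-match so that variant spellings of the path are not missed.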

An exploit module described by Packet Storm abuses the Commons Collection library that ships with SIM to gain remote code execution:

“This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain remote code execution as the administrative user running HPE SIM,” as the Packet Storm security team explained.

The validation of user-supplied data is often not performed properly, which can lead to the exploitation of vulnerable SIM software.

The provided patch must be deployed as soon as possible.

About the author

CIM Team
