HPE: Sudo Flaw Grants Attackers Root Privileges to Aruba Platform


A vulnerability in Sudo, the open-source privilege-delegation tool bundled in HPE's Aruba AirWave management platform, can let any unprivileged and unauthorized local user obtain root on a vulnerable host, Hewlett Packard Enterprise (HPE) has warned.

According to the HPE security advisory, the Sudo bug is most likely to be used as one step of a chained attack: an attacker first gains a low-privileged foothold through some other flaw and then uses this one to escalate to root.

Aruba AirWave is HPE's real-time monitoring and security alerting platform for wired and wireless infrastructure. Qualys researchers found the Sudo issue (CVE-2021-3156) in January 2021 and estimate that it affects millions of endpoints and systems.

As the Sudo project describes it, Sudo is software used across many platforms that lets a system administrator delegate authority, giving particular users (or groups of users) the ability to run some (or all) commands as root or as another user.

Mehul Revankar, Qualys' VP of Product Management and Engineering, described the Sudo bug in a research note published at the time of discovery as "perhaps the most significant Sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years."

HPE formally reported the issue last week, stating that it affects AirWave management platform releases prior to the version released on June 18, 2021.

According to the security bulletin, “A vulnerability in the command line parameter parsing code of Sudo could allow an attacker with access to Sudo to execute commands or binaries with root privileges.” 

Qualys researchers named the Sudo vulnerability "Baron Samedit" and traced its introduction into the Sudo code to July 2011. The problem was first thought to affect mainly Linux and BSD operating systems, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27) and Fedora 33 (Sudo 1.9.2).

Since then, further security advisories have followed from other vendors. HPE is not the first company to report that its products carry a vulnerable Sudo, and it will probably not be the last.

In February 2021, an Apple security advisory confirmed that the Sudo vulnerability was also present in macOS (macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6). Apple then shipped a patched Sudo (version 1.9.5p2) to fix it.

Mitigate The Risk

In the AirWave context, experts say the flaw can be used for local privilege escalation. Technically it is a heap-based buffer overflow in Sudo's handling of command-line arguments, and any local user can reach it by invoking Sudo in shell mode through sudoedit (sudoedit -s or -i), a path the normal argument escaping does not cover.

Qualys explains that when Sudo runs a command in shell mode it "escapes special characters in the command's parameters with a backslash," and that the sudoers policy plug-in later "removes the escape characters before deciding on the Sudo user's permissions." The bug is in that removal step: an argument ending in a single, unescaped backslash makes the unescape loop step onto the terminating null byte and keep copying from the memory that follows it into a heap buffer that was sized for the shorter input.
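The mismatch Qualys describes, modelled in Python as an added example for this page (it is not code from sudo, Qualys or HPE): the front end's escaping, the policy plug-in's unescape loop with and without a bounds check, a simulate() helper that walks one argument through `sudo -s` and `sudoedit -s`, and a classify_probe() helper that reads the result of the `sudoedit -s /` field check Qualys published. The MODE_* flags, the function names and the "adjacent heap" bytes are this example's own assumptions.

```python
"""Model of the Baron Samedit (CVE-2021-3156) escape/unescape mismatch.

Memory is a bytes object here, so the read past the NUL terminator is
visible without undefined behaviour.  The MODE_* flags and function
names belong to this example; the "adjacent heap" bytes are constructed.
"""

MODE_RUN, MODE_EDIT, MODE_SHELL = 0x1, 0x2, 0x4
SPACES = b" \t\n\r\f\v"          # what C's isspace() accepts in the C locale


def front_end_escape(argv, mode):
    """parse_args(): for a command RUN in shell mode (sudo -s), put a
    backslash before every byte that is not alphanumeric or one of _ - $.
    sudoedit -s sets MODE_EDIT|MODE_SHELL instead, so nothing is escaped:
    that is the path Qualys used to reach the bug."""
    if not (mode & MODE_RUN and mode & MODE_SHELL):
        return [bytes(a) for a in argv]
    escaped = []
    for arg in argv:
        out = bytearray()
        for b in arg:
            if not ((b < 128 and chr(b).isalnum()) or b in b"_-$"):
                out.append(0x5C)                  # '\\'
            out.append(b)
        escaped.append(bytes(out))
    return escaped


def policy_unescape(memory, mode, fixed=False):
    """set_cmnd(): copy one NUL-terminated argument out of `memory`
    (the argument, its NUL, and whatever follows it in the heap), dropping
    the backslash of each escape pair.  fixed=False is the pre-1.9.5p2
    loop: a lone trailing backslash makes it step onto the NUL, copy the
    NUL as data, and carry on reading the bytes after it.  The hardened
    variant never skips a backslash that is the last byte of the argument
    (this example's own bounds check, in the spirit of the upstream fix)."""
    dst = bytearray()
    i = 0
    while memory[i] != 0:
        nxt = memory[i + 1] if i + 1 < len(memory) else 0
        if mode & MODE_SHELL and memory[i] == 0x5C and nxt not in SPACES:
            if not fixed or nxt != 0:
                i += 1                            # drop the escape character
        dst.append(memory[i])
        i += 1
    return bytes(dst)


def simulate(invocation, arg, adjacent=b"SECRET-HEAP-BYTES\0", fixed=False):
    """Walk one argument through `sudo -s ARG` or `sudoedit -s ARG` and
    report the buffer size set_cmnd() would allocate (strlen + 1 of the
    escaped argument), what the unescape loop actually produced, and
    whether that, plus its terminator, overran the buffer."""
    mode = MODE_SHELL | (MODE_RUN if invocation == "sudo" else MODE_EDIT)
    escaped = front_end_escape([arg], mode)[0]
    size = len(escaped) + 1
    memory = escaped + b"\0" + adjacent           # constructed heap neighbourhood
    produced = policy_unescape(memory, mode, fixed)
    return {"size": size, "produced": produced, "overflow": len(produced) + 1 > size}


def classify_probe(output):
    """Read the result of the field check Qualys published, `sudoedit -s /`:
    a vulnerable build answers that / is not a regular file (the argument
    reached the policy plug-in), a fixed build prints its usage text
    because sudoedit no longer accepts -s."""
    if "not a regular file" in output:
        return "vulnerable"
    if output.lstrip().startswith("usage:"):
        return "patched"
    return "unknown"


if __name__ == "__main__":
    for inv in ("sudo", "sudoedit"):
        r = simulate(inv, b"a\\")
        print(f"{inv} -s 'a\\': buffer {r['size']} bytes, "
              f"produced {len(r['produced'])} bytes, overflow={r['overflow']}")
    print("sudoedit with the bounds check:", simulate("sudoedit", b"a\\", fixed=True)["overflow"])
```

Run it with python3 and compare the three lines: only the sudoedit path overruns, because nothing escaped the trailing backslash before the plug-in stripped it. On a real host the authoritative check is still `sudoedit -s /` run as an unprivileged user; version strings alone mislead, since distributions backport the fix without changing the upstream version number.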

To remove the risk, HPE says AirWave users should upgrade to the fixed release or later. The Sudo project itself shipped a fix (Sudo 1.9.5p2) earlier this year; for AirWave, HPE also describes a network-level workaround:

“To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above,” as per HPE.

HPE Patches the Zero-Day Vulnerability in Systems Insight Manager Software for Windows


Hewlett Packard Enterprise (HPE) has released a security update for a critical zero-day remote code execution (RCE) vulnerability in its HPE Systems Insight Manager (SIM) software for Windows, a flaw it first disclosed in December 2020.

HPE updated its original security advisory on Wednesday, although the SIM hotfix update kit that resolves the flaw was published more than a month earlier, on April 20. HPE SIM is a management and remote-support automation tool for Windows and Linux intended for use with the company's servers, storage and networking products, including HPE ProLiant Gen10 and HPE ProLiant Gen9.

Security researchers rate the flaw (CVE-2020-7200) as extremely high risk: it lets an unauthenticated remote attacker execute arbitrary code, it is present in the current 7.6.x releases of HPE SIM, and only the Windows version is affected. The attack is low complexity and requires no user interaction.

“This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain remote code execution as the administrative user running HPE SIM,” according to Packet Storm. In other words, user-supplied data is not properly validated before it is deserialized, so an attacker can hand the server a crafted serialized object and have it execute code on any system running a vulnerable SIM.

HPE has also published mitigation guidance for administrators who cannot deploy the CVE-2020-7200 fix right away. The workaround removes the “Federated Search” and “Federated CMS Configuration” features, which contain the vulnerable code path.

System administrators running HPE SIM can block CVE-2020-7200 attacks with the following procedure:

1. Stop the HPE SIM service.

2. Delete the federated-search web application from the SIM installation path (the path contains spaces, so it must be quoted for del):

del /Q /F "C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war"

3. Restart the HPE SIM service.

4. Wait until the HPE SIM web page (https://SIM_IP:50000, with SIM_IP replaced by the server's address) is reachable again, then run the following from a command prompt opened in the SIM installation directory (the tools\ path is relative to it):

mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul

Following this procedure protects administrators who cannot yet apply the hotfix from exploitation, but it also means HPE SIM users can no longer use the federated search feature.

HP Enterprise Suffers Critical Bug, Requests Users To Update


Experts had already warned that unpatched versions of HPE's (Hewlett Packard Enterprise) Edgeline Infrastructure Manager were vulnerable to a remote authentication bypass. HPE is asking customers to patch the management software, since the bug lets an attacker bypass remote authentication and gain access to the customer's infrastructure. Rated critical with a CVSS score of 9.8, it affects all versions of HPE EIM (Edgeline Infrastructure Manager) earlier than 1.22.

HPE's edge-computing management suite, EIM, is about two years old. Users are advised to install HPE EIM 1.22 or later immediately. In a recent security bulletin, the HPE Product Security Response Team wrote: “a security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to the execution of arbitrary commands, gaining privileged access, causing a denial of service, and changing the configuration."

About the bug 

The remote authentication bypass stems from how EIM handles password resets for administrator accounts. When a user logs in for the first time with the default password of an active administrator account, EIM asks for a new password, and the change is submitted as a request to redfish/v1/SessionService/ResetPassword/1. The flaw is that this endpoint keeps working after the password has been changed, so a remote attacker who has never authenticated can send the same request to set a new password for the administrator account and then simply log in with it by sending a request to a URL.

Once logged in, the attacker can change the password of the operating-system root account by sending a request to /redfish/v1/AccountService/Accounts/1. "It allows the attacker to SSH to the EIM host as root. SSH stands for Secure Shell or Secure Socket Shell and is a network protocol that is most often used by system administrators for remote command-line requests, system logins, and also for remote command execution," Threatpost reports. Cybersecurity firm Tenable has also published a proof of concept for the attack.
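A way to spot this sequence in EIM request logs, as an added example for this page (it is not HPE or Tenable code): it assumes a simple "timestamp src_ip method path status" access-log format, a standard Redfish session endpoint for the login step the write-up only calls "a URL", and constructed sample lines; the rule names and function names are this example's own.

```python
"""Detection logic for the EIM password-reset abuse described above.

It assumes an access log in a simple "timestamp src_ip method path status"
form; EIM's real log format is not known to this example, and the sample
lines below are constructed.  Two request patterns from the write-up are
flagged: a ResetPassword call for an account whose first-login reset has
already happened, and any write to AccountService/Accounts/<id>, which is
how the OS root password was changed.  Alerts are then chained by source
address, because the bypass is a sequence, not a single request.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
RESET_RE = re.compile(r"^/redfish/v1/SessionService/ResetPassword/(\d+)$")
ACCOUNT_RE = re.compile(r"^/redfish/v1/AccountService/Accounts/(\d+)$")
# Assumed login endpoint (standard Redfish); the write-up only says "a URL".
SESSION_PATH = "/redfish/v1/SessionService/Sessions"
WRITE_METHODS = {"POST", "PATCH", "PUT"}

# Constructed sample: the administrator's legitimate first login and reset
# in the morning, then an unauthenticated reset, a login and a root-password
# change from an outside address in the afternoon.
SAMPLE_LOG = """\
2021-05-03T09:00:01Z 10.0.0.5 POST /redfish/v1/SessionService/Sessions 201
2021-05-03T09:00:07Z 10.0.0.5 POST /redfish/v1/SessionService/ResetPassword/1 200
2021-05-03T09:01:10Z 10.0.0.5 GET /redfish/v1/Systems 200
2021-05-03T14:22:40Z 203.0.113.7 POST /redfish/v1/SessionService/ResetPassword/1 200
2021-05-03T14:22:45Z 203.0.113.7 POST /redfish/v1/SessionService/Sessions 201
2021-05-03T14:23:02Z 203.0.113.7 PATCH /redfish/v1/AccountService/Accounts/1 200
"""


def parse_line(line):
    """One log line to a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def detect(lines, already_reset=()):
    """Return alerts for the request patterns above.  `already_reset` lists
    account ids whose first-login reset is known to be complete; once a
    deployment is past initial setup that should be every admin account.
    Otherwise the first successful reset per account is taken as legitimate."""
    alerts = []
    reset_done = set(already_reset)
    logged_in_srcs = set()                     # sources that created a session
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] not in WRITE_METHODS:
            continue
        src, path, ok = ev["src"], ev["path"], ev["status"] < 400
        if path == SESSION_PATH and ok:
            logged_in_srcs.add(src)
            continue
        m = RESET_RE.match(path)
        if m:
            acct = m.group(1)
            if acct in reset_done:             # reset endpoint reused after setup
                alerts.append({"rule": "repeat-reset", "account": acct, "src": src,
                               "ts": ev["ts"], "succeeded": ok,
                               "prior_session": src in logged_in_srcs})
            elif ok:
                reset_done.add(acct)
            continue
        m = ACCOUNT_RE.match(path)
        if m and ok:                           # credential change on an account
            alerts.append({"rule": "account-write", "account": m.group(1), "src": src,
                           "ts": ev["ts"], "succeeded": ok,
                           "prior_session": src in logged_in_srcs})
    return alerts


def chains(alerts):
    """Source addresses that both re-ran a password reset and then wrote an
    account: the full bypass sequence from the write-up, in sorted order."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["src"]].add(a["rule"])
    return sorted(src for src, rules in by_src.items()
                  if {"repeat-reset", "account-write"} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print("bypass chains from:", chains(found))
```

This is a compensating control, not a fix: upgrade to 1.22 and keep the management interface off untrusted networks. Legitimate administrator password changes will also surface as account-write alerts, so the chains() output, where one source re-ran a reset without a prior session and then wrote an account, is the high-confidence signal to page on.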

Hewlett Packard Enterprise and IBM Networks Breached by China; Clients Targeted

Hackers working for China's Ministry of State Security breached the networks of Hewlett Packard Enterprise and IBM in order to get into their clients' computers.

As part of the Chinese campaign known as Cloudhopper, the attacks compromised technology service providers in order to steal secrets from their clients. International Business Machines Corp said it had no evidence that sensitive corporate data had been compromised, while Hewlett Packard Enterprise (HPE) declined to comment on the campaign.

Although numerous government agencies and cybersecurity firms have issued warnings about Cloudhopper since 2017, the identities of the technology companies whose networks were compromised had not been revealed until now.

According to a U.S. federal indictment of two Chinese nationals, unsealed on December 20, Cloudhopper focused mainly on managed service providers (MSPs) as a way into their clients' networks, stealing corporate secrets from organizations around the world.

Both IBM and HPE declined to comment on the sources' specific claims, but each gave a statement.

"IBM has been aware of the reported attacks and already has taken extensive counter-measures worldwide as part of our continuous efforts to protect the company and our clients against constantly evolving threats. We take responsible stewardship of client data very seriously, and have no evidence that sensitive IBM or client data has been compromised by this threat."

HPE said: "The security of HPE customer data is our top priority. We are unable to comment on the specific details described in the indictment, but HPE's managed services provider business moved to DXC Technology in connection with HPE's divestiture of its Enterprise Services business in 2017."

Reuters was unable to confirm the names of other breached technology firms or to identify any affected customers.

Cloudhopper, which has targeted technology service providers for several years, is known to have penetrated the systems of HPE and IBM on multiple occasions, in intrusions that went on for extended periods.

IBM investigated an attack as recently as this summer, while HPE conducted a large breach investigation in early 2017.