Jump to content

Search the Community

Showing results for tags 'hp device manager'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Categories

  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions

Categories

  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Found 1 result

  1. Hidden database account discovered, no patches available yet, mitigations offered HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account that undermines network security, a UK-based consultant has warned. Nicky Bloor, founder of Cognitous Cyber Security, reports that an HP Inc programmer appears to have set up an insecure user account in a database within HP Device Manager (HPDM). He found that the account can be exploited to achieve privilege escalation and, in conjunction with other flaws, gain unauthorized remote command execution as SYSTEM. This is bad: if you can reach a vulnerable installation of this device manager on a network, you can gain admin-level control over its machine and the thin clients it controls. HPDM typically runs on a Windows-powered server, and directs multiple Windows clients. Bloor told The Reg on Tuesday he had been looking into the security of HPDM and spotted a series of weaknesses he was able to exploit. The most concerning of these, he said, was a backdoor database user account, which he identified by examining a log file included with the software. It appears this log file details operations performed on the device manager's PostgreSQL database during the software's development, revealing the existence of the hidden user account. "This was a privileged user account with a password consisting of a single space character," Bloor said. "The only reference to the user account was in a database log file included with the HP Device Manager software where log entries can be seen dating before I even installed the software." Bloor told us the log entries reveal a failed attempt to authenticate as the database user account used by HPDM. That's followed by a log entry associated with a new user account and what looks like the HP programmer trying to limit the backdoor user account from being used to create other new accounts, he said, as if the developer were trying to limit the security consequences of accessing the backdoor account. "Anyone with access to a server where HP Device Manager is installed could use this user account to gain complete control over the server," said Bloor, noting that this would qualify as local privilege escalation. "However, I managed to find additional vulnerabilities in HP Device Manager's default configuration that mean the vulnerability can be exploited remotely so that anyone who can connect to a server that's running HPDM can gain complete control of that server," he said. "From there, HPDM provides full administrative control over the HP thin clients in the environment." Bloor said this vulnerability is present in current versions of the HPDM software, and he's not sure which previous versions of software might be affected. He added that he contacted HP on August 3, 2020, to disclose details about the vulnerabilities, and asked the IT giant to confirm it understood the implications of the flaw, to propose how it intended to resolve the issue, and to provide a reasonable timeframe to implement the fix. HP was unresponsive, he said, until he explained that he planned to publish details in 30 days if the corporation continued to stonewall. At that point, he said, HP replied to say the industry standard for coordinated disclosure of vulnerabilities is 90 days and to ask for that much time to produce a fix, without answering any of Bloor's questions. That was on August 19, 2020. At that point, Bloor said, HP hadn't confirmed it had reviewed and understood the vulnerability reports, and hadn't proposed any mitigation nor resolution timeline. Bloor was not inclined to just wait around for HP. "I'm paid to help people secure their IT environments and applications, but I also don't have the time to waste chasing HP and hoping that someday in '90+ days' they will produce a patch that will help me to secure my clients' environments," he said. "The fix for the most severe part of the issue is trivial so 90+ days is a joke." To underscore how easy the issue is to fix, he described the process in a series of tweets. In an email to The Register on Tuesday night, HP acknowledged the security blunder – assigning it multiple vulnerability IDs: CVE-2020-6925 (weak cipher), CVE-2020-6926 (remote method invocation), and CVE-2020-6927 (elevation of privilege) – and said it has now published an advisory to alert customers. That CVE-2020-6926 flaw is a 9.9 out of 10 in terms of CVSS severity, by the way. Sysadmins are urged to update to HP Device Manager 5.0.4, or HP Device Manager 4.7 Service Pack 13 when it is available, to address the flaws. Source
×
×
  • Create New...