HP System Management Homepage Remote Unauthorized Access
--------------------------------------------------------
[Vulnerability]: Remote Authentication Bypass
[Product]: CompaqHTTPServer/9.9 HP System Management Homepage 2.1.3.132 and above
[Platform]: Microsoft® Windows® - Linux operating systems (IA32 and Itanium Processor Family) - Tru64 UNIX v5.1A and above (according to HP)
[Reference(s)]: http://src.telindus.com/articles/hpsm_vulnerability.html
[Date]: Feb 20 2006
[Date of report to vendor]: Dec 12 2005
--------------------------------------------------------
[Vulnerability summary]:
The HP System Management Homepage is a web-based interface that consolidates and simplifies the management of individual ProLiant and Integrity servers running Microsoft Windows or Linux operating systems. By aggregating data from HP Insight Management Agents and other management tools, the System Management Homepage provides a secure and intuitive interface to review in-depth hardware configuration and status data, performance metrics, system thresholds and software version control information. The System Management Homepage can also be used to access the HP Lights-Out Management processor on ProLiant and Integrity servers (http://h18004.www1.hp.com/products/servers/management/agents/).

Access to the HP System Management Homepage requires posting credentials. With the trust mode set to the "Trust All" configuration, this authentication can be bypassed by sending a crafted URL. An attacker can therefore manage a vulnerable host (modification of hardware configuration, of tasks, of allowed IP range, shutdown, etc., and many further actions from there, such as attacks on the surrounding network).
[Vulnerability impact]:
Remote administration through the web management interface (modification of hardware configuration, of tasks, of allowed IP range, shutdown, etc., and many further actions from there, such as attacks on the surrounding network)
----------------------------------------------------------------------
[Vendor fix]: None
[Vendor response]:
[..] Set the Trust level to "Trust by Certificates". This way only SIM servers with the appropriate level of access can do any access with STE or SSO. This will not prevent an administrator from logging into the SMH either remotely or locally. The SMH and SIM documentation have more information on Trust Levels. The SMH Security setup selection for trusts indicates that the only recommended and truly secure trust level is by certificates.
http://www.hp.com/wwsolutions/misc/hpsim-helpfiles/mxhelp/mxportal/en/admin_security_about_secureTaskExecution.html#N1004B (STE definition)
----------------------------------------------------------------------
[Reported by]: TELINDUS SRC (Grégoire DE BACKER)