Otkrivena je sigurnosna ranjivost vezana uz HP StorageWorks Modular Smart Array P2000 G3 koju udaljeni zlonamjerni korisnik može iskoristiti za izvršavanje proizvoljnog programskog koda.
Paket:
HP StorageWorks Modular Smart Array P2000
Operacijski sustavi:
HP-UX 11.x, Microsoft Windows Server 2003, Microsoft Windows Server 2008, OpenVMS 4.x, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Sun Solaris 10, SUSE Linux Enterprise Server (SLES) 10, SUSE Linux Enterprise Server (SLES) 11, VMware ESX Server 4.x, VMware ESXi 4.x, VMware ESXi 5.x
Problem:
pogreška u programskoj komponenti
Iskorištavanje:
udaljeno
Posljedica:
proizvoljno izvršavanje programskog koda
Rješenje:
zaobilazno rješenje (workaround)
CVE:
CVE-2011-4788
Izvorni ID preporuke:
HPSBST02735
Izvor:
Hewlett Packard
Problem:
Nije objavljeno što uzrokuje propust.
Posljedica:
Udaljeni napadač može iskoristiti navedeni propust za pokretanje zlonamjernog programskog koda.
Rješenje:
Preporuča se pregled originalne preporuke kako bi korisnici otkrili na koji se način otklanja ranjivost.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03153338
Version: 1
HPSBST02735 SSRT100516 rev.1 - HP StorageWorks Modular Smart Array P2000 G3, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-01-13
Last Updated: 2012-01-13
Potential Security Impact: Remote execution of arbitrary code
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StorageWorks Modular Smart Array P2000 G3. This vulnerability could be exploited to allow remote execution of arbitrary code.
References: CVE-2011-4788, ZDI-12-015
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP StorageWorks Modular Smart Array P2000 G3 - all release firmware revisions before TS230P008.
Hardware or Software Platforms Affected
BV913A HP P2000 G3 FC MSA DC w/12 300GB 6G SAS 10K SFF HDD 3.6TB Bundle
BV914A HP P2000 G3 FC MSA DC w/12 600GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV901A HP P2000 G3 FC MSA DC w/24 146GB 6G SAS 15K SFF HDD 3.5TB Bundle
BV902A HP P2000 G3 FC MSA DC w/24 300GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV903A HP P2000 G3 FC MSA DC w/24 600GB 6G SAS 10K SFF HDD 14.4TB Bundle
BV915A HP P2000 G3 FC/iSCSI MSA DC w/12 300GB 6G SAS 10K SFF HDD 3.6TB
BV916A HP P2000 G3 FC/iSCSI MSA DC w/12 600GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV904A HP P2000 G3 FC/iSCSI MSA DC w/24 146GB 6G SAS 15K SFF HDD 3.5TB Bundle
BV905A HP P2000 G3 FC/iSCSI MSA DC w/24 300GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV906A HP P2000 G3 FC/iSCSI MSA DC w/24 600GB 6G SAS 10K SFF HDD 14.4TB Bundle
BV917A HP P2000 G3 SAS MSA DC w/12 300GB 6G SAS 10K SFF HDD 3.6TB Bundle
BV918A HP P2000 G3 SAS MSA DC w/12 600GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV907A HP P2000 G3 SAS MSA DC w/24 146GB 6G SAS 15K SFF HDD 3.5TB Bundle
BV908A HP P2000 G3 SAS MSA DC w/24 300GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV909A HP P2000 G3 SAS MSA DC w/24 600GB 6G SAS 10K SFF HDD 14.4TB Bundle
BV919A HP P2000 G3 iSCSI MSA DC w/12 300GB 6G SAS 10K SFF HDD 3.6TB Bundle
BV920A HP P2000 G3 iSCSI MSA DC w/12 600GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV910A HP P2000 G3 iSCSI MSA DC w/24 146GB 6G SAS 15K SFF HDD 3.5TB Bundle
BV911A HP P2000 G3 iSCSI MSA DC w/24 300GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV912A HP P2000 G3 iSCSI MSA DC w/24 600GB 6G SAS 10K SFF HDD 14.4TB Bundle
AW596A HP StorageWorks P2000 G3 10GbE iSCSI MSA Dual Controller LFF Array System
AW597A HP StorageWorks P2000 G3 10GbE iSCSI MSA Dual Controller SFF Array System
AP847A HP StorageWorks P2000 G3 FC MSA Dual Controller Small Business SAN Starter Kit
AP848A HP StorageWorks P2000 G3 FC MSA Dual Controller Virtualization SAN Starter Kit
BK816A HP StorageWorks P2000 G3 FC/iSCSI w/24 300GB 6G SAS 10K SFF DP 7.2K 7.2TB Bundle
BK746SB HP StorageWorks P2000 G3 MSA FC Dual Controller LFF Array Starter Kit/S-Buy
AP845A HP StorageWorks P2000 G3 MSA FC Dual Controller LFF Modular Smart Array System
BK747SB HP StorageWorks P2000 G3 MSA FC Dual Controller SFF Array Starter Kit/S-Buy
AP846A HP StorageWorks P2000 G3 MSA FC Dual Controller SFF Modular Smart Array System
AW567A HP StorageWorks P2000 G3 MSA FC/iSCSI Dual Combo Controller LFF Array
AW568A HP StorageWorks P2000 G3 MSA FC/iSCSI Dual Combo Controller SFF Array
BK748SB HP StorageWorks P2000 G3 MSA FC/iSCSI Dual Combo LFF Array Starter Kit/S-Buy
BK749SB HP StorageWorks P2000 G3 MSA FC/iSCSI Dual Combo SFF Array Starter Kit/S-Buy
AW593A HP StorageWorks P2000 G3 SAS MSA Dual Controller LFF Array System
AW594A HP StorageWorks P2000 G3 SAS MSA Dual Controller SFF Array System
BV842A HP StorageWorks P2000 G3 SAS w/24 300GB 6G SAS 10K SFF DP 10K 7.2TB Bundle
BK830A HP StorageWorks P2000 G3 iSCSI MSA Dual Controller LFF Array System
BK831A HP StorageWorks P2000 G3 iSCSI MSA Dual Controller SFF Array System
BACKGROUND
For a PGP signed version of this security bulletin please write to: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
CVSS 2.0 Base Metrics
Reference
Base Vector
Base Score
CVE-2011-4788
(AV:N/AC:L/Au:N/C:C/I:P/A:P)
9.0
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
The vulnerability can be resolved by the following procedure:
Disable the array's HTTP and HTTPS network management services (Note: This will also disable all management access from a Web browser. Array management access may be maintained via Command Line Interface [CLI].) Use the instructions outlined in the Workaround section below to disable the HTTP and HTTPS network management services.
Install TS230P008 firmware as soon as possible. If the HTTP and HTTPS network management services have been previously disabled, the services may be re-enabled as the issue is fully resolved in TS230P008 firmware.
TS230P008 firmware installation and workaround instructions:
Go to http://www.hp.com/support/storage
Under Disk Storage Systems, click P2000/MSA Disk Arrays .
Click HP P2000 G3 MSA Array Systems , then click Download drivers and software .
Select your product and operating system.
Click Firmware - Storage Controller .
In the Description column of the table, click the title of the firmware:
To download the firmware, click Download .
To read the release notes, click the Release Notes tab.
Note: If you have trouble finding your product, drivers, or software, use the Product Search function from http://www.hp.com/support/downloads and enter your product number.
Before running the TS230P008 Smart Component, verify that both the telnet and FTP options are enabled on the array to allow the Smart Component to run successfully.
Workaround
Disable the HTTP/HTTPS service protocols:
Note:
Disabling the HTTP/HTTPS services will disable the Storage Management Utility (SMU), including Web access to manage the system. All management must be performed by CLI telnet. If the system can not be accessed through CLI telnet, upgrade the system to TS230P008 to resolve this issue.
Any scripts requiring HTTP or HTTPS access will no longer function with HTTP or HTTPS disabled.
To disable the HTTP/HTTPS service protocols, enter the following command at the CLI prompt:
# set protocols http disabled https disabled
Success: Command completed successfully.
The HTTP and HTTPS services must be re-enabled to resume SMU access.
To re-enable the HTTP or HTTPS protocols, enter the following command at the CLI prompt:
# set protocols http enabled https enabled
Success: Command completed successfully.
HISTORY
Version:1 (rev.1) - 13 January 2012 Initial Release
Posljednje sigurnosne preporuke