An advisory has been issued for the HP SMH (System Management Homepage) software package, warning users of a flaw that allowed a remote attacker to disclose and modify sensitive information.
Package:
HP System Management Homepage v6.0
Operating systems:
Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Ubuntu Linux 11.0, Ubuntu Linux 5.04, Ubuntu Linux 5.10, Ubuntu Linux 6.06, Ubuntu Linux 6.10, Ubuntu Linux 7.04, Ubuntu Linux 7.10, Ubuntu Linux 8.04, Ubuntu Linux 8.10, Ubuntu Linux 9.04, Ubuntu Linux 9.10, Ubuntu Linux 10.04, Ubuntu Linux 10.10, Ubuntu Linux 11.04, Ubuntu Linux 11.10
Severity:
3.2
Problem:
error in a software component
Exploitation:
remote
Impact:
data modification, disclosure of sensitive information
Solution:
workaround
CVE:
CVE-2011-3389
Original advisory ID:
HPSBMU02742
Source:
Hewlett Packard
Problem:
The security vulnerability is the result of an error in the implementation of the SSL protocol.
Impact:
A remote attacker can exploit this flaw to disclose and modify sensitive data.
Solution:
All users are advised to apply the available patches.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03164351
Version: 1
HPSBMU02742 SSRT100740 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Unauthorized Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-02-08
Last Updated: 2012-02-08
Potential Security Impact: Remote unauthorized disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP System Management Homepage (SMH) for Linux and Windows. The vulnerability could be exploited remotely resulting in unauthorized disclosure of information.
References: CVE-2011-3389, CERT VU#864643
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage for Linux and Windows, all versions
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address protected from spambots; JavaScript is required to view it]
CVSS 2.0 Base Metrics
Reference: CVE-2011-3389
Base Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Base Score: 4.3
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
CERT VU#864643 documents workarounds.
Prioritize RC4 Ciphers over CBC Ciphers
The vulnerability can be worked around by prioritizing RC4 ciphers over CBC ciphers.
By default SMH already does prioritize the RC4 ciphers over CBC ciphers. The default configuration is:
'ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:-SSLv2:+EXP:-LOW:+eNULL'
The list of available ciphers in SMH can be further restricted. The following command specifies only one cipher:
smhconfig -Z 'RC4-SHA'
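One way to check the ordering described above, as an added example (not HP's code and not part of the bulletin): it reads a cipher listing in the column layout printed by `openssl ciphers -v` and reports any CBC suite ranked ahead of an RC4 suite. The sample listings and the function names `classify`, `parse` and `audit` are constructed for illustration.

```python
# Added example: audit a server cipher preference list for the "RC4 ahead of
# CBC" ordering in the bulletin. Input layout: `openssl ciphers -v` columns.

# Constructed sample listings (not captured from an SMH host).
GOOD = """\
RC4-SHA       SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5       SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=MD5
AES256-SHA    SSLv3 Kx=RSA Au=RSA Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA  SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""
BAD = """\
AES256-SHA    SSLv3 Kx=RSA Au=RSA Enc=AES(256)  Mac=SHA1
RC4-SHA       SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA  SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5       SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=MD5
"""


def classify(enc):
    """Map an Enc= value to the property relevant to CVE-2011-3389."""
    algo = enc.split("(")[0].upper()
    if algo == "RC4":
        return "rc4"
    if algo == "NONE":
        return "null"
    if "GCM" in algo or "CCM" in algo or "CHACHA20" in algo:
        return "aead"
    return "cbc"  # remaining SSLv3/TLS 1.0 block ciphers run in CBC mode


def parse(listing):
    """Return [(suite_name, kind)] in the order the listing gives them."""
    suites = []
    for line in listing.splitlines():
        fields = line.split()
        enc = next((f[4:] for f in fields if f.startswith("Enc=")), None)
        if enc is not None:
            suites.append((fields[0], classify(enc)))
    return suites


def audit(listing):
    """Return (ok, offending): CBC suites that outrank at least one RC4 suite."""
    suites = parse(listing)
    last_rc4 = max((i for i, (_, k) in enumerate(suites) if k == "rc4"), default=-1)
    if last_rc4 < 0:  # no RC4 at all: every CBC suite is exposed
        return False, [n for n, k in suites if k == "cbc"]
    offending = [n for i, (n, k) in enumerate(suites) if k == "cbc" and i < last_rc4]
    return not offending, offending
```

RFC 7465 (2015) later prohibited RC4 in TLS, so this ordering reflects the 2012 workaround rather than current practice.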