Several security vulnerabilities have been found in the HP Insight Management Agents software package. A remote attacker could exploit them to gain elevated privileges, inject HTML and script code, modify data, and cause a denial of service (DoS).
Package:
HP Insight Management Agents for Windows Server (versions before v9.0.0.0)
Operating systems:
Microsoft Windows Server 2003, Microsoft Windows Server 2008
The vulnerabilities stem from improper handling of URLs, CSRF (Cross-site request forgery) and XSS (Cross-site scripting) flaws, and unspecified errors.
Impact:
A remote attacker could exploit these vulnerabilities to carry out a DoS (Denial of Service) attack, execute arbitrary HTML and script code, modify data, and gain elevated privileges on the system.
Solution:
All users of this software package are advised, for their own protection, to upgrade to a newer version.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03301267
Version: 1
HPSBMU02770 SSRT100848 rev.1 - HP Insight Management Agents for Windows Server, Remote Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), URL Redirection, Unauthorized Modification, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-05-01
Last Updated: 2012-05-01
Potential Security Impact: Remote cross site request forgery (CSRF), cross site scripting (XSS), URL redirection, unauthorized modification, Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Insight Management Agents for Windows Server. The vulnerabilities could be exploited remotely resulting in cross site request forgery (CSRF), cross site scripting (XSS), URL redirection, unauthorized modification, and Denial of Service (DoS).
References: CVE-2012-2003 (CSRF), CVE-2012-2004 (URL redirection), CVE-2012-2005 (XSS), CVE-2012-2006 (unauthorized modification), SSRT100160, SSRT100456, SSRT100812, SSRT100813
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Management Agents for Windows Server before v9.0.0.0
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address not rendered on the page]
CVSS 2.0 Base Metrics
Reference       Base Vector                     Base Score
CVE-2012-2003   (AV:N/AC:M/Au:N/C:P/I:P/A:P)    6.8
CVE-2012-2004   (AV:N/AC:M/Au:N/C:C/I:P/A:P)    8.3
CVE-2012-2005   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2012-2006   (AV:N/AC:M/Au:S/C:N/I:P/A:P)    4.9
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following updates to resolve the vulnerabilities.
HP Insight Management Agents for Windows Server 2003/2008 v9.0.0.0 or subsequent: cp014537.exe
HP Insight Management Agents for Windows Server 2003/2008 x64 v9.0.0.0 or subsequent: cp014538.exe
The updates are part of the HP ProLiant Support Pack (PSP) v9.0, available here:
http://h20000.www2.hp.com/bizsupport/TechSupport/DriverDownload.jsp?lang=en&cc=us&prodNameId=3716247&taskId=135&prodTypeId=18964&prodSeriesId=3716246&lang=en&cc=us
HISTORY:
Version:1 (rev.1) 1 May 2012 Initial release