Multiple security vulnerabilities have been found in the HP System Management Homepage software package. Potential attackers could exploit these flaws for a DoS attack, arbitrary code execution and disclosure of sensitive information.
Package:
HP System Management Homepage 7.x
Operating systems:
HP-UX 11.x, Microsoft Windows XP, Microsoft Windows Vista, Microsoft Windows 7
Criticality:
7.5
Problem:
integer overflow, error in a program function, error in a program component
The vulnerabilities are caused by errors in the components "libxml2", "include/iniset.php", "scoreboard.c" and "mod_proxy", in the implementations of the DTLS, PHP, SSL, OpenSSL and SGC (Server Gated Cryptography) components, in the functions "is_a", "ap_pregsub" and "log_cookie", and by integer overflows.
Consequence:
A malicious attacker can exploit these flaws for a denial of service (DoS) attack, execution of arbitrary program code and viewing of confidential data.
Solution:
Users are advised to use the new version of the software package.
HP System Management Homepage Multiple Vulnerabilities
Secunia Advisory: SA49592
Release Date: 2012-06-27
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software:
HP System Management Homepage 7.x
CVE Reference(s):
CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3379, CVE-2011-3607, CVE-2011-4078, CVE-2011-4108, CVE-2011-4153, CVE-2011-4317, CVE-2011-4415, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-4885, CVE-2012-0021, CVE-2012-0027, CVE-2012-0031, CVE-2012-0036, CVE-2012-0053, CVE-2012-0057, CVE-2012-0830, CVE-2012-1165, CVE-2012-1823, CVE-2012-2012, CVE-2012-2013, CVE-2012-2014, CVE-2012-2015, CVE-2012-2016
Description
Multiple vulnerabilities have been reported in HP System Management Homepage, where some have unknown impacts and others can be exploited by malicious, local users to gain escalated privileges and cause a DoS (Denial of Service) and by malicious people to disclose potentially sensitive information, hijack a user's session, cause a DoS (Denial of Service), bypass certain security restrictions, manipulate certain data, and compromise a vulnerable system.
1) An unspecified error can be exploited to cause a crash. No further information is currently available.
2) An unspecified error with an unknown impact related to input validation exists. No further information is currently available.
3) An unspecified error can be exploited to gain escalated privileges. No further information is currently available.
4) An unspecified error can be exploited to disclose sensitive information. No further information is currently available.
5) The application bundles vulnerable versions of Libxml2, PHP, Apache, OpenSSL, and cURL.
For more information, see the Secunia advisories:
SA44711
SA45793
SA46107
SA46632
SA46823
SA46958
SA47404
SA47426
SA47690
SA47806
SA49014
The vulnerabilities are reported in versions prior to 7.1.1.
Solution
Update to version 7.1.1.
Provided and/or discovered by
1-4) Reported by the vendor.
Original Advisory
HPSBMU02786 SSRT100877:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?c03360041