A security vulnerability has been identified in the HP Discovery & Dependency Mapping Inventory software package. The package is used for optimized management of printers, servers and network devices. The flaw arises because the SNMP community string is defined as "public". A remote attacker who exploits the vulnerability can gain access to sensitive data. New versions of the package contain fixes for the described vulnerability, and timely installation is advised for protection.

HP Discovery & Dependency Mapping Inventory SNMP Configuration Issue

VUPEN ID 	VUPEN/ADV-2011-0755
CVE ID 	CVE-2011-0890
 
CWE ID 	Available in VUPEN VNS Customer Area
CVSS V2 	Available in VUPEN VNS Customer Area
Rated as 	Moderate Risk 
Impact 	Available in VUPEN VNS Customer Area
Authentication Level 	Available in VUPEN VNS Customer Area
Access Vector 	Available in VUPEN VNS Customer Area
Release Date 	2011-03-24

Technical Description

A vulnerability has been identified in HP Discovery & Dependency Mapping Inventory (DDMI), which could be exploited by remote attackers to gain knowledge of sensitive information. This issue is caused by the SNMP read community string being set to "public", which could be exploited remotely to allow unauthorized read-only access to the data available via the SNMP protocol.

Affected Products

HP Discovery & Dependency Mapping Inventory (DDMI) version 7.50
HP Discovery & Dependency Mapping Inventory (DDMI) version 7.51
HP Discovery & Dependency Mapping Inventory (DDMI) version 7.60
HP Discovery & Dependency Mapping Inventory (DDMI) version 7.61
HP Discovery & Dependency Mapping Inventory (DDMI) version 7.70
HP Discovery & Dependency Mapping Inventory (DDMI) version 9.30

Solution 

Modify the value of the SNMP read community string:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02757867

References

http://www.vupen.com/english/advisories/2011/0755
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02757867

Credits 

Vulnerability reported by the vendor.

Changelog 

2011-03-24 : Initial release
