HP Device Manager Multiple Vulnerabilities (CVE-2020-6925, CVE-2020-6926, CVE-2020-6927)

Overview 

On 25 September 2020, HP released an advisory to address multiple vulnerabilities (CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927) in the HP Device Manager. Successful exploitation of these vulnerabilities could lead to dictionary attacks, unauthorized remote access to resources, and elevation of privilege. 

Description 

CVE-2020-6925 – This vulnerability exists due to a weak cipher implementation in HP Device Manager. It may allow dictionary attacks against locally managed accounts in HP Device Manager. Customers who use Active Directory authenticated accounts are not affected by this vulnerability.

CVE-2020-6926 – This is the most severe of the three vulnerabilities and exists in all versions of HP Device Manager. It allows remote unauthenticated attackers to gain access to resources.

CVE-2020-6927 – This is a privilege escalation vulnerability that allows an attacker to gain SYSTEM privileges on an affected device. Customers who use an external database (Microsoft SQL Server) and have not installed the integrated Postgres service are not affected by this vulnerability.

Infosec researcher Nick Bloor, who discovered these vulnerabilities, says in his tweet, “Combined with some other vulnerabilities this leads to unauthenticated remote code execution as SYSTEM”. The researcher combined two vulnerabilities (CVE-2020-6926 and CVE-2020-6927) to gain SYSTEM-level privilege on a remote target.

Image Source: Nick Bloor

| CVE ID | Impacted Version |
| --- | --- |
| CVE-2020-6925 | All versions of HP Device Manager |
| CVE-2020-6926 | All versions of HP Device Manager |
| CVE-2020-6927 | HP Device Manager 5.0.0, 5.0.1, 5.0.2, 5.0.3 |

Mitigation

HP Device Manager users can partially mitigate this issue in any of the following ways:

  • Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only; or
  • Remove the dm_postgres account from the Postgres database; or
  • Update the dm_postgres account password within HP Device Manager Configuration Manager; or
  • Within the Windows Firewall configuration, create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.
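
A read-only audit of the network-scoping mitigations above, as an added example that is not from HP or the original post: it lists listeners on ports 1099, 40002 and 40006 and flags enabled inbound allow rules that admit remote addresses outside the intended scope. `$TrustedSources` and the helper `Test-PortSpecCoversPort` are assumptions for illustration; block rules, which take precedence over allow rules, are not evaluated.

```powershell
# Added example: audit of the firewall mitigations on an HP Device Manager server.
# Port numbers come from the advisory; $TrustedSources is a constructed placeholder.
$ScopedPorts    = 1099, 40002      # should be limited to trusted IPs or localhost
$LocalOnlyPorts = 40006            # PostgreSQL: localhost access only
$TrustedSources = @('192.0.2.10')  # assumption: replace with your trusted management hosts
$AllPorts       = $ScopedPorts + $LocalOnlyPorts

function Test-PortSpecCoversPort {
    # True when a firewall LocalPort value ('Any', '1099', '40000-40010') covers $Port.
    param([string[]]$Spec, [int]$Port)
    foreach ($item in $Spec) {
        if ($item -eq 'Any') { return $true }
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($item -match '^\d+$' -and [int]$item -eq $Port) { return $true }
    }
    return $false
}

# 1. Which of the ports are listening, and on which local address?
#    A listener bound to 0.0.0.0 or :: is reachable remotely unless the firewall scopes it.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $AllPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Enabled inbound allow rules that admit sources beyond the intended scope.
$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -notin 'TCP', 'Any') { continue }
    $remote  = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $program = ($rule | Get-NetFirewallApplicationFilter).Program
    foreach ($port in $AllPorts) {
        if (-not (Test-PortSpecCoversPort -Spec $portFilter.LocalPort -Port $port)) { continue }
        # Port 40006 should have no remote sources at all; 1099/40002 only trusted ones.
        $allowed = if ($port -in $LocalOnlyPorts) { @() } else { $TrustedSources }
        $extra   = @($remote | Where-Object { $_ -notin $allowed })
        if ($extra) {
            [pscustomobject]@{ Port = $port; Rule = $rule.DisplayName
                               Program = $program; UnexpectedRemote = $extra -join ',' }
        }
    }
}
$findings | Format-Table -AutoSize
```

Rules whose port is `Any` apply only to the program shown in the `Program` column, so compare that column with the process IDs from step 1 before treating a row as an exposure.
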

| Product | Updated Version |
| --- | --- |
| HP Device Manager 5.0 | HP Device Manager 5.0.4 |
| HP Device Manager 4.7 | To be released: HP Device Manager 4.7 Service Pack 13 |

Qualys Detection

Qualys customers can scan their network with QIDs 373524 and 373525 to detect vulnerable assets. Kindly continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
