HP has issued an alert warning of vulnerabilities in its HP Device Manager software which could allow an attacker to gain complete control over the server. With a CVSS score of 9.9 this vulnerability deserves prompt attention from Sys Admins responsible for HP servers.
The HP alert describes three different vulnerabilities that together mean the software is: “Susceptibility to dictionary attacks, unauthorized remote access to resources, and elevation of privilege.” The root problem is a user account with a blank password left in the default supplied PostgreSQL database by the developer – so any attacker which can connect to the PostgreSQL database over the network can login with elevated privileges and pivot to attack the server.
HP have not yet issued patches for these vulnerabilities but have provide mitigation steps that should be considered now:
- Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
- Remove the dm_postgres account from the Postgres database; or
- Update the dm_postgres account password within HP Device Manager Configuration Manager; or
- Within Windows Firewall configuration create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.
HP is not alone in having problems keeping server management subsystems secure. These maintenance and remote management tools are powerful and need to be carefully secured to ensure only authorised staff can access them through trusted routes.
Best practices for securing system management interfaces include:
- Isolate them on a separate management network, they are not designed nor intended to be placed on, nor connected directly to the Internet.
- Usually a dedicated Ethernet port is provided for hardware management interfaces – connect it directly to a separate management network segment which is isolated using firewalls and restricts access only to authorised users. For software based systems, bind them to a dedicate ethernet port if possible and connect it to a separate management network segment.
- Create new user accounts and disable the default vendor supplied user account (which is usually well known or easily discoverable)