HP MFP Digital Sending Software 4.91.0 Local Authentication Bypass

Severity: Low. Nessus Plugin ID: 52614

Synopsis

The remote Windows host contains an application that is affected by an authentication bypass vulnerability.

Description

The remote Windows host contains HP MFP Digital Sending Software version 4.91.0. This version is potentially affected by an authentication bypass vulnerability related to device configuration templates.

By exploiting this flaw, a local attacker can reportedly gain unauthorized access to functionality of an HP Multifunction Peripheral (MFP) that is controlled by the HP MFP Digital Sending Software.

Note: the provided solution is needed only if authentication is required and the previous device configuration template did not include authentication settings.

Solution

At the time of this writing, the vendor has not provided a patch, but has provided the following workaround:

- Require authentication for all device templates.

- For all devices previously configured via device templates, reconfigure the devices with these revised templates.

See Also

http://www.nessus.org/u?f019df14

https://seclists.org/bugtraq/2011/Mar/57

Plugin Details

Severity: Low

ID: 52614

File Name: hp_mfp_dss_4_91_0.nasl

Version: 1.9

Type: local

Agent: windows

Family: Windows

Published: 3/10/2011

Updated: 11/15/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:hp:multifunction_peripheral_digital_sending_software

Required KB Items: SMB/HP_MFP_DSS/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 3/2/2011

Vulnerability Publication Date: 3/2/2011

Reference Information

CVE: CVE-2011-0279

BID: 46679

Secunia: 43618