HP System Management Homepage < 7.2.1.0 Multiple Vulnerabilities (BEAST)

Nessus Plugin ID 69020 (Severity: High)

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

According to its Server banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.2.1.0. It is, therefore, affected by the following vulnerabilities. Note that this is a banner-based check: it infers exposure from the reported version and does not confirm that any individual issue below is exploitable on the host.
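The banner test described above can be re-run by hand when triaging a scanner result. The script below is an added example, not code from the Nessus plugin or from HP: it extracts the SMH version from a Server header line, compares it numerically against 7.2.1.0 and prints a verdict. The banner format in the constructed samples is an assumption for the example; confirm the real one with curl against the SMH port (2381 for HTTPS, 2301 for plain HTTP).

```shell
#!/bin/sh
# Added example: manual re-check of the banner-based version test this plugin
# performs. Not code from the Nessus plugin or from HP. The Server header
# format used below is an assumption; capture the real banner with:
#   curl -skI "https://<host>:2381/" | grep -i '^Server:'

FIXED_VERSION=7.2.1.0

# Extract the SMH version from a Server header line; prints nothing for a
# banner that does not identify SMH.
smh_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's#.*HP System Management Homepage/\([0-9][0-9.]*\).*#\1#p'
}

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower
# than B. Components are compared numerically, so 7.10 > 7.2, and missing
# trailing components count as 0, so 7.2 < 7.2.1.0 and 7.2.1 equals 7.2.1.0.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        bh=${b%%.*}
        if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 1; fi
    done
    return 1
}

# Print a verdict for one Server header line:
# "affected <ver>", "patched <ver>" or "not-smh".
smh_affected() {
    ver=$(smh_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "not-smh"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "affected $ver"
    else
        echo "patched $ver"
    fi
}

# Constructed sample banners (not captured from real hosts).
BANNER_OLD='Server: CompaqHTTPServer/9.9 HP System Management Homepage/7.1.2.2'
BANNER_NEW='Server: CompaqHTTPServer/9.9 HP System Management Homepage/7.2.1.0'
BANNER_OTHER='Server: Apache/2.4.7 (Ubuntu)'

for line in "$BANNER_OLD" "$BANNER_NEW" "$BANNER_OTHER"; do
    printf '%-70s -> %s\n' "$line" "$(smh_affected "$line")"
done
```

Because the check reads only the banner, a host whose banner has been suppressed or customised is not detected, and a host that reports an old version is flagged even if individual fixes were backported; the installed SMH package version on the host is the authoritative source when the two disagree.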

- An information disclosure vulnerability, known as BEAST, exists in the SSL 3.0 and TLS 1.0 protocols due to a flaw in the way the initialization vector (IV) is selected when operating in cipher-block chaining (CBC) mode. A man-in-the-middle attacker can exploit this to obtain plaintext HTTP header data by using a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. Browsers mitigate this on the client side with 1/n-1 record splitting (see the Chromium link below); on the server, the complete mitigation is to stop offering SSL 3.0 and TLS 1.0 CBC cipher suites. (CVE-2011-3389)

- The 'envvars' file read by the 'apachectl' utility can leave a zero-length directory name in LD_LIBRARY_PATH (a trailing or doubled ':'), which the dynamic linker resolves to the current working directory. A local attacker who can write to the directory from which a privileged user runs 'apachectl' could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)

- Numerous unspecified errors could allow remote denial of service attacks. (CVE-2012-2110, CVE-2012-2329, CVE-2012-2336, CVE-2013-2357, CVE-2013-2358, CVE-2013-2359, CVE-2013-2360)

- The fix for CVE-2012-1823 does not completely correct the CGI query parameter vulnerability: disclosure of PHP source code and code execution are still possible. Note that this is exploitable only when PHP runs in a CGI-based configuration; Apache with 'mod_php' is not an exploitable configuration. (CVE-2012-2311, CVE-2012-2335)

- Unspecified errors exist that could allow unauthorized access. (CVE-2012-5217, CVE-2013-2355)

- Unspecified errors exist that could allow disclosure of sensitive information. (CVE-2013-2356, CVE-2013-2363)

- An unspecified error exists that could allow cross-site scripting attacks. (CVE-2013-2361)

- Unspecified errors exist that could allow a local attacker to cause denial of service conditions. (CVE-2013-2362, CVE-2013-2364)

- An as-yet unspecified vulnerability exists that could cause a denial of service condition. (CVE-2013-4821)
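Of the findings above, the 'apachectl' / 'envvars' issue (CVE-2012-0883) is the one an administrator can confirm directly on the filesystem. The script below is an added example, not code from the Nessus plugin, HP or the Apache project: it shows the vulnerable and the hardened way of building LD_LIBRARY_PATH side by side, and audits an envvars file by sourcing it with LD_LIBRARY_PATH unset and looking for an empty path element. The two envvars files it writes are constructed for the example; the path of the envvars file shipped with SMH's bundled Apache is not given on this page, so none is assumed.

```shell
#!/bin/sh
# Added example, not code from the Nessus plugin, HP or the Apache project:
# reproduces the LD_LIBRARY_PATH condition behind CVE-2012-0883 and checks an
# 'envvars' file for it. The sample envvars files written below are
# constructed for the example.

# Vulnerable construction: with LD_LIBRARY_PATH unset in the caller's
# environment the result is "/path/lib:", and the dynamic linker treats the
# empty element after the ':' as the current working directory.
build_ld_path_vulnerable() {
    printf '%s:%s' "$1" "$2"
}

# Hardened construction: add the separator only when there is something to
# append, so no empty element can appear.
build_ld_path_fixed() {
    if [ -n "$2" ]; then
        printf '%s:%s' "$1" "$2"
    else
        printf '%s' "$1"
    fi
}

# Succeed (exit 0) when a colon-separated search path contains an empty
# element: a leading ':', a trailing ':' or '::' in the middle. An empty or
# unset value has no elements at all and is not flagged.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Source an envvars file in a subshell with LD_LIBRARY_PATH unset (the usual
# state of a root shell that runs apachectl) and inspect the value it leaves
# behind. Sourcing executes the file, so only run this on a file you trust.
audit_envvars() {
    result=$(unset LD_LIBRARY_PATH; . "$1"; printf '%s' "${LD_LIBRARY_PATH:-}")
    if has_empty_element "$result"; then
        printf 'VULNERABLE %s: LD_LIBRARY_PATH="%s"\n' "$1" "$result"
        return 1
    fi
    printf 'ok %s: LD_LIBRARY_PATH="%s"\n' "$1" "$result"
    return 0
}

# Constructed sample envvars files: the first uses the unconditional
# "libdir:$LD_LIBRARY_PATH" pattern, the second appends only when non-empty.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
VULN_FILE=$tmpdir/envvars-vulnerable
FIXED_FILE=$tmpdir/envvars-fixed
cat > "$VULN_FILE" <<'EOF'
LD_LIBRARY_PATH="/usr/local/apache2/lib:$LD_LIBRARY_PATH"
export LD_LIBRARY_PATH
EOF
cat > "$FIXED_FILE" <<'EOF'
if test "x$LD_LIBRARY_PATH" != "x" ; then
  LD_LIBRARY_PATH="/usr/local/apache2/lib:$LD_LIBRARY_PATH"
else
  LD_LIBRARY_PATH="/usr/local/apache2/lib"
fi
export LD_LIBRARY_PATH
EOF

audit_envvars "$VULN_FILE" || true
audit_envvars "$FIXED_FILE" || true
```

The audit deliberately unsets LD_LIBRARY_PATH before sourcing: an envvars file that looks safe from a shell where the variable already has a value is exactly the case that turns unsafe in a clean root login.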

Solution

Upgrade to HP System Management Homepage 7.2.1.0 or later.

See Also

https://www.imperialviolet.org/2011/09/23/chromeandbeast.html

https://www.openssl.org/~bodo/tls-cbc.txt

https://www.zerodayinitiative.com/advisories/ZDI-13-204/

http://www.nessus.org/u?2031110c

https://www.securityfocus.com/archive/1/528723/30/0/threaded

Plugin Details

Severity: High

ID: 69020

File Name: hpsmh_7_2_1_0.nasl

Version: 1.17

Type: remote

Family: Web Servers

Published: 7/23/2013

Updated: 12/5/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2012-2335

Vulnerability Information

CPE: cpe:/a:hp:system_management_homepage

Required KB Items: www/hp_smh

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/21/2013

Vulnerability Publication Date: 8/31/2011

Exploitable With

Core Impact

Metasploit (PHP apache_request_headers Function Buffer Overflow)

Reference Information

CVE: CVE-2011-3389, CVE-2012-0883, CVE-2012-2110, CVE-2012-2311, CVE-2012-2329, CVE-2012-2335, CVE-2012-2336, CVE-2012-5217, CVE-2013-2355, CVE-2013-2356, CVE-2013-2357, CVE-2013-2358, CVE-2013-2359, CVE-2013-2360, CVE-2013-2361, CVE-2013-2362, CVE-2013-2363, CVE-2013-2364, CVE-2013-4821

BID: 53158, 49778, 53388, 53455, 53046, 61332, 61333, 61335, 61336, 61337, 61338, 61339, 61340, 61341, 61342, 61343, 62622

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

CERT: 895524

HP: HPSBMU02900, SSRT100696, SSRT100740, SSRT100835, SSRT100907, SSRT100992, SSRT101007, SSRT101076, SSRT101137, SSRT101150, SSRT101151, SSRT101209, SSRT101210, SSRT101254, emr_na-c03839862