HPE MSA Storage Session Reuse (HPESBST03940)

critical Nessus Plugin ID 179601

Synopsis

The remote storage device is affected by a session reuse vulnerability.

Description

The version of HPE MSA Storage installed on the remote host is prior to GL225P002-02, VE270P002-02, or VL270P002-02. It is, therefore, affected by a vulnerability as referenced in the HPESBST03940 advisory.

- A remote session reuse vulnerability leading to access restriction bypass was discovered in HPE MSA 2040 SAN Storage; HPE MSA 1040 SAN Storage; HPE MSA 1050 SAN Storage; HPE MSA 2042 SAN Storage; HPE MSA 2050 SAN Storage; HPE MSA 2052 SAN Storage version(s): GL225P001 and earlier; GL225P001 and earlier; VE270R001-01 and earlier; GL225P001 and earlier; VL270R001-01 and earlier; VL270R001-01 and earlier. (CVE-2019-12002, CVE-2019-12001)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update to HPE MSA 1040 firmware version GL225P002-02, HPE MSA 2040 firmware version GL225P002-02, HPE MSA 2042 firmware version GL225P002-02, HPE MSA 1050 firmware version VE270P002-02, HPE MSA 2050 firmware version VL270P002-02, HPE MSA 2052 firmware version VL270P002-02 or later.

See Also

http://www.nessus.org/u?65ff3d83

Plugin Details

Severity: Critical

ID: 179601

File Name: hpe_msa_storage_HPESBST03940.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 8/9/2023

Updated: 8/10/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-12002

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/h:hpe:msa_2052, cpe:/o:hpe:msa_1050_firmware, cpe:/h:hpe:msa_2042, cpe:/o:hpe:msa_2050_firmware, cpe:/h:hpe:msa_1050, cpe:/o:hpe:msa_2042_firmware, x-cpe:/o:hpe:msa, cpe:/h:hpe:msa_1040, cpe:/h:hpe:msa_2050, x-cpe:/h:hpe:msa, cpe:/h:hpe:msa_2040, cpe:/o:hpe:msa_1040_firmware, cpe:/o:hpe:msa_2040_firmware, cpe:/o:hpe:msa_2052_firmware

Required KB Items: installed_sw/HPE MSA Storage

Exploit Ease: No known exploits are available

Patch Publication Date: 4/1/2020

Vulnerability Publication Date: 4/1/2020

Reference Information

CVE: CVE-2019-12001, CVE-2019-12002