HP System Management Homepage < AddCertsToTrustCfgList DoS

Low Nessus Plugin ID 91260


An application running on the remote web server is affected by a denial of service vulnerability.


The version of HP System Management Homepage (SMH) hosted on the remote web server is prior to It is, therefore, affected by a flaw in the AddCertsToTrustCfgList() function within file mod_smh_config.so due to improper extraction of the common name in the subject when processing X.509 certificates. An unauthenticated, remote attacker can exploit this issue, via a crafted certificate, to cause a denial of service condition. Note that to exploit this vulnerability, the 'Trust Mode' setting must be configured with 'Trust All', the 'IP Restricted login' setting must allow the attacker to access SMH, and the 'Kerberos Authorization' (Windows only) setting must be disabled.


Upgrade to HP System Management Homepage (SMH) version or later.

Plugin Details

Severity: Low

ID: 91260

File Name: hpsmh_7_5_4_3.nasl

Version: $Revision: 1.2 $

Type: remote

Family: Web Servers

Published: 2016/05/19

Modified: 2016/05/20

Dependencies: 11936, 10746

Risk Information

Risk Factor: Low


Base Score: 2.6

Temporal Score: 2.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:hp:system_management_homepage

Required KB Items: www/hp_smh, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/04/01

Vulnerability Publication Date: 2016/05/05

Reference Information

OSVDB: 138445

TRA: TRA-2016-14