HP System Management Homepage < 184.108.40.206 AddCertsToTrustCfgList DoS
Low Nessus Plugin ID 91260
Synopsis
An application running on the remote web server is affected by a denial of service vulnerability.
Description
The version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 220.127.116.11. It is, therefore, affected by a flaw in the AddCertsToTrustCfgList() function within file mod_smh_config.so due to improper extraction of the common name in the subject when processing X.509 certificates. An unauthenticated, remote attacker can exploit this issue, via a crafted certificate, to cause a denial of service condition. Note that to exploit this vulnerability, the 'Trust Mode' setting must be configured with 'Trust All', the 'IP Restricted login' setting must allow the attacker to access SMH, and the 'Kerberos Authorization' (Windows only) setting must be disabled.
Solution
Upgrade to HP System Management Homepage (SMH) version 18.104.22.168 or later.