HPE Fixes Critical Zero-Day in Server Management Software
#1
Information 
Quote:Hewlett Packard Enterprise (HPE) has fixed a critical zero-day remote code execution (RCE) flaw in its HPE Systems Insight Manager (SIM) software for Windows that it originally disclosed in December.
 
HPE SIM is a tool that enables remote support automation and management for a variety of HPE servers, including the HPE ProLiant Gen10 and HPE ProLiant Gen9, as well as for storage and networking products.
 
The company updated its initial security advisory on Thursday. More than a month ago, on April 20, HPE had issued an earlier SIM hotfix update kit that resolves the vulnerability.
 
This is an extremely high-risk flaw that can enable attackers with no privileges to remotely execute code: Tracked as CVE-2020-7200, it’s rated 9.8 out of a maximum 10. It’s found in the latest versions (7.6.x) of HPE’s SIM software and only affects the Windows version.
 
This bug allows low-complexity attacks that don’t require user interaction. As Packet Storm has explained, it allows attackers to execute code within the context of HPE SIM’s hpsimsvc.exe process, which runs with administrative privileges.
 
The problem stems from a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page. “This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain remote code execution as the administrative user running HPE SIM,” according to Packet Storm. The lack of proper validation of user-supplied data can lead to the deserialization of untrusted data, enabling attackers to execute code on servers running vulnerable SIM software.

Read more: HPE Fixes Critical Zero-Day in SIM | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
uBOLite_2024.12.23.23
uBOLite_2024.12.23...harlan4096 — 10:29
You found a seed phrase from someone els...
Scammers have inve...harlan4096 — 09:58
Google files remedies proposal in DOJ's ...
The U.S. Departmen...harlan4096 — 09:48
PowerToys 0.87.1
PowerToys 0.87.1 ...harlan4096 — 09:46
GFYI [Official] EaseUS Christmas 2024 B...
Merry Christmas and ...zevish — 08:07

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>