SecurityWeek

Command Injection Flaw Found in HP SiteScope

A vulnerability in HP SiteScope can be exploited by an attacker to execute arbitrary operating system commands, security firm Rapid7 has warned.

HP SiteScope is agentless software designed for monitoring the performance and availability of distributed IT infrastructures, including servers, network services and devices, applications, and operating systems.

An advisory published on Friday by Rapid7 reveals that the SiteScope administration panel could in many cases be accessed simply by going to <server>:8080/SiteScope/servlet/Main. While the control panel can be protected with a password, users are not required to set a password after installing the product, which means default deployments could be exposed to hacker attacks.

Once an attacker gains access to the administration panel, they can execute operating system commands via unsanitized user input fields in the SiteScope DNS Tool. The DNS Tool allows users to specify a DNS server and a host name to resolve, but since the fields are not sanitized, an attacker can append any operating system command to the information that would normally be entered. Rapid7 has demonstrated how an attacker can exploit the vulnerability to create a new user and add it to the local administrators group.
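The class of flaw described above, seen from the fixing side, as an added example that is not code from HP, Rapid7 or SiteScope itself: a DNS lookup helper that validates both fields and passes them to the resolver tool as separate arguments instead of building a shell command string. The function names and the use of `nslookup` are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 label: letters, digits and inner hyphens, 1-63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(name):
    """Accept only RFC 1123 host names. Spaces, &, |, ;, quotes, newlines
    and a leading '-' (which the tool could read as an option) all fail."""
    if not name or len(name) > 253:
        return False
    if name.endswith("."):          # allow one trailing dot (fully qualified)
        name = name[:-1]
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def is_valid_dns_server(value):
    """The DNS server field may hold an IPv4/IPv6 literal or a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return is_valid_hostname(value)


def build_lookup_argv(dns_server, host):
    """Return an argument vector for the lookup, or raise ValueError.
    Each field becomes exactly one argument; no shell ever parses it."""
    if not is_valid_hostname(host):
        raise ValueError("rejected host name: %r" % host)
    if not is_valid_dns_server(dns_server):
        raise ValueError("rejected DNS server: %r" % dns_server)
    return ["nslookup", host, dns_server]


def run_lookup(dns_server, host, timeout=5.0):
    """Run the lookup without a shell (shell=False is the default)."""
    argv = build_lookup_argv(dns_server, host)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout
```

Validation and the argument-vector call are independent layers: either one alone stops text appended to a field from being interpreted as a command, and the leading-hyphen check additionally stops a field from being read as a tool option.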

Executing commands in this manner is only possible on HP SiteScope installations running on Windows because on this operating system the product requires local system access in order to work properly.

If the admin panel is protected by a password, only an authenticated attacker could conduct such an attack. However, experts have pointed out that even so this is still an “unexpected level of operating system access.”

The vulnerability, identified by Kirk Hayes of Rapid7 and Charles Riggs of Knowledge Consulting Group on June 1, was initially reported via HP’s Zero Day Initiative (ZDI) program. After the issue was rejected by ZDI, the details of the vulnerability were reported directly to HP on July 1, according to Rapid7’s advisory.

While there doesn’t appear to be a patch for the flaw, SiteScope users can take steps to mitigate the risk. Customers are advised to limit access to SiteScope web services to trusted users with local system access on the machine running the product. Strong passwords should also be set for all SiteScope users.

When running on Windows systems, the product requires local system access, which makes the use of account permissions for the app and individual users inefficient. That is why both HP and Rapid7 advise users to host SiteScope on Linux and configure it to run as a non-root user.

“As of today, we have no further security bulletin or advisory for this issue. When working with the researcher, our product documentation seemed to cover the concern as provided, and we explained that to the original person who reported this well,” HP told SecurityWeek. “Also, please note that Rapid 7 is citing the wrong SSRT number (SSRT102139 is the correct one).”

Rapid7 has disclosed the details of the vulnerability because more than 60 days have passed since the issue was reported to the vendor. A Metasploit module has also been published.

*Updated with statement from HP

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
