Hewlett Packard Enterprise (HPE) has informed customers of security bypass, information disclosure, remote code execution, cross-site scripting (XSS) and URL redirection vulnerabilities in several of its products. Advisories for each of the affected products were published this week on the Full Disclosure mailing list.
According to the company, the Samba component of HPE NonStop Server is affected by access restriction bypass (CVE-2017-2619) and remote code execution flaws (CVE-2017-7494). The latter is also known as EternalRed and SambaCry, and it has already been exploited in the wild to deliver malware. The vulnerability affects the products of several major software vendors.
HPE has not released patches for the Samba bugs, but it has provided some workarounds that can be used to prevent potential attacks. The security holes affect Samba on NonStop T1201L01 through T1201L01^AAL, and T1201H01 through T1201H01^AAM. Fixes will be included in the upcoming T1201L01^AAO and T1201H01^AAN versions.
The company also informed customers that it has rolled out patches for security bypass, XSS and URL redirection vulnerabilities affecting the HPE Network Node Manager i (NNMi) software.
The flaws, collectively tracked as CVE-2017-8948 with a severity rating of “critical,” can be exploited remotely. The security holes affect versions 10.0x, 10.1x and 10.2x, and patches have been made available for each of them.
The HPE SiteScope application monitoring software is affected by four vulnerabilities, including remote code execution and security restrictions bypass flaws rated “high severity.” The other two weaknesses affecting SiteScope are encryption-related issues that can lead to the disclosure of sensitive information.
The security holes affect versions 11.2x and 11.3x, and they have been addressed with the release of security updates and mitigations.
The SiteScope vulnerabilities were disclosed last month by CERT/CC and researcher Richard Kelley after the discovery of hundreds of potentially vulnerable installations on the Internet. At the time, HPE promised to release patches for the more serious flaws in the third quarter and pointed out that the encryption bugs are covered in the product’s deployment guide.
An updated advisory – initially released in mid-May – has also been published by HPE on the Full Disclosure mailing list this week. The advisory informs users of five critical and high severity remote code execution vulnerabilities affecting the HPE Intelligent Management Center (iMC) network management platform.
Related Reading: Vulnerabilities Patched in Aruba Access Policy Platform
Related Reading: Aruba Patches Vulnerabilities in AirWave Product