Several potentially serious vulnerabilities have been found in HPE SiteScope, and while patches are not available, users can apply workarounds to prevent attacks.
HPE SiteScope is an agentless performance and availability monitoring software for distributed IT infrastructures, including servers, network services, applications, and operating systems.
While conducting a security assessment, expert Richard Kelley identified several vulnerabilities in version 11.31.461 of the product.
Kelley noticed that a critical remote code execution vulnerability disclosed in 2012 and for which a Metasploit module is available still hasn’t been patched by HPE. The vendor noted that users can prevent attacks by setting a specific flag in the “groups/master.config” file to disable old APIs.
A Shodan search conducted by Kelley showed that there are at least 230 SiteScope servers accessible on the Internet.
“I wonder how many admins know about this setting, and why wouldn’t HPE just remove the old APIs from new versions if they are no longer needed?” the researcher said in a blog post.
The expert also discovered that credentials stored in configuration files are encrypted, but the encryption key is hardcoded, allowing an attacker to obtain the password needed to log in to the SiteScope interface with administrator privileges.
Once the attacker has access to the administration interface, they can obtain credentials for Linux and Windows servers monitored via SiteScope. While the admin interface only displays passwords as dots, the actual password is transmitted in clear text over an unsecure connection to the client, allowing a man-in-the-middle (MitM) attacker to easily obtain the information.
Kelley also discovered the existence of a proprietary encryption scheme that uses a hardcoded private key. He determined that this function had still been used to encrypt some configuration data.
HPE said it plans on addressing the insecure transmission of credentials sometime in the third quarter. As for the encryption-related issues, the company pointed out that the problems are covered in chapter 20 of the SiteScope deployment guide.
While HPE has asked the researcher to delay disclosure until the third quarter, Kelley and CERT/CC have decided to make the flaws public to “encourage HPE to provide defender mitigations as soon as possible.”
CERT/CC has published an advisory containing mitigation advice for the unpatched vulnerability.
It’s not uncommon for HPE to provide workarounds for SiteScope vulnerabilities instead of releasing patches. In October 2015, Rapid7 disclosed the details of a command injection flaw that had also been addressed in the product documentation.
Related: HP Patches Critical Vulnerabilities in Data Protector
Related: HP Removes Keylogger Functionality From Audio Drivers