Australia's Leading Computer Emergency Response Team
 
ESB-2012.0063 - [Appliance] HP StorageWorks Modular Smart Array: Administrator compromise - Remote/unauthenticated

Date: 16 January 2012
References: ESB-2012.0059  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0063
           HP StorageWorks Modular Smart Array P2000 G3, Remote
                        Execution of Arbitrary Code
                              16 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HP StorageWorks Modular Smart Array
Publisher:         Hewlett-Packard
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4788  

Reference:         ESB-2012.0059

Original Bulletin: 
   http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03153338&ac.admitted=1326674294703.876444892.492883150

Comment: Although HP has classified this bug as allowing 'remote code 
         execution' it actually allows a remote attacker to log into 
         the system as administrator, which would allow execution of 
         arbitrary code.
         
         From a previous bulletin by ZDI:
         "The specific flaws exist within the web interface listening 
         on TCP port 80. There exists a directory traversal flaw that 
         can allow a remote attacker to view any file on the system by 
         simply specifying it in the default URI. Additionally, the 
         password file contains a default login that can be used to 
         authenticate to the device. This can be leveraged by a remote 
         attacker to perform any tasks an administrator is able to."

--------------------------BEGIN INCLUDED TEXT--------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03153338

Version: 1

HPSBST02735 SSRT100516 rev.1 - HP StorageWorks Modular Smart Array P2000 G3, 
Remote Execution of Arbitrary Code 

NOTICE: The information in this Security 
Bulletin should be acted upon as soon as possible.

Release Date: 2012-01-13 Last Updated: 2012-01-13

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team 

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP StorageWorks 
Modular Smart Array P2000 G3. This vulnerability could be exploited to allow 
remote execution of arbitrary code.

References: CVE-2011-4788, ZDI-12-015

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP StorageWorks Modular Smart Array P2000 G3 - all release firmware revisions
before TS230P008.

Hardware or Software Platforms Affected

BV913A HP P2000 G3 FC MSA DC w/12 300GB 6G SAS 10K SFF HDD 3.6TB Bundle
BV914A HP P2000 G3 FC MSA DC w/12 600GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV901A HP P2000 G3 FC MSA DC w/24 146GB 6G SAS 15K SFF HDD 3.5TB Bundle
BV902A HP P2000 G3 FC MSA DC w/24 300GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV903A HP P2000 G3 FC MSA DC w/24 600GB 6G SAS 10K SFF HDD 14.4TB Bundle
BV915A HP P2000 G3 FC/iSCSI MSA DC w/12 300GB 6G SAS 10K SFF HDD 3.6TB
BV916A HP P2000 G3 FC/iSCSI MSA DC w/12 600GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV904A HP P2000 G3 FC/iSCSI MSA DC w/24 146GB 6G SAS 15K SFF HDD 3.5TB Bundle
BV905A HP P2000 G3 FC/iSCSI MSA DC w/24 300GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV906A HP P2000 G3 FC/iSCSI MSA DC w/24 600GB 6G SAS 10K SFF HDD 14.4TB Bundle
BV917A HP P2000 G3 SAS MSA DC w/12 300GB 6G SAS 10K SFF HDD 3.6TB Bundle
BV918A HP P2000 G3 SAS MSA DC w/12 600GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV907A HP P2000 G3 SAS MSA DC w/24 146GB 6G SAS 15K SFF HDD 3.5TB Bundle
BV908A HP P2000 G3 SAS MSA DC w/24 300GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV909A HP P2000 G3 SAS MSA DC w/24 600GB 6G SAS 10K SFF HDD 14.4TB Bundle
BV919A HP P2000 G3 iSCSI MSA DC w/12 300GB 6G SAS 10K SFF HDD 3.6TB Bundle
BV920A HP P2000 G3 iSCSI MSA DC w/12 600GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV910A HP P2000 G3 iSCSI MSA DC w/24 146GB 6G SAS 15K SFF HDD 3.5TB Bundle
BV911A HP P2000 G3 iSCSI MSA DC w/24 300GB 6G SAS 10K SFF HDD 7.2TB Bundle
BV912A HP P2000 G3 iSCSI MSA DC w/24 600GB 6G SAS 10K SFF HDD 14.4TB Bundle
AW596A HP StorageWorks P2000 G3 10GbE iSCSI MSA Dual Controller LFF Array System
AW597A HP StorageWorks P2000 G3 10GbE iSCSI MSA Dual Controller SFF Array System
AP847A HP StorageWorks P2000 G3 FC MSA Dual Controller Small Business SAN Starter Kit
AP848A HP StorageWorks P2000 G3 FC MSA Dual Controller Virtualization SAN Starter Kit
BK816A HP StorageWorks P2000 G3 FC/iSCSI w/24 300GB 6G SAS 10K SFF DP 7.2K 7.2TB Bundle
BK746SB HP StorageWorks P2000 G3 MSA FC Dual Controller LFF Array Starter Kit/S-Buy
AP845A HP StorageWorks P2000 G3 MSA FC Dual Controller LFF Modular Smart Array System
BK747SB HP StorageWorks P2000 G3 MSA FC Dual Controller SFF Array Starter Kit/S-Buy
AP846A HP StorageWorks P2000 G3 MSA FC Dual Controller SFF Modular Smart Array System
AW567A HP StorageWorks P2000 G3 MSA FC/iSCSI Dual Combo Controller LFF Array
AW568A HP StorageWorks P2000 G3 MSA FC/iSCSI Dual Combo Controller SFF Array
BK748SB HP StorageWorks P2000 G3 MSA FC/iSCSI Dual Combo LFF Array Starter Kit/S-Buy
BK749SB HP StorageWorks P2000 G3 MSA FC/iSCSI Dual Combo SFF Array Starter Kit/S-Buy
AW593A HP StorageWorks P2000 G3 SAS MSA Dual Controller LFF Array System
AW594A HP StorageWorks P2000 G3 SAS MSA Dual Controller SFF Array System
BV842A HP StorageWorks P2000 G3 SAS w/24 300GB 6G SAS 10K SFF DP 10K 7.2TB Bundle
BK830A HP StorageWorks P2000 G3 iSCSI MSA Dual Controller LFF Array System
BK831A HP StorageWorks P2000 G3 iSCSI MSA Dual Controller SFF Array System 

Reference        Base Vector                     Base Score
CVE-2011-4788    (AV:N/AC:L/Au:N/C:C/I:P/A:P)    9.0

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 

RESOLUTION

The vulnerability can be resolved by the following procedure:

    1. Disable the array's HTTP and HTTPS network management services. (Note:
       This will also disable all management access from a Web browser. Array
       management access may be maintained via Command Line Interface [CLI].)
       Use the instructions outlined in the Workaround section below to
       disable the HTTP and HTTPS network management services.

    2. Install TS230P008 firmware as soon as possible. If the HTTP and HTTPS
       network management services have been previously disabled, the services
       may be re-enabled as the issue is fully resolved in TS230P008 firmware.

TS230P008 firmware installation and workaround instructions:

    1. Go to http://www.hp.com/support/storage

    2. Under Disk Storage Systems, click P2000/MSA Disk Arrays.

    3. Click HP P2000 G3 MSA Array Systems, then click Download drivers and
       software.

    4. Select your product and operating system. Click Firmware - Storage
       Controller. In the Description column of the table, click the title of
       the firmware:

         - To download the firmware, click Download.

         - To read the release notes, click the Release Notes tab.

       Note: If you have trouble finding your product, drivers, or software,
       use the Product Search function from
       http://www.hp.com/support/downloads and enter your product number.

    5. Before running the TS230P008 Smart Component, verify that both the
       telnet and FTP options are enabled on the array to allow the Smart
       Component to run successfully.

Workaround

Disable the HTTP/HTTPS service protocols:

Note:

Disabling the HTTP/HTTPS services will disable the Storage Management Utility
(SMU), including Web access to manage the system. All management must be 
performed by CLI telnet. If the system can not be accessed through CLI telnet,
upgrade the system to TS230P008 to resolve this issue.

Any scripts requiring HTTP or HTTPS access will no longer function with HTTP 
or HTTPS disabled.

To disable the HTTP/HTTPS service protocols, enter the following command at 
the CLI prompt:

# set protocols http disabled https disabled
Success: Command completed successfully.

The HTTP and HTTPS services must be re-enabled to resume SMU access.

To re-enable the HTTP or HTTPS protocols, enter the following command at the 
CLI prompt:

# set protocols http enabled https enabled
Success: Command completed successfully.
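
The following Python check is an added example, not code from HP or AusCERT. It classifies an array as fixed, mitigated or still exposed from its firmware revision and from whether the web management ports accept TCP connections. Assumptions: revisions order by their two numeric fields (TS230P008 gives 230 and 8), HTTPS listens on the default port 443, and the inventory addresses and revisions are constructed sample values.

```python
import re
import socket

FIXED = "TS230P008"  # first fixed firmware revision named in the bulletin
# Assumed revision layout: "TS" + 3-digit release + one letter + 3-digit build.
REV_RE = re.compile(r"^TS(\d{3})[A-Z](\d{3})$")

def rev_key(rev):
    """Return (release, build) for a revision string, or None if unparseable."""
    m = REV_RE.match(rev.strip().upper())
    return (int(m.group(1)), int(m.group(2))) if m else None

def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(firmware, web_ports_open):
    """Classify one array from its firmware revision and reachable web ports."""
    key = rev_key(firmware)
    if key is None:
        return "REVIEW: unrecognised firmware revision"
    if key >= rev_key(FIXED):
        return "FIXED"
    if web_ports_open:
        ports = ",".join(str(p) for p in web_ports_open)
        return "EXPOSED: web management reachable on " + ports
    return "MITIGATED: upgrade to " + FIXED + " still required"

def check_array(host, firmware, ports=(80, 443)):
    """Probe the HTTP/HTTPS management ports, then classify the array."""
    open_ports = [p for p in ports if port_open(host, p)]
    return triage(firmware, open_ports)

if __name__ == "__main__":
    # Constructed inventory: documentation-range addresses, sample revisions.
    inventory = [("192.0.2.10", "TS230P006"), ("192.0.2.11", "TS230P008")]
    for host, fw in inventory:
        print(host, fw, check_array(host, fw))
```

Run it from a management host that is allowed to reach the arrays; the firmware revision for each array comes from your own inventory, since the script does not query the device for it.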

HISTORY

Version:1 (rev.1) - 13 January 2012 Initial Release

Software Product Category: The Software Product Category is represented in the
title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX 

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current 
secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine
the applicability of this information to their individual situations and take
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties
of merchantability and fitness for a particular purpose, title and 
non-infringement."

Copyright 2012 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is" 
without warranty of any kind. To the extent permitted by law, neither HP or 
its affiliates, subcontractors or suppliers will be liable for 
incidental, special or consequential damages including downtime cost; lost 
profits; damages relating to the procurement of substitute products or 
services; or damages for loss of data, or software restoration. The 
information in this document is subject to change without notice. 
Hewlett-Packard Company and the names of Hewlett-Packard products referenced 
herein are trademarks of Hewlett-Packard Company in the United States and 
other countries. Other product and company names mentioned herein may be 
trademarks of their respective owners.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================