Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2020-6925, CVE-2020-6926, CVE-2020-6927: Multiple Vulnerabilities in HP Device Manager

Vulnerabilities in HP Device Manager could be chained to achieve unauthenticated remote command execution.

Background

On September 25, HP published a security bulletin to address multiple vulnerabilities in HP Device Manager, software that’s used to remotely manage HP Thin Clients. The vulnerabilities were disclosed to HP by security researcher Nick Bloor. As part of a Twitter thread, Bloor warned that a combination of these vulnerabilities would result in “unauthenticated remote command execution as SYSTEM.” On October 5, Bloor published a blog post detailing his findings.

There were three vulnerabilities in HP’s security bulletin and the table below lists the assigned CVE identifiers and CVSSv3 scores:

CVE Identifier CVSSv3
CVE-2020-6925 7.0
CVE-2020-6926 9.9
CVE-2020-6927 8.0

Analysis

CVE-2020-6925 is a weak cipher implementation vulnerability, which means dictionary attacks may be possible against locally managed accounts in the HP Device Manager. HP notes that this vulnerability is mitigated by the use of Active Directory authenticated accounts.

According to Bloor’s research, the HP Device Manager server’s Remote Method Invocation (RMI) service method, ServGetUsers(), will return a list of accounts and their associated hashed passwords (using MD5 hashing algorithm). Bloor states that these password hashes were “salted using a static hard-coded salt.”

Example of the weak cipher implementation using MD5 encryption and static salt Image Source: Nick Bloor’s blog post

MD5 hashes have been deemed unsuitable for years. Since 2009, the CERT Coordination Center has advised against the use of MD5, saying it “should be considered cryptographically broken and unsuitable for further use.”

CVE-2020-6926 is an RMI vulnerability that would allow a remote, unauthenticated attacker to gain access to resources in the HP Device Manager. This vulnerability received a CVSSv3 score of 9.9, the highest of the three vulnerabilities disclosed.

Bloor found that he could inject database queries into the RMI service. Specifically, he identified that the HP Device Manager uses Hibernate, one of several object-relational mapping frameworks. Hibernate offers its own query language, known as HQL. Bloor managed to smuggle Postgres injection payloads through HQL in order to overwrite the Postgres host-based authentication configuration file (pg_hba.conf) to enable remote authentication. By default, remote authentication is disabled.

CVE-2020-6927 is an elevation of privilege vulnerability in HP Device Manager. According to HP, this vulnerability is mitigated when the integrated Postgres service has not been installed and with the use of an external database, such as Microsoft SQL Server.

During his research, Bloor discovered in the HP Device Manager database (hpdmdb) the presence of a backdoor user account, dm_postgres, which has superuser privileges.

He was able to crack the password for the dm_postgres user account, which turned out to be a single space (“ “) character.

Chaining vulnerabilities to achieve remote command execution as SYSTEM

For full exploitation, an attacker would need to chain both CVE-2020-6926 and CVE-2020-6927 together.

Utilizing CVE-2020-6926, an attacker can enable remote authentication on the vulnerable HP Device Manager. With CVE-2020-6927, knowing that the dm_postgres user exists within the default installation of Postgres on HP Device Manager, an attacker could authenticate to the database using this account to elevate privileges and execute commands as SYSTEM. Bloor was able to showcase this in the example below by creating a table in the Postgres database to store command outputs that would be executed using a specially crafted query in the context of the Postgres database (SYSTEM). The output from the query results would be written back to the table which could then be retrieved with an additional query.

Example of chaining together two vulnerabilities to gain command execution as SYSTEM Image Source: Nick Bloor’s blog post

Proof of concept

At the time this blog post was published, no proof-of-concept (PoC) was available for any of these vulnerabilities. However, Bloor published a blog post containing details about his findings along with a list of steps required in order to exploit the flaw.

Solution

According to HP, two of the three vulnerabilities (CVE-2020-6925, CVE-2020-6926) affect all versions of HP Device Manager.

HP released a fix for the HP Device Manager 5.0.x branch release.

Affected Versions Fixed Versions
HP Device Manager 4.7 Service Pack 12 and below To be released in HP Device Manager 4.7 Service Pack 13
HP Device Manager 5.0.0 through 5.0.3 HP Device Manager 5.0.4

While a fix has not been made available for the HP Device Manager 4.7.x release branch, HP anticipates that the fix will arrive in HP Device Manager 4.7 Service Pack 13. We will update this blog once this version becomes available.

If upgrading is not yet feasible at this time, HP suggests applying the following partial mitigations:

  1. Restrict access to port 1099, 40002 to trusted hosts or localhost
  2. Change the password for the “dm_postgres” account through the Configuration Manager
  3. Limit access to port 40006 (Postgres) to localhost only through the Windows Firewall
  4. Alternatively, remove the “dm_postgres” account from the database altogether

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

The Security Response Team would like to thank Nick Bloor for sharing details with us regarding his findings so that we could develop additional plugins to better protect our customers.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training