HP released a security advisory detailing three critical and high severity vulnerabilities in the HP Device Manager that could lead to system takeover.
HP Device Manager is used by admins to remotely manage HP thin clients, devices that use resources from a central server for various tasks.
When chained together, the security flaws discovered by security researcher Nick Bloor could allow attackers to remotely gain SYSTEM privileges on devices running vulnerable versions of HP Device Manager, resulting in full system takeover.
The potential security impact for vulnerable devices also includes “dictionary attacks, unauthorized remote access to resources, and elevation of privilege” according to HP.
Chainable security flaws
The three HP Device Manager security vulnerabilities are tracked as CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927.
CVE-2020-6925 affects all versions of HP Device Manager and exposes locally managed HP Device Manager accounts to dictionary attacks because of a weak cipher implementation (it does not affect customers who use Active Directory authenticated accounts).
CVE-2020-6926 is a remote method invocation flaw in all versions of HP Device Manager which enables remote attackers to gain unauthorized access to resources.
CVE-2020-6927 is the weakness that may allow attackers to gain SYSTEM privileges via a backdoor database user in the PostgreSQL database (the password for this user is a single space).
This last bug does not affect HP “customers who are using an external database (Microsoft SQL Server) and have not installed the integrated Postgres service,” HP explains.
“Essentially remote access was enabled through unauthenticated access to the Java RMI service and an SQL injection vulnerability which allowed Postgres to be reconfigured and direct connections to be established with this backdoor user account,” Bloor told BleepingComputer.
“Combined with some other vulnerabilities this leads to unauthenticated remote command execution as SYSTEM,” Bloor explains.
The list of HP Device Manager vulnerabilities, their severity ratings, and CVEs can be found in the table embedded below.
| CVE ID | Potential Vulnerability | Impacted Version | CVSS 3.0 Base Score |
|---|---|---|---|
| CVE-2020-6925 | Weak Cipher | All versions of HP Device Manager | 7.0 |
| CVE-2020-6926 | Remote Method Invocation | All versions of HP Device Manager | 9.9 |
| CVE-2020-6927 | Elevation of Privilege | HP Device Manager 5.0.0 to 5.0.3 | 8.0 |
Mitigation measures available
Customers can download HP Device Manager 5.0.4 to secure their systems against potential attacks that could exploit the CVE-2020-6927 elevation of privilege weakness.
HP hasn’t yet published security updates to address the CVE-2020-6925 and CVE-2020-6926 security issues affecting the HP thin client management software.
However, the company provides customers with remediation steps that should at least partially mitigate the security risks.
The full list of mitigation measures IT admins can take against these vulnerabilities includes:
- Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
- Remove the dm_postgres account from the Postgres database; or
- Update the dm_postgres account password within HP Device Manager Configuration Manager; or
- Within Windows Firewall configuration create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.
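The two port-level mitigations above (restricting 1099/40002 to trusted hosts and confining PostgreSQL on 40006 to localhost) expressed as Windows Firewall rules. This is an added example, not a script from HP's advisory; the trusted administrator addresses are placeholders, and it assumes the default Windows Firewall behaviour in which loopback traffic is not filtered by inbound rules.

```powershell
# Added example (not HP's code): Windows Firewall rules implementing the
# port-level mitigations from the HP Device Manager advisory. Run as Administrator.
# Assumption: loopback traffic bypasses inbound firewall rules (Windows default),
# so blocking remote access to 40006 still leaves local connections working.
$TrustedAdmins = @('192.0.2.10', '192.0.2.11')   # placeholder addresses, replace with real admin hosts
$DmPorts       = @(1099, 40002)                   # Device Manager ports named in the advisory
$PgPort        = 40006                            # integrated PostgreSQL listening port
$WatchPorts    = ($DmPorts + $PgPort) | ForEach-Object { [string]$_ }

# 1. Deny inbound traffic unless a rule explicitly allows it (the Windows default,
#    restated here so the scoped rules below are the only way in).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable any existing inbound Allow rules that already open these ports,
#    e.g. broad rules created by an installer, so they cannot override the scoping.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
  Where-Object {
    $localPorts = @(($_ | Get-NetFirewallPortFilter).LocalPort)
    $localPorts | Where-Object { $_ -in $WatchPorts }
  } |
  Disable-NetFirewallRule

# 3. Allow the Device Manager ports only from the trusted administrator hosts.
New-NetFirewallRule -DisplayName 'HPDM: allow 1099/40002 from trusted admins' `
  -Direction Inbound -Protocol TCP -LocalPort $DmPorts `
  -RemoteAddress $TrustedAdmins -Action Allow -Profile Any

# 4. Block all remote access to PostgreSQL on 40006. Block rules win over Allow
#    rules in Windows Firewall, and loopback is exempt, so only localhost can connect.
New-NetFirewallRule -DisplayName 'HPDM: block remote PostgreSQL 40006' `
  -Direction Inbound -Protocol TCP -LocalPort $PgPort `
  -RemoteAddress Any -Action Block -Profile Any

# 5. Verify the resulting scope of each rule created above.
Get-NetFirewallRule -DisplayName 'HPDM:*' | ForEach-Object {
  $port = $_ | Get-NetFirewallPortFilter
  $addr = $_ | Get-NetFirewallAddressFilter
  '{0}: {1} TCP/{2} from {3}' -f $_.DisplayName, $_.Action,
    ($port.LocalPort -join ','), ($addr.RemoteAddress -join ',')
}
```

Step 2 disables rather than deletes matching rules so the change can be reviewed and reverted with Enable-NetFirewallRule; removing or re-passwording the dm_postgres account, the other mitigations HP lists, is done in HP Device Manager Configuration Manager, not in the firewall.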