search menu icon-carat-right cmu-wordmark

CERT Coordination Center

HP System Management Homepage vulnerable to a denial-of-service condition

Vulnerability Note VU#895524

Original Release Date: 2013-09-24 | Last Revised: 2013-09-24

Overview

HP System Management Homepage 7.2.0.14 and possibly earlier versions contain a denial-of-service vulnerability (CWE-121).

Description

CWE-121: Stack-based Buffer Overflow

HP System Management Homepage 7.2.0.14 contains a denial-of-service vulnerability. The remote attacker may send the listener service a malformed request using the iprange parameter in /proxy/DataValidation. One of the listener child processes will then crash with that request value, overwriting EIP and corrupting the stack, resulting in a denial-of-service condition.

Impact

A remote attacker may be able to cause a denial-of-service condition against the HP System Management Homepage software.

Solution

HP has made System Management Homepage (SMH) v7.2.1 available for Windows and Linux to resolve the vulnerabilities. In the event that updating is not possible, the following workaround is also available.

Limit Access
Anonymous access is required for this attack to take place. Disabling this feature via the administration page will render the attacker unable to send this request without having proper authentication credentials.

Vendor Information

895524
 
Affected   Unknown   Unaffected

Hewlett-Packard Company

Notified:  June 28, 2013 Updated:  September 20, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 5.6 AV:N/AC:H/Au:S/C:N/I:P/A:C
Temporal 4.4 E:POC/RL:OF/RC:C
Environmental 3.3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to the reporter that wishes to remain anonymous.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-4821
Date Public: 2013-09-18
Date First Published: 2013-09-24
Date Last Updated: 2013-09-24 13:08 UTC
Document Revision: 13

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.