Multiple vulnerabilities in HP Device Manager
Description
HP published an advisory for three vulnerabilities in its Device Manager software, which lets IT admins remotely manage HP thin clients. CVEs included in the advisory are CVE-2020-6925 (weak cipher), CVE-2020-6926 (remote method invocation), and CVE-2020-6927 (local privilege escalation). Some of these vulnerabilities can be chained together to allow an unauthenticated, remote attacker to gain local SYSTEM privileges on a vulnerable target.
HP advisory: https://support.hp.com/us-en/document/c06921908
Ratings
- Attacker Value: Very High
- Exploitability: Medium
Technical Analysis
Please see the Rapid7 analysis.
Technical Analysis
Description
On September 25, 2020, HP published details on three vulnerabilities in its Device Manager software, which lets IT administrators remotely deploy and manage HP thin clients. The three CVEs included in HP’s advisory are CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927. Of these, CVE-2020-6926 is the most severe, with a CVSSv3 base score of 9.9. As of October 2, 2020, CVEs 2020-6925 and 2020-6927 have CVSSv3 base scores of 7.0 and 8.0, respectively.
Both HP and the researcher who discovered the vulnerabilities have reinforced that “some of these vulnerabilities can be chained together” to allow an unauthenticated, remote attacker to gain SYSTEM privileges on a vulnerable target. Part of this disclosure is that a backdoor database user exists in the PostgreSQL database used by HP Device Manager. Organizations are strongly encouraged to immediately set a fresh, strong password for the dm_postgres PostgreSQL user to prevent remote attackers from leveraging the backdoor user.
Further information from HP’s advisory:
- These vulnerabilities may allow locally managed accounts within HP Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927).
- CVE-2020-6925 does not impact customers who are using Active Directory authenticated accounts.
- CVE-2020-6927 does not impact customers who are using an external database (Microsoft SQL Server) and have not installed the integrated Postgres service.
Affected products
HP has said that they are actively working on security updates for Device Manager and that they will update their advisory as those fixes become available.
CVE ID | Potential Vulnerability | Impacted Version
---|---|---
CVE-2020-6925 | Weak Cipher | All versions of HP Device Manager
CVE-2020-6926 | Remote Method Invocation | All versions of HP Device Manager
CVE-2020-6927 | Elevation of Privilege | HP Device Manager 5.0.0, 5.0.1, 5.0.2, 5.0.3
Rapid7 analysis
HP hasn’t clarified which CVEs are the “some” that can be chained to enable remote code execution, but Rapid7 researchers confirmed early in an ongoing exploitability investigation that there is unauthenticated remote method invocation via TCP ports 1099 and 40002, and that an attacker can use the PostgreSQL privilege escalation to obtain SYSTEM-level access.
Rapid7 researchers identified ports 1099 and 40002 as belonging to a Java RMI service, which essentially allows for the remote execution of Java code. Furthermore, the PostgreSQL privilege escalation was tested and confirmed to be capable of local code execution as the SYSTEM user. Going further, by forcing the SQL service to be remotely accessible, Rapid7 researchers were able to achieve remote code execution (RCE) through PostgreSQL. Based on static analysis of the application, Rapid7 researchers surmised that the RMI service could provide such remote access, making it the most likely path to RCE, as arbitrary Java deserialization proved largely fruitless.
We are not aware of any public proofs-of-concept (PoCs) or exploits as of October 2, 2020. That said, our initial investigation indicates that CVEs 2020-6926 and 2020-6927 are relatively simple to exploit remotely, and the researcher who discovered the vulnerabilities has said he intends to publish his PoC exploit. We consider these CVEs impending threats as a result of their high attacker value and predicted ease of exploitation. We’ll update this analysis with further technical details as we continue to verify vulnerability details and test attack scenarios.
On October 5, 2020, the researcher who discovered these vulnerabilities published a blog post detailing the RCE chain in full. No PoC exploit has been released at this time.
Guidance
Organizations running instances of HP Device Manager are strongly encouraged to apply HP’s suggested mitigations to these systems immediately, including:
- Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
- Remove the dm_postgres account from the Postgres database; or
- Update the dm_postgres account password within HP Device Manager Configuration Manager; or
- Within the Microsoft Windows Firewall configuration, create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.
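As an added example (not from HP’s advisory or Rapid7’s analysis), the following PowerShell, run on the Device Manager server itself, audits which of the three ports above are listening on a non-loopback address, then applies the network-side mitigations: RMI ports 1099/40002 reachable only from trusted management addresses, and PostgreSQL port 40006 blocked from remote hosts. The $TrustedAdmins list is an assumed placeholder.

```powershell
# Added example (not HP's or Rapid7's code): audit and restrict the HP Device Manager
# ports named in the guidance above. $TrustedAdmins is an assumed placeholder; replace it
# with the management hosts/subnets that legitimately administer Device Manager.
$RmiPorts      = @(1099, 40002)   # Java RMI listeners (unauthenticated remote method invocation)
$PostgresPort  = 40006            # integrated PostgreSQL listener (dm_postgres backdoor user)
$TrustedAdmins = @('192.0.2.10', '192.0.2.0/24')   # placeholder, RFC 5737 documentation range
$WatchPorts    = $RmiPorts + $PostgresPort

# 1. Audit: which of the three ports are listening on a non-loopback address?
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $WatchPorts -and $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Format-Table -AutoSize

# 2. Confirm the default inbound action is Block on every profile; the Allow rule below
#    only narrows access if unsolicited inbound traffic is dropped by default.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 3. Narrow any existing inbound Allow rule for the RMI ports (e.g. one created at install
#    time) to the trusted addresses instead of deleting it, so management keeps working.
$rmiPortStrings = $RmiPorts | ForEach-Object { "$_" }
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)   # strings such as '1099' or 'Any'
    if ($ports | Where-Object { $_ -in $rmiPortStrings }) {
        Write-Host "Scoping rule '$($_.DisplayName)' to trusted addresses"
        $_ | Set-NetFirewallRule -RemoteAddress $TrustedAdmins
    }
}

# 4. Explicit Allow for the RMI ports from trusted addresses only. Block rules take
#    precedence over Allow rules in Windows Firewall, so no blanket Block is added for
#    these ports; the profile's default inbound Block already drops untrusted sources.
New-NetFirewallRule -DisplayName 'HPDM RMI 1099/40002 - trusted admins only' `
    -Direction Inbound -Protocol TCP -LocalPort $RmiPorts `
    -RemoteAddress $TrustedAdmins -Action Allow | Out-Null

# 5. PostgreSQL port: block all remote inbound access. Windows Firewall does not filter
#    loopback traffic, so Device Manager on the same host can still reach 40006.
New-NetFirewallRule -DisplayName 'HPDM PostgreSQL 40006 - block remote' `
    -Direction Inbound -Protocol TCP -LocalPort $PostgresPort -Action Block | Out-Null
```

Run from an elevated PowerShell session; step 1 alone is safe to run first as a read-only check of current exposure.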
HP Device Manager 5.0.4 is available via HP’s advisory. Security updates are still pending for Device Manager 4.7—the advisory notes that 4.7 Service Pack 13 is “to be released.” We urge affected HP customers to patch as soon as possible. If you are unable to patch, the backdoor database user should still be mitigated immediately using one of the methods above.
Nicky Bloor, the researcher who discovered the three vulns, has an excellent Twitter thread on the impact of the backdoor database user and steps for setting a strong password for that user.
Months later (feels like years some days, huh?) I still really appreciate this analysis! Thanks for writing it :)