Attacker Value: Very High (1 user assessed)
Exploitability: Moderate (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

Multiple vulnerabilities in HP Device Manager

Description

HP published an advisory for three vulnerabilities in its Device Manager software, which lets IT admins remotely manage HP thin clients. CVEs included in the advisory are CVE-2020-6925 (weak cipher), CVE-2020-6926 (remote method invocation), and CVE-2020-6927 (local privilege escalation). Some of these vulnerabilities can be chained together to allow an unauthenticated, remote attacker to gain local SYSTEM privileges on a vulnerable target.

HP advisory: https://support.hp.com/us-en/document/c06921908

Technical Analysis

Description

On September 25, 2020, HP published details on three vulnerabilities in its Device Manager software, which lets IT administrators remotely deploy and manage HP thin clients. The three CVEs included in HP’s advisory are CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927. Of these, CVE-2020-6926 is the most severe, with a CVSSv3 base score of 9.9. As of October 2, 2020, CVEs 2020-6925 and 2020-6927 have CVSSv3 base scores of 7.0 and 8.0, respectively.

Both HP and the researcher who discovered the vulnerabilities have reinforced that “some of these vulnerabilities can be chained together” to allow an unauthenticated, remote attacker to gain SYSTEM privileges on a vulnerable target. Part of this disclosure is that a backdoor database user exists in the PostgreSQL database used by HP Device Manager. Organizations are strongly encouraged to immediately set a fresh, strong password for the dm_postgres PostgreSQL user to prevent remote attackers from leveraging the backdoor user.

Further information from HP’s advisory:

  • These vulnerabilities may allow locally managed accounts within HP Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927).
  • CVE-2020-6925 does not impact customers who are using Active Directory authenticated accounts.
  • CVE-2020-6927 does not impact customers who are using an external database (Microsoft SQL Server) and have not installed the integrated Postgres service.

Affected products

HP has said that they are actively working on security updates for Device Manager and that they will update their advisory as those fixes become available.

| CVE ID | Potential Vulnerability | Impacted Version |
| --- | --- | --- |
| CVE-2020-6925 | Weak Cipher | All versions of HP Device Manager |
| CVE-2020-6926 | Remote Method Invocation | All versions of HP Device Manager |
| CVE-2020-6927 | Elevation of Privilege | HP Device Manager 5.0.0, HP Device Manager 5.0.1, HP Device Manager 5.0.2, HP Device Manager 5.0.3 |

Rapid7 analysis

HP hasn’t clarified which CVEs are the “some” that can be chained to enable remote code execution, but Rapid7 researchers confirmed early in an ongoing exploitability investigation that there is unauthenticated remote method invocation via TCP ports 1099 and 40002, and that an attacker can use the PostgreSQL privilege escalation to obtain SYSTEM-level access.

Rapid7 researchers identified ports 1099 and 40002 as belonging to a Java RMI service, which essentially allows for the remote execution of Java code. Furthermore, the PostgreSQL privilege escalation was tested and confirmed to be capable of local code execution as the SYSTEM user. However, in forcing the SQL service to be remotely accessible, Rapid7 researchers were able to achieve remote code execution (RCE) through PostgreSQL. Leveraging static analysis of the application, Rapid7 researchers surmised that the RMI service could enable such remote access, providing the most likely path to RCE, as arbitrary Java deserialization proved largely fruitless.

We are not aware of any public proofs-of-concept (PoCs) or exploits as of October 2, 2020. That said, our initial investigation indicates that CVEs 2020-6926 and 2020-6927 are relatively simple to exploit remotely, and the researcher who discovered the vulnerabilities has said he intends to publish his PoC exploit. We consider these CVEs impending threats as a result of their high attacker value and predicted ease of exploitation. We’ll update this analysis with further technical details as we continue to verify vulnerability details and test attack scenarios.

On October 5, 2020, the researcher who discovered these vulnerabilities published a blog post detailing the RCE chain in full. No PoC exploit has been released at this time.

Guidance

Organizations running instances of HP Device Manager are strongly encouraged to apply HP’s suggested mitigations to these systems immediately, including:

  • Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
  • Remove the dm_postgres account from the Postgres database; or
  • Update the dm_postgres account password within HP Device Manager Configuration Manager; or
  • Within the Microsoft Windows Firewall configuration, create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.
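One way to confirm the port restrictions above took effect on a server you administer, as an added example (not code from HP, Rapid7, or the researcher). The script name, the `trusted` argument, and the finding strings are assumptions made for illustration; only the port numbers come from the guidance.

```python
import socket
import sys

# Ports taken from the guidance above.
RMI_PORTS = (1099, 40002)   # Java RMI service
POSTGRES_PORT = 40006       # integrated PostgreSQL listener
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def probe(host, port, timeout=2.0):
    """TCP connect check: 'open', 'closed' (refused) or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, unreachable, name resolution failure
        return "no-response"


def audit(host, trusted_vantage, probe_fn=probe):
    """Return (port, problem) tuples where reachability contradicts the guidance.

    trusted_vantage: True when this script runs from an IP that is
    deliberately allowed to reach the RMI ports.
    """
    findings = []
    if not trusted_vantage:
        for port in RMI_PORTS:
            if probe_fn(host, port) == "open":
                findings.append((port, "RMI port reachable from untrusted host"))
    # PostgreSQL must answer on localhost only, whatever the vantage point.
    if host not in LOOPBACK and probe_fn(host, POSTGRES_PORT) == "open":
        findings.append((POSTGRES_PORT, "PostgreSQL reachable off-host"))
    return findings


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_hpdm_ports.py <server> [trusted]
    target = sys.argv[1]
    trusted = len(sys.argv) > 2 and sys.argv[2] == "trusted"
    problems = audit(target, trusted)
    for port, problem in problems:
        print(f"{target}:{port} {problem}")
    sys.exit(1 if problems else 0)
```

Run it once from a host outside the trusted set and once from a trusted management host; an empty result from both means the firewall rules match the guidance.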

HP Device Manager 5.0.4 is available via HP’s advisory. Security updates are still pending for Device Manager 4.7—the advisory notes that 4.7 Service Pack 13 is “to be released.” We urge affected HP customers to patch as soon as possible. If you are unable to patch, the backdoor database user should still be mitigated immediately using one of the methods above.

Nicky Bloor, the researcher who discovered the three vulns, has an excellent Twitter thread on the impact of the backdoor database user and steps for setting a strong password for that user.
