Three vulnerabilities affecting HP Device Manager, an application for remote management of HP Thin Client devices, could be chained together to achieve unauthenticated remote command execution as SYSTEM, security researcher Nick Bloor has found.
The vulnerabilities have been patched by HP nearly two weeks ago, but additional vulnerability and research details published on Monday may help attackers to craft a working exploit.
Thin clients are low-performance computers optimized for establishing a remote connection with a server-based computing environment.
HP Device Manager allows IT admins to remotely deploy, update, and manage thousands of HP Thin Clients through a single console.
The three vulnerabilities discovered by Bloor “may allow locally managed accounts within HP Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927).”
CVE-2020-6925 and CVE-2020-6926 affect all versions of HP Device Manager, CVE-2020-6927 (a privilege escalation vulnerability) affects HP Device Manager 5.0.0 to 5.0.3.
CVE-2020-6925 doesn’t impact customers who are using Active Directory authenticated accounts, HP pointed out, and CVE-2020-6927 doesn’t impact customers who are using an external database and have not installed the integrated Postgres service.
Fixes and mitigations
HP has provided a security update for the HP Device Manager 5.0.x branch – HPDM v5.0.4 – and will include the fixes for the 4.x branch in HP Device Manager 4.7 Service Pack 13.
Mitigations that partially mitigate these issues are also available, and include:
- Limiting incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
- Removing the dm_postgres account from the Postgres database; or updating the dm_postgres account password within HP Device Manager Configuration Manager; or
creating an inbound rule within Windows Firewall configuration to configure the PostgreSQL listening port (40006) for localhost access only.
Admins are advised to implement the offered security updates or mitigations as soon as possible.