Hewlett Packard Enterprise recently revealed a security flaw in its Systems Insight Manager software. This zero-day bug resides in recent versions of the server software and is reportedly unpatched. Servers running the affected software are exposed to remote code execution.
HPE SIM is software that facilitates automated hardware management across an expansive range of HPE servers, networking, and storage products. These servers include the HPE ProLiant Gen9 and Gen10 servers.
This zero-day bug, tracked as CVE-2020-7200, has been evaluated to be of critical severity with a score of 9.8. According to the security bulletin published by HPE, the vulnerability arises from improper input validation in the “Federated Search” and “Federated CMS Configuration” features. Because untrusted data reaches the Action Message Format (AMF) deserializer, an attacker can target the deserializer's logic while it processes that data and thereby achieve code execution. Exploitation of this flaw is of low complexity and does not require user interaction.
The affected product is HPE Systems Insight Manager (SIM) 7.6.x on Windows and Linux operating systems.
An unauthenticated, remote attacker could achieve code execution on the servers hosting the vulnerable software.
At the time of writing, no fix is available. HPE has stated that the vulnerability will be patched in a future release. In the meantime, HPE recommends that Windows users follow certain mitigation steps. These steps serve as a temporary measure against attacks and are as follows:
- Stop HPE SIM Service
- Delete the file <C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war> from the SIM installation path: del /Q /F "C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war"
- Restart HPE SIM Service
- Wait for the HPE SIM web page “https://SIM_IP:50000” to be accessible, then execute the following command from the command prompt: mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul
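The mitigation steps above, scripted in PowerShell as an added example that is not part of HPE's bulletin; the service name, the install path, and mxtool being on PATH are assumptions to verify on the host before running it.

```powershell
# Added example, not HPE's own script. Applies the Windows workaround for CVE-2020-7200
# and verifies each step. Adjust the assumed values below to match the host.
$SimRoot     = 'C:\Program Files\HP\Systems Insight Manager'   # install path shown in the bulletin
$DeployDir   = Join-Path $SimRoot 'jboss\server\hpsim\deploy'
$WarPath     = Join-Path $DeployDir 'simsearch.war'
$ServiceName = 'HP Systems Insight Manager'   # ASSUMPTION: check with Get-Service *Insight*
$SimPort     = 50000                           # port of the SIM web page from the bulletin

# Step 1: stop the SIM service and wait until it has actually stopped.
Stop-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

# Step 2: remove the Federated Search web application; -LiteralPath copes with the spaces.
if (Test-Path -LiteralPath $WarPath) {
    Remove-Item -LiteralPath $WarPath -Force
}
# Verify nothing named simsearch* is left in the deploy directory.
$Leftover = Get-ChildItem -LiteralPath $DeployDir -Filter 'simsearch*' -ErrorAction SilentlyContinue
if ($Leftover) { throw "simsearch artefacts still present: $($Leftover.Name -join ', ')" }

# Step 3: restart the service.
Start-Service -Name $ServiceName

# Step 4: wait until SIM listens on its web port (a TCP check, used here as a proxy for the
# web page being reachable; the service may need a little longer to finish initialising).
$Deadline = (Get-Date).AddMinutes(10)
do {
    $Client = New-Object System.Net.Sockets.TcpClient
    try   { $Client.Connect('localhost', $SimPort); $Up = $Client.Connected }
    catch { $Up = $false }
    finally { $Client.Dispose() }
    if (-not $Up) { Start-Sleep -Seconds 15 }
} while (-not $Up -and (Get-Date) -lt $Deadline)
if (-not $Up) { throw "SIM did not start listening on port $SimPort within 10 minutes" }

# Step 5: run the mxtool command from the bulletin. ASSUMPTION: mxtool is on PATH and the
# relative path tools\multi-cms-search.xml resolves from the install directory.
Push-Location $SimRoot
try {
    & mxtool -r -f 'tools\multi-cms-search.xml' *> $null
    if ($LASTEXITCODE -ne 0) { throw "mxtool exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}
Write-Host "CVE-2020-7200 workaround applied; simsearch.war removed from $DeployDir"
```

Re-run the simsearch* check after any SIM upgrade, since a reinstall can redeploy the removed web application until the vendor fix is in place.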