HP Device Manager Cavalcade of Critical CVEs (CVE-2020-6925:6927): What You Need to Know

Last updated at Fri, 02 Oct 2020 21:44:44 GMT

HP released a security bulletin on Sept. 25, 2020, disclosing a set of vulnerabilities in HP Device Manager that—when some are chained together—can result in a remote attacker gaining SYSTEM privileges on the target node.

Note: A backdoor database user exists in the PostgreSQL database used by HP Device Manager. Organizations are strongly encouraged to set a different, strong password for the hpdmdb PostgreSQL user.

AttackerKB Entries:

• Consolidated meta-topic (Follow this one to get information on all three.)
  • CVE-2020-6295
  • CVE-2020-6296
  • CVE-2020-6297
• HP Knowledge Base Bulletin
• Reported by Nicky Bloor (@nickstadb)

CVE-2020-6925 identifies a weak cipher in HP Device Manager that does not impact customers who are using Active Directory authenticated accounts.

CVE-2020-6926 is a remote method invocation vulnerability in all versions of HP Device Manager that enables remote, unauthenticated attackers to gain access to resources. It is the most severe of the three vulnerabilities.

CVE-2020-6927 is an elevation of privilege weakness that impacts HP Device Manager 5.0.0 through 5.0.3. When used in a chain, this enables remote attackers to gain SYSTEM privileges.

Remediation guidance for the HP Device Manager vulns

Organizations running instances of HP Device Manager are strongly encouraged to apply HP’s suggested mitigations to these systems immediately:

• Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
• Remove the dm_postgres account from the Postgres database; or
• Update the dm_postgres account password within HP Device Manager Configuration Manager; or
• Within the Microsoft Windows Firewall configuration create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.

HP hasn’t clarified which CVEs are the “some” that can be chained to enable remote code execution, but Rapid7 researchers confirmed early in an ongoing exploitability investigation that there is unauthenticated remote code execution (RCE) via TCP ports 1099 and 40002, and that an attacker can use the PostgreSQL privilege escalation to obtain SYSTEM-level access.

We are not aware of any public proofs-of-concept (PoCs) or exploits as of Oct. 2, 2020. That said, our initial investigation indicates that CVEs 2020-6926 and 2020-6927 are relatively simple to exploit remotely. We would put these CVEs in the impending threat category as a result of the vulnerabilitys' severity and predicted ease of exploitation. We’ll update this analysis with further technical details as we continue to verify vulnerability details and test attack scenarios.