HP SiteScope 11.32 Remote Code Execution

In default installations of HP SiteScope version 11.32, access to Java Management Extensions (JMX) is allowed to unauthenticated users over port 28006. This configuration allows for remote code execution exploits.


MD5 | 28775130e13b3afa7ae1a5b6908c694f

----- Issue Summary -----

In default installations of HP SiteScope 11.32, access to Java Management
Extensions (JMX) is allowed to unauthenticated users over port 28006. This
configuration allows for remote code execution exploits.


----- Additional Details -----

HP SiteScope's help pages discuss enabling authentication for JMX as an
optional step during setup, but only vaguely touch on the potential
consequences of choosing not to do this step.

The product is not secure-by-default, but rather requires that
administrators be knowledgeable enough to understand the ramifications of
allowing unauthenticated access to JMX, and for administrators to take the
steps provided by HP to change that insecure configuration.

At the same time, an attacker reading SiteScope's manual will realize that
SiteScope can be a potent target, with credentials and other details on
critical hosts in the enterprise.


----- Basic Exploitation -----

The Metasploit module exploit/multi/misc/java_jmx_server can be used to
gain remote code execution.


----- Other Attacks -----

As the code execution is occuring within the SiteScope process, we can
abuse this position to query SiteScope's configuration and steal
credentials SiteScope would use to authenticate to other hosts.

An example of such an attack can be found at:
https://github.com/hantwister/SCAT


----- Mitigation Suggestions For Users -----

Follow the instructions in SiteScope help pages to configure authentication
for JMX.


----- Mitigation Suggestions For HP -----

Configure a Java security policy that disallows unexpected MBeans from
being instantiated. Require authentication for JMX by default, with a
password randomly generated during installation, or disallow any remote JMX
access until a password is configured.



Related Posts

Comments