Serious vulnerabilities in HPE SiteScope found

19.06.2017


Several potentially serious vulnerabilities in HPE SiteScope were identified. There are no patches yet, so to prevent hacker attacks, users need to apply workarounds.

HPE SiteScope is a performance and availability monitoring software for distributed IT infrastructures, including servers, network services, applications, and operating systems.

The cybersecurity specialist Richard Kelley has discovered several vulnerabilities in product version 11.31.461.

Kelley has noticed that the company has not yet released patches for a critical remote code execution vulnerability disclosed in 2012, for which a Metasploit module is available.

HPE recommends that users prevent attacks by setting a specific flag in the “groups/master.config” file to disable old APIs.

“I wonder how many admins know about this setting, and why wouldn’t HPE just remove the old APIs from new versions if they are no longer needed?” Kelley said.

The expert has also discovered that the credentials stored in the configuration files are encrypted, but the encryption key is hardcoded, which allows an attacker to recover the password needed to log into the SiteScope interface with administrator privileges.
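The point about the hardcoded key is that "encrypted" credentials are only as secret as the key, and a key baked into the product is known to anyone who has the product. The following is an added illustration, not code from the article or from HPE: it uses a constructed toy cipher (HMAC-SHA256 keystream plus an HMAC tag, standing in for whatever scheme a product might use) and an assumed vendor default key, and shows a defender-side audit that flags configuration entries which still decrypt under that default key, as opposed to entries protected by a per-installation key kept outside the product's code. The config line names are constructed and are not real SiteScope settings.

```python
# Added example (not part of the article or HPE's code): a toy model of
# credentials "encrypted" under a product-wide hardcoded key, plus an audit
# that flags such entries. The cipher is a constructed stand-in, not SiteScope's.
import hashlib
import hmac
import os

# Hypothetical vendor default key, standing in for a key hardcoded in a product.
VENDOR_DEFAULT_KEY = b"vendor-default-key-assumed-for-illustration"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (constructed for this example)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_secret(plaintext: str, key: bytes) -> str:
    """Return hex(nonce || ciphertext || tag); the tag authenticates nonce+ciphertext under key."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_secret(blob_hex: str, key: bytes):
    """Return the plaintext if the blob verifies under key, else None (wrong key or tampered)."""
    blob = bytes.fromhex(blob_hex)
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def audit_config(config_text: str, default_key: bytes) -> dict:
    """Classify each name=value credential line:
    'default-key' -> decrypts under the vendor default key, so anyone holding the
                     product binary can read it (effectively cleartext);
    'site-key'    -> does not verify under the default key;
    'malformed'   -> value is not a valid hex blob."""
    result = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        try:
            pt = decrypt_secret(value.strip(), default_key)
        except ValueError:
            result[name.strip()] = "malformed"
            continue
        result[name.strip()] = "default-key" if pt is not None else "site-key"
    return result


# Constructed sample config (not a real SiteScope file): one entry encrypted under
# the hardcoded default key, one under a per-installation key held outside the code.
SITE_KEY = hashlib.sha256(b"per-installation key read from a protected file (assumed)").digest()
SAMPLE_CONFIG = "\n".join([
    "# constructed sample, not a real SiteScope configuration",
    "db_monitor_password=" + encrypt_secret("Sup3rS3cret!", VENDOR_DEFAULT_KEY),
    "rotated_password=" + encrypt_secret("Sup3rS3cret!", SITE_KEY),
])

if __name__ == "__main__":
    for name, status in audit_config(SAMPLE_CONFIG, VENDOR_DEFAULT_KEY).items():
        print(f"{name}: {status}")
```

Running the block reports `db_monitor_password` as `default-key` and `rotated_password` as `site-key`. The same audit idea applies to any product that ships a default key: entries that verify under it should be treated as unprotected and re-encrypted under a key the deployment controls.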

Once an attacker has access to the administration interface, they can obtain the credentials for the Linux and Windows servers monitored via SiteScope. The admin interface displays the passwords only as dots, but the actual password is transmitted in clear text over an insecure connection to the client, so a man-in-the-middle attacker can easily steal it.

HPE said it plans to solve the problem of insecure transmission of credentials in the third quarter of the year. The company also pointed out that the encryption-related problems are covered in chapter 20 of the SiteScope deployment guide.

It is not unusual for HPE to provide workarounds for SiteScope vulnerabilities instead of patches, but this seriously threatens the security of its users.
