Several potentially serious vulnerabilities have been identified in HPE SiteScope. No patches are available yet, so users need to apply workarounds to prevent attacks.
HPE SiteScope is performance and availability monitoring software for distributed IT infrastructures, including servers, network services, applications, and operating systems.
Cybersecurity specialist Richard Kelley discovered several vulnerabilities in product version 11.31.461.
Kelley noticed that the company has not yet released patches for a critical remote code execution vulnerability that was disclosed in 2012 and for which a Metasploit module is available.
HPE recommends that users prevent attacks by setting a specific flag in the “groups/master.config” file to disable old APIs.
“I wonder how many admins know about this setting, and why wouldn’t HPE just remove the old APIs from new versions if they are no longer needed?” Kelley said.
The expert also discovered that the credentials stored in the configuration files are encrypted, but the encryption key is hardcoded, which allows an attacker to recover the password needed to log in to the SiteScope interface with administrator privileges.
Once an attacker has access to the administration interface, they can obtain the credentials for the Linux and Windows servers that are monitored via SiteScope. The admin interface shows the passwords only as dots, but the actual password is transmitted in clear text over an insecure connection to the client, so a man-in-the-middle attack can easily be used to steal the information.
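The masked-field weakness described above can be checked for in responses captured from your own web applications. The following is an added example, not code from the article or from HPE; it assumes the interface is an HTML form, and the URLs, field names and sample pages are constructed.

```python
from html.parser import HTMLParser


class PasswordFieldAudit(HTMLParser):
    """Collect password inputs whose real value is present in the markup."""

    def __init__(self, sentinels=()):
        super().__init__()
        self.sentinels = set(sentinels)  # fixed placeholders that are not secrets
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        value = a.get("value", "").strip()
        if a.get("type", "").lower() == "password" and value and value not in self.sentinels:
            # Record only the field name, never the secret itself.
            self.findings.append(a.get("name") or a.get("id") or "<unnamed>")


def audit_response(url, body, sentinels=()):
    """Return (field, issue) pairs for one captured response from your own app."""
    parser = PasswordFieldAudit(sentinels)
    parser.feed(body)
    parser.close()
    issues = [(f, "secret present in response body") for f in parser.findings]
    if parser.findings and not url.lower().startswith("https://"):
        issues.append(("*", "response not served over TLS"))
    return issues


# Constructed samples: hypothetical host, field names and values.
WEAK_URL = "http://monitor.example.internal/prefs"
WEAK_PAGE = '<form><input type="text" name="host" value="db01">' \
            '<input type="password" name="remote_pw" value="constructed-secret"></form>'
HARDENED_URL = "https://monitor.example.internal/prefs"
HARDENED_PAGE = '<form><input type="text" name="host" value="db01">' \
                '<input type="password" name="remote_pw" value=""></form>'

if __name__ == "__main__":
    for url, page in ((WEAK_URL, WEAK_PAGE), (HARDENED_URL, HARDENED_PAGE)):
        print(url, audit_response(url, page))
```

A stored secret should stay on the server: the hardened page sends an empty field (or a fixed sentinel passed via `sentinels`) and only accepts a new value on submit.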
HPE said it plans to solve the problem of insecure transmission of credentials in the third quarter of the year. The company also pointed out that the encryption-related problems are covered in chapter 20 of the SiteScope deployment guide.
It is not unusual for HPE to provide workarounds for SiteScope vulnerabilities instead of patches, but this practice seriously threatens the security of its users.