CVSS2: 5 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |

CVSS3: 7.8 High

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS: 0.001 Low (Percentile 47.3%)
HPE’s SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication.
HPE’s SiteScope contains several vulnerabilities. The researcher reports that version 11.31.461 is affected; other versions may also be impacted. CERT/CC has not received further information on affected versions from HPE.
**CWE-306: Missing Authentication for Critical Function - CVE-2017-8952**
Previously reported as ZDI-12-176 in 2012, SiteScope version 11.31.461 and possibly other versions do not properly authenticate users before allowing file access. Successful exploitation allows attackers to bypass security restrictions and to perform unauthorized actions such as downloading arbitrary files from the system. A Metasploit module, hp_sitescope_getfileinternal_access, released in 2012 is confirmed by the reporter to still work against version 11.31.461.
**CWE-321: Use of Hard-coded Cryptographic Key - CVE-2017-8949**
SiteScope version 11.31.461 and possibly other versions contains hardcoded encryption keys in the ss_pu.jar library, allowing attackers to decrypt sensitive data such as the user credentials contained in configuration files.
**CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2017-8950**
SiteScope version 11.31.461 and possibly other versions in some cases uses custom cryptographic functions (e.g., OldEncryptionHandler in ss_pu.jar) to protect sensitive data such as credentials contained in configuration files. For example, the _httpSecureKeyPassword and _httpSecureKeystorePassword configuration items located in master.config are encrypted with the OldEncryptionHandler in some cases.
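The two cryptographic findings above (CWE-321 and CWE-327) share one root cause: a key that ships inside a library is held by every install and by anyone who obtains the library, so it protects nothing. The following added example (not code from the advisory, from HPE, or from SiteScope) illustrates that point and what per-deployment key management changes. The vault format, the cipher (a stdlib HMAC keystream used only to keep the example self-contained; a production system would use a vetted AEAD such as AES-GCM from a real library), the key names and all sample values are constructed for this illustration and say nothing about how ss_pu.jar or OldEncryptionHandler actually work.

```python
"""Added illustration: a key embedded in shipped code (CWE-321) is a shared secret
across all installations, while a key derived per deployment is not."""
import hashlib
import hmac
import secrets

# Constructed stand-in for a key baked into a library that every customer receives.
SHIPPED_KEY = b"example-key-identical-on-every-install"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream HMAC-SHA256(key, nonce || counter). Constructed for the
    example only so that it runs without third-party packages."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC under the given key)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; a wrong key fails closed instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def deployment_key(passphrase: str, salt: bytes) -> bytes:
    """Per-install key from an administrator-chosen secret plus a random salt kept on
    that host. This is the role key management plays in the mitigation: the secret
    never ships with the product."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def readable_with_shipped_library(blob: bytes) -> bool:
    """Can someone holding only the shipped library (and therefore SHIPPED_KEY) read it?"""
    try:
        unprotect(SHIPPED_KEY, blob)
        return True
    except ValueError:
        return False


def demo() -> tuple:
    """Constructed credential protected two ways; returns (shipped-key readable,
    managed-key readable)."""
    credential = b"keystore-password-example"          # constructed value
    obfuscated = protect(SHIPPED_KEY, credential)        # 'encryption' with a baked-in key
    salt = secrets.token_bytes(16)
    managed = protect(deployment_key("site-specific admin secret", salt), credential)
    return readable_with_shipped_library(obfuscated), readable_with_shipped_library(managed)


if __name__ == "__main__":
    print("shipped key readable: %s, managed key readable: %s" % demo())
```

The design point is the second return value of `demo()`: once the key material is derived on the customer's host from a secret HPE never had, possession of the library no longer yields the plaintext, which is exactly what enabling Key Management is meant to achieve.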
**CWE-522: Insufficiently Protected Credentials - CVE-2017-8951**
SiteScope version 11.31.461 and possibly other versions passes credentials stored in Credential Profiles in plaintext back to the client over HTTP.
The researcher has published a blog post about these issues. HPE has also released an advisory as of 2017 June 27.
The CVSS score below is based on the hard-coded cryptographic key issue.
An unauthenticated, remote attacker may be able to access arbitrary files from the system running SiteScope, or obtain credentials to SiteScope.
Apply an update
HPE has released updates and mitigation advice in a security advisory dated 2017 June 27. Affected users are encouraged to apply all available updates and follow HPE’s recommended mitigations.
Disable old APIs
According to HPE, for SiteScope version 11.24 IP7 and onwards, administrators may set an undocumented flag called “_disableOldAPIs=true” in the “groups/master.config” file. Setting this flag will prevent unauthenticated services from being executed.
Enable key management
According to HPE, the hardcoded keys (CVE-2017-8949) are used for backward compatibility and obfuscation. For encryption, Key Management can be enabled, which will mitigate this vulnerability. For enabling Key Management, please refer to the SiteScope Deployment Guide - Chapter 20: Configuring SiteScope to Use a Custom Key for Data Encryption.
According to HPE, ss_pu.jar (CVE-2017-8950) contains only obfuscation keys, and those keys are not used for encryption. Customizable cryptographic keys are generated during key management. Encryption is done by key management in SiteScope. Please refer to the SiteScope Deployment Guide - Chapter 20: Configuring SiteScope to Use a Custom Key for Data Encryption.
According to HPE, the CVE-2017-8951 vulnerability is expected to have an update in Q3 2017. The following workarounds may help mitigate these issues.
Require TLS/SSL
Ensure that the system using SiteScope requires TLS/SSL for access to mitigate the insufficiently protected credentials.
Restrict access
Restrict network access to SiteScope systems to trusted and authorized hosts and networks. Separate management networks from general purpose user networks. Do not allow access from untrusted networks such as the internet.
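The "Disable old APIs" and "Enable key management" steps above both come down to what is in groups/master.config, so an administrator will want a repeatable check rather than eyeballing the file. The following added audit script is not HPE's or SiteScope's code. It assumes master.config is a one-setting-per-line key=value file with # comments (an assumption, not stated in this note), reports whether _disableOldAPIs=true is set, and lists the credential items this note names so they can be confirmed as protected by Key Management rather than the legacy handler. The sample file contents are constructed; `_someOtherSetting` is a placeholder name, not a real SiteScope setting.

```python
"""Added check for the mitigations in this note; assumes a key=value master.config."""

# Constructed sample: a master.config before the mitigations are applied.
SAMPLE_MASTER_CONFIG = """\
# constructed sample, not a real SiteScope file
_someOtherSetting=1
_httpSecureKeyPassword=example-not-real
_httpSecureKeystorePassword=example-not-real
"""

# Constructed sample: the same file after the flag is set and the credential
# items have been moved under Key Management (so they no longer appear here).
HARDENED_MASTER_CONFIG = """\
# constructed sample
_someOtherSetting=1
_disableOldAPIs=true
"""

# Credential items the note says may still be protected by OldEncryptionHandler.
CREDENTIAL_ITEMS = ("_httpSecureKeyPassword", "_httpSecureKeystorePassword")


def parse_properties(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are skipped and only the
    first '=' splits, so values containing '=' survive intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    props = parse_properties(text)
    findings = []
    if props.get("_disableOldAPIs", "").lower() != "true":
        findings.append(
            "_disableOldAPIs is not set to true: unauthenticated legacy services "
            "remain reachable (CVE-2017-8952); requires 11.24 IP7 or later"
        )
    for item in CREDENTIAL_ITEMS:
        if item in props:
            findings.append(
                f"{item} is present in master.config: confirm it is protected by "
                "Key Management and not OldEncryptionHandler (CVE-2017-8949/8950)"
            )
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_master_config.py /path/to/groups/master.config
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MASTER_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Presence of a credential item is reported for review rather than judged automatically, because this note does not describe how a Key-Management-protected value can be told apart from a legacy one; that confirmation is left to the Deployment Guide procedure HPE references.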
VU#768399
Notified: April 24, 2017 Updated: June 13, 2017
Statement Date: June 07, 2017
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.8 | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Temporal | 7 | E:F/RL:W/RC:C |
Environmental | 5.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Richard Kelley for reporting this vulnerability.
This document was written by Garret Wassermann.
Field | Value |
---|---|
CVE IDs | CVE-2017-8952, CVE-2017-8949, CVE-2017-8950, CVE-2017-8951 |
Date Public | 2017-06-13 |
Date First Published | |
bytesdarkly.com/disclosures/2017/06/exploiting-hp-sitescope-from-zero-to-compromise.html
cwe.mitre.org/data/definitions/306.html
cwe.mitre.org/data/definitions/321.html
cwe.mitre.org/data/definitions/327.html
cwe.mitre.org/data/definitions/522.html
h20566.www2.hpe.com/hpsc/doc/public/display?docId=hpesbgn03763en_us
www.zerodayinitiative.com/advisories/ZDI-12-176/
www.rapid7.com/db/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess