Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:895524
HistorySep 24, 2013 - 12:00 a.m.

HP System Management Homepage vulnerable to a denial-of-service condition

2013-09-2400:00:00
www.kb.cert.org
15

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

54.5%

JSON

Overview

HP System Management Homepage 7.2.0.14 and possibly earlier versions contain a denial-of-service vulnerability (CWE-121).

Description

CWE-121: Stack-based Buffer Overflow

HP System Management Homepage 7.2.0.14 contains a denial-of-service vulnerability. The remote attacker may send the listener service a malformed request using the iprange parameter in /proxy/DataValidation. One of the listener child processes will then crash with that request value, overwriting EIP and corrupting the stack, resulting in a denial-of-service condition.

Impact

A remote attacker may be able to cause a denial-of-service condition against the HP System Management Homepage software.

Solution

HP has made System Management Homepage (SMH) v7.2.1 available for Windows and Linux to resolve the vulnerabilities. In the event that updating is not possible, the following workaround is also available.

Limit Access
Anonymous access is required for this attack to take place. Disabling this feature via the administration page will render the attacker unable to send this request without having proper authentication credentials.

Vendor Information

895524

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Hewlett-Packard Company Affected

Notified: June 28, 2013 Updated: September 20, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 5.6 AV:N/AC:H/Au:S/C:N/I:P/A:C
Temporal 4.4 E:POC/RL:OF/RC:C
Environmental 3.3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to the reporter that wishes to remain anonymous.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-4821
Date Public: 2013-09-18 Date First Published:

Related

prion 1
cve 1
securityvulns 2
openvas 1
nessus 1
prion
prion
Code injection
2013-09-23 10:18:00
cve
cve
CVE-2013-4821
2013-09-23 10:18:00
securityvulns
securityvulns
[security bulletin] HPSBMU02900 rev.3 - HP System Management Homepage (SMH) running on Linux and Windows, Multiple Remote and Local Vulnerabilities
2013-10-02 00:00:00
HP System Management Homepage multiple security vulnerabilities
2013-10-02 00:00:00
openvas
openvas
HP/HPE System Management Homepage (SMH) Multiple Vulnerabilities (HPSBMU02900)
2013-07-30 00:00:00
nessus
nessus
HP System Management Homepage < 7.2.1.0 Multiple Vulnerabilities (BEAST)
2013-07-23 00:00:00

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

54.5%

JSON
Related for VU:895524
prion1cve1securityvulns2openvas1nessus1