Susceptibility to dictionary attacks, unauthorized remote access to resources, and elevation of privilege.
Source: HP, HP Product Security Response Team (PSRT)
Reported By: Nick Bloor
Potential vulnerabilities have been identified with certain versions of HP Device Manager. These vulnerabilities may allow locally managed accounts within HP Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927).
CVE-2020-6925 does not impact customers who are using Active Directory authenticated accounts.
CVE-2020-6927 does not impact customers who are using an external database (Microsoft SQL Server) and have not installed the integrated Postgres service.
HP is aware of the issues and actively working to provide updates for HP Device Manager. This bulletin will be updated as these updates become available.
In the interim, customers can partially mitigate this issue in any of the following ways:
Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
Remove the dm_postgres account from the Postgres database; or
Update the dm_postgres account password within HP Device Manager Configuration Manager; or
Within Windows Firewall configuration create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.
HP Device Manager 5.0
HP Device Manager 4.7