Lucene search

K
nessusThis script is Copyright (C) 2012-2022 Tenable Network Security, Inc.HPSMH_7_0_0_24.NASL
HistoryApr 20, 2012 - 12:00 a.m.

HP System Management Homepage < 7.0 Multiple Vulnerabilities

2012-04-2000:00:00
This script is Copyright (C) 2012-2022 Tenable Network Security, Inc.
www.tenable.com
112

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.974

Percentile

99.9%

According to the web server’s banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.0. As such, it is reportedly affected by the following vulnerabilities :

  • An error exists in the β€˜generate-id’ function in the bundled libxslt library that can allow disclosure of heap memory addresses. (CVE-2011-0195)

  • An unspecified input validation error exists and can allow cross-site request forgery attacks. (CVE-2011-3846)

  • Unspecified errors can allow attackers to carry out denial of service attacks via unspecified vectors.
    (CVE-2012-0135, CVE-2012-1993)

  • The bundled version of PHP contains multiple vulnerabilities. (CVE-2010-3436, CVE-2010-4409, CVE-2010-4645, CVE-2011-1148, CVE-2011-1153, CVE-2011-1464, CVE-2011-1467, CVE-2011-1468, CVE-2011-1470, CVE-2011-1471, CVE-2011-1938, CVE-2011-2202, CVE-2011-2483, CVE-2011-3182, CVE-2011-3189, CVE-2011-3267, CVE-2011-3268)

  • The bundled version of Apache contains multiple vulnerabilities. (CVE-2010-1452, CVE-2010-1623, CVE-2010-2068, CVE-2010-2791, CVE-2011-0419, CVE-2011-1928, CVE-2011-3192, CVE-2011-3348, CVE-2011-3368, CVE-2011-3639)

  • OpenSSL libraries are contained in several of the bundled components and contain multiple vulnerabilities.
    (CVE-2011-0014, CVE-2011-1468, CVE-2011-1945, CVE-2011-3207,CVE-2011-3210)

  • Curl libraries are contained in several of the bundled components and contain multiple vulnerabilities.
    (CVE-2009-0037, CVE-2010-0734, CVE-2011-2192)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(58811);
  script_version("1.27");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2009-0037",
    "CVE-2010-0734",
    "CVE-2010-1452",
    "CVE-2010-1623",
    "CVE-2010-2068",
    "CVE-2010-2791",
    "CVE-2010-3436",
    "CVE-2010-4409",
    "CVE-2010-4645",
    "CVE-2011-0014",
    "CVE-2011-0195",
    "CVE-2011-0419",
    "CVE-2011-1148",
    "CVE-2011-1153",
    "CVE-2011-1464",
    "CVE-2011-1467",
    "CVE-2011-1468",
    "CVE-2011-1470",
    "CVE-2011-1471",
    "CVE-2011-1928",
    "CVE-2011-1938",
    "CVE-2011-1945",
    "CVE-2011-2192",
    "CVE-2011-2202",
    "CVE-2011-2483",
    "CVE-2011-3182",
    "CVE-2011-3189",
    "CVE-2011-3192",
    "CVE-2011-3207",
    "CVE-2011-3210",
    "CVE-2011-3267",
    "CVE-2011-3268",
    "CVE-2011-3348",
    "CVE-2011-3368",
    "CVE-2011-3639",
    "CVE-2011-3846",
    "CVE-2012-0135",
    "CVE-2012-1993"
  );
  script_bugtraq_id(
    33962,
    38162,
    40827,
    41963,
    42102,
    43673,
    44723,
    45119,
    45668,
    46264,
    46843,
    46854,
    46968,
    46969,
    46975,
    46977,
    47668,
    47820,
    47888,
    47929,
    47950,
    48259,
    48434,
    49241,
    49249,
    49303,
    49376,
    49469,
    49471,
    49616,
    49957,
    52974,
    53121
  );

  script_name(english:"HP System Management Homepage < 7.0 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to the web server's banner, the version of HP System
Management Homepage (SMH) hosted on the remote host is earlier than
7.0.  As such, it is reportedly affected by the following
vulnerabilities :

 - An error exists in the 'generate-id' function in the
   bundled libxslt library that can allow disclosure of
   heap memory addresses. (CVE-2011-0195)

 - An unspecified input validation error exists and can
   allow cross-site request forgery attacks. (CVE-2011-3846)

 - Unspecified errors can allow attackers to carry out 
   denial of service attacks via unspecified vectors.
   (CVE-2012-0135, CVE-2012-1993)

 - The bundled version of PHP contains multiple
   vulnerabilities. (CVE-2010-3436, CVE-2010-4409,
   CVE-2010-4645, CVE-2011-1148, CVE-2011-1153,
   CVE-2011-1464, CVE-2011-1467, CVE-2011-1468,
   CVE-2011-1470, CVE-2011-1471, CVE-2011-1938,
   CVE-2011-2202, CVE-2011-2483, CVE-2011-3182,
   CVE-2011-3189, CVE-2011-3267, CVE-2011-3268)

 - The bundled version of Apache contains multiple
   vulnerabilities. (CVE-2010-1452, CVE-2010-1623,
   CVE-2010-2068,  CVE-2010-2791, CVE-2011-0419,
   CVE-2011-1928, CVE-2011-3192, CVE-2011-3348,
   CVE-2011-3368, CVE-2011-3639)

 - OpenSSL libraries are contained in several of the
   bundled components and contain multiple vulnerabilities.
   (CVE-2011-0014, CVE-2011-1468, CVE-2011-1945,
   CVE-2011-3207,CVE-2011-3210)

 - Curl libraries are contained in several of the bundled
   components and contain multiple vulnerabilities.
   (CVE-2009-0037, CVE-2010-0734, CVE-2011-2192)");
  # http://web.archive.org/web/20130916143957/http://h20000.www2.hp.com:80/bizsupport/TechSupport/Document.jsp?objectID=c03280632
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?106ec533");
  script_set_attribute(attribute:"solution", value:
"Upgrade to HP System Management Homepage 7.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
  script_set_attribute(attribute:"exploithub_sku", value:"EH-14-410");
  script_cwe_id(352);

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:system_management_homepage");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2012-2022 Tenable Network Security, Inc.");

  script_dependencies("compaq_wbem_detect.nasl");
  script_require_keys("www/hp_smh");
  script_require_ports("Services/www", 2301, 2381);

  exit(0);
}


include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");


port    = get_http_port(default:2381, embedded:TRUE);
install = get_install_from_kb(appname:'hp_smh', port:port, exit_on_fail:TRUE);
dir     = install['dir'];
version = install['ver'];
prod    = get_kb_item_or_exit("www/"+port+"/hp_smh/variant");

if (version == UNKNOWN_VER) 
  exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' is unknown.');

# nb: 'version' can have non-numeric characters in it so we'll create 
#     an alternate form and make sure that's safe for use in 'ver_compare()'.
version_alt = ereg_replace(pattern:"[_-]", replace:".", string:version);
if (!ereg(pattern:"^[0-9][0-9.]+$", string:version_alt))
  exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' does not look valid ('+version+').');

fixed_version = '7.0.0.24';
if (ver_compare(ver:version_alt, fix:fixed_version, strict:FALSE) == -1)
{
  set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
  set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);
  if (report_verbosity > 0)
  {
    source_line = get_kb_item("www/"+port+"/hp_smh/source");

    report = '\n  Product           : ' + prod;
    if (!isnull(source_line)) 
      report += '\n  Version source    : ' + source_line;
    report += 
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_version + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);

  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, prod, port, version);
VendorProductVersionCPE
hpsystem_management_homepagecpe:/a:hp:system_management_homepage

References

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.974

Percentile

99.9%