Lucene search

K
nessusThis script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.HPSMH_7_1_1_1.NASL
HistoryJul 05, 2012 - 12:00 a.m.

HP System Management Homepage < 7.1.1 Multiple Vulnerabilities

2012-07-0500:00:00
This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
243

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.9%

According to the web server’s banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.1.1 and is, therefore, reportedly affected by the following vulnerabilities :

  • The bundled version of the libxml2 library contains multiple vulnerabilities. (CVE-2011-1944, CVE-2011-2821, CVE-2011-2834)

  • The bundled version of PHP contains multiple vulnerabilities. (CVE-2011-3379, CVE-2011-4153, CVE-2011-4885, CVE-2012-1823, CVE-2012-0057, CVE-2012-0830)

  • The bundled version of the Apache HTTP Server contains multiple vulnerabilities. (CVE-2011-3607, CVE-2011-4317, CVE-2011-4415, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053)

  • An issue exists in the ‘include/iniset.php’ script in the embedded RoundCube Webmail version that could lead to a denial of service. (CVE-2011-4078)

  • The bundled version of OpenSSL contains multiple vulnerabilities. (CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, CVE-2012-1165)

  • The bundled version of curl and libcurl does not properly consider special characters during extraction of a pathname from a URL. (CVE-2012-0036)

  • An off autocomplete attribute does not exist for unspecified form fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. (CVE-2012-2012)

  • An unspecified vulnerability exists that could allow a remote attacker to cause a denial of service, or possibly obtain sensitive information or modify data.
    (CVE-2012-2013)

  • An unspecified vulnerability exists related to improper input validation. (CVE-2012-2014)

  • An unspecified vulnerability allows remote, unauthenticated users to gain privileges and obtain sensitive information. (CVE-2012-2015)

  • An unspecified vulnerability allows local users to obtain sensitive information via unknown vectors.
    (CVE-2012-2016)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(59851);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2011-1944",
    "CVE-2011-2821",
    "CVE-2011-2834",
    "CVE-2011-3379",
    "CVE-2011-3607",
    "CVE-2011-4078",
    "CVE-2011-4108",
    "CVE-2011-4153",
    "CVE-2011-4317",
    "CVE-2011-4415",
    "CVE-2011-4576",
    "CVE-2011-4577",
    "CVE-2011-4619",
    "CVE-2011-4885",
    "CVE-2012-0021",
    "CVE-2012-0027",
    "CVE-2012-0031",
    "CVE-2012-0036",
    "CVE-2012-0053",
    "CVE-2012-0057",
    "CVE-2012-0830",
    "CVE-2012-1165",
    "CVE-2012-1823",
    "CVE-2012-2012",
    "CVE-2012-2013",
    "CVE-2012-2014",
    "CVE-2012-2015",
    "CVE-2012-2016"
  );
  script_bugtraq_id(
    48056,
    49754,
    50402,
    50494,
    50639,
    50802,
    51193,
    51281,
    51407,
    51417,
    51665,
    51705,
    51706,
    51806,
    51830,
    52764,
    53388,
    54218
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");

  script_name(english:"HP System Management Homepage < 7.1.1 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to the web server's banner, the version of HP System
Management Homepage (SMH) hosted on the remote host is earlier than
7.1.1 and is, therefore, reportedly affected by the following
vulnerabilities :

  - The bundled version of the libxml2 library contains
    multiple vulnerabilities. (CVE-2011-1944, CVE-2011-2821,
    CVE-2011-2834)

  - The bundled version of PHP contains multiple
    vulnerabilities. (CVE-2011-3379, CVE-2011-4153, 
    CVE-2011-4885, CVE-2012-1823, CVE-2012-0057, 
    CVE-2012-0830)

  - The bundled version of the Apache HTTP Server contains
    multiple vulnerabilities. (CVE-2011-3607, CVE-2011-4317,
    CVE-2011-4415, CVE-2012-0021, CVE-2012-0031, 
    CVE-2012-0053)

  - An issue exists in the 'include/iniset.php' script in
    the embedded RoundCube Webmail version that could lead
    to a denial of service. (CVE-2011-4078)

  - The bundled version of OpenSSL contains multiple 
    vulnerabilities. (CVE-2011-4108, CVE-2011-4576,
    CVE-2011-4577, CVE-2011-4619, CVE-2012-0027,
    CVE-2012-1165)

  - The bundled version of curl and libcurl does not 
    properly consider special characters during extraction
    of a pathname from a URL. (CVE-2012-0036)
    
  - An off autocomplete attribute does not exist for 
    unspecified form fields, which makes it easier for 
    remote attackers to obtain access by leveraging an
    unattended workstation. (CVE-2012-2012)

  - An unspecified vulnerability exists that could allow a
    remote attacker to cause a denial of service, or
    possibly obtain sensitive information or modify data.
    (CVE-2012-2013)

  - An unspecified vulnerability exists related to improper
    input validation. (CVE-2012-2014)

  - An unspecified vulnerability allows remote, 
    unauthenticated users to gain privileges and obtain 
    sensitive information. (CVE-2012-2015)

  - An unspecified vulnerability allows local users to
    obtain sensitive information via unknown vectors.
    (CVE-2012-2016)");
  # http://web.archive.org/web/20130927061716/http://h20000.www2.hp.com:80/bizsupport/TechSupport/Document.jsp?objectID=c03360041
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d07467b6");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/523320/30/0/threaded");
  script_set_attribute(attribute:"solution", value:
"Upgrade to HP System Management Homepage 7.1.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-2012");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'PHP CGI Argument Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/03/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:system_management_homepage");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("compaq_wbem_detect.nasl");
  script_require_keys("www/hp_smh");
  script_require_ports("Services/www", 2301, 2381);

  exit(0);
}


include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");


port    = get_http_port(default:2381, embedded:TRUE);
install = get_install_from_kb(appname:'hp_smh', port:port, exit_on_fail:TRUE);
dir     = install['dir'];
version = install['ver'];
prod    = get_kb_item_or_exit("www/"+port+"/hp_smh/variant");

if (version == UNKNOWN_VER) 
  exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' is unknown.');

# nb: 'version' can have non-numeric characters in it so we'll create 
#     an alternate form and make sure that's safe for use in 'ver_compare()'.
version_alt = ereg_replace(pattern:"[_-]", replace:".", string:version);
if (!ereg(pattern:"^[0-9][0-9.]+$", string:version_alt))
  exit(1, 'The version of '+prod+' installed at '+build_url(port:port, qs:dir+"/")+' does not look valid ('+version+').');

fixed_version = '7.1.1.1';
if (ver_compare(ver:version_alt, fix:fixed_version, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    source_line = get_kb_item("www/"+port+"/hp_smh/source");

    report = '\n  Product           : ' + prod;
    if (!isnull(source_line)) 
      report += '\n  Version source    : ' + source_line;
    report += 
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_version + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);

  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, prod, port, version);
VendorProductVersionCPE
hpsystem_management_homepagecpe:/a:hp:system_management_homepage

References

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.9%