HP released a security bulletin on Sept. 25, 2020, disclosing a set of vulnerabilities in HP Device Manager that—when some are chained together—can result in a remote attacker gaining
SYSTEM privileges on the target node.
Note: A backdoor database user exists in the PostgreSQL database used by HP Device Manager. Organizations are strongly encouraged to set a different, strong password for the
hpdmdb PostgreSQL user.
CVE-2020-6925 identifies a weak cipher in HP Device Manager that does not impact customers who are using Active Directory authenticated accounts.
CVE-2020-6926 is a remote method invocation vulnerability in all versions of HP Device Manager that enables remote, unauthenticated attackers to gain access to resources. It is the most severe of the three vulnerabilities.
CVE-2020-6927 is an elevation of privilege weakness that impacts HP Device Manager 5.0.0 through 5.0.3. When used in a chain, this enables remote attackers to gain
Organizations running instances of HP Device Manager are strongly encouraged to apply HP’s suggested mitigations to these systems immediately:
dm_postgresaccount from the Postgres database; or
dm_postgresaccount password within HP Device Manager Configuration Manager; or
HP hasn’t clarified which CVEs are the “some” that can be chained to enable remote code execution, but Rapid7 researchers confirmed early in an ongoing exploitability investigation that there is unauthenticated remote code execution (RCE) via TCP ports 1099 and 40002, and that an attacker can use the PostgreSQL privilege escalation to obtain SYSTEM-level access.
We are not aware of any public proofs-of-concept (PoCs) or exploits as of Oct. 2, 2020. That said, our initial investigation indicates that CVEs 2020-6926 and 2020-6927 are relatively simple to exploit remotely. We would put these CVEs in the impending threat category as a result of the vulnerabilitys' severity and predicted ease of exploitation. We’ll update this analysis with further technical details as we continue to verify vulnerability details and test attack scenarios.