Hewlett-Packard Intelligent Management Center CommonUtils Static DES/ECB Decryption Key Vulnerability

2013-10-16T00:00:00
ID ZDI-13-241
Type zdi
Reporter Andrea Micalizzi aka rgod
Modified 2013-11-09T00:00:00

Description

This vulnerability allows remote attackers to obtain sensitive information on vulnerable installations of Hewlett-Packard Intelligent Management Center. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the CommonUtil class. This application uses a static key and the DES algorithm in ECB mode to store Administrator credentials. A remote attacker can use this vulnerability in conjunction with other vulnerabilities to disclose administrative credentials and possibly leverage this situation to achieve remote code execution.