FYI: If you're running HP Device Manager, anyone on your network can get admin on your server via backdoor
2020-09-30 08:32

HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account that undermines network security, a UK-based consultant has warned.

Nicky Bloor, founder of Cognitous Cyber Security, reports that an HP Inc programmer appears to have set up an insecure user account in a database within HP Device Manager.

Anyone with access to a server where HP Device Manager is installed could use this user account to gain complete control over the server.

"PSA: Do you or your clients use HP thin clients and manage them with HP Device Manager? I strongly advise you, firstly, to log on to all servers running HP Device Manager and set a strong password for the "Dm postgres" user of the "Hpdmdb" Postgres database on TCP port 40006 1/4" - Nicky Bloor, September 29, 2020

Sysadmins are urged to update to HP Device Manager 5.0.4, or HP Device Manager 4.7 Service Pack 13 when it is available, to address the vulnerabilities.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/09/30/hp_device_manager_backdoor_account/

Related vendor

Vulnerability counts by severity are for the last 12 months (LAST 12M).

VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
HP     | 6795       | 19  | 248    | 488  | 234      | 989