HP Device Manager vulnerabilities may allow full system takeover
2020-10-07 12:52

Three vulnerabilities affecting HP Device Manager, an application for remote management of HP Thin Client devices, could be chained together to achieve unauthenticated remote command execution as SYSTEM, security researcher Nick Bloor has found.

HP Device Manager allows IT admins to remotely deploy, update, and manage thousands of HP Thin Clients through a single console.

The three vulnerabilities discovered by Bloor "may allow locally managed accounts within HP Device Manager to be susceptible to dictionary attacks due to weak cipher implementation and allow a malicious actor to remotely gain unauthorized access to resources, and/or allow a malicious actor to gain SYSTEM privileges."

HP has provided a security update for the HP Device Manager 5.0.x branch - HPDM v5.0.4 - and will include the fixes for the 4.x branch in HP Device Manager 4.7 Service Pack 13.

Removing the dm postgres account from the Postgres database; or updating the dm postgres account password within HP Device Manager Configuration Manager; or.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/kCgVN3mMkSw/

Related vendor

| VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|--------|------------|-----|--------|------|----------|-------------|
| HP     | 8977       | 150 | 760    | 535  | 680      | 2125        |