Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

           HP Virtual SAN appliance root shell command injection
                              21 August 2012


        AusCERT Security Bulletin Summary

Product:           HP Virtual SAN
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2012-4362 CVE-2012-4361 CVE-2012-2986

Original Bulletin: 

Comment: There is currently no patch to correct this issue, therefore it is
         recommended that administrators should only allow connections from
         trusted hosts and networks.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#441363
HP Virtual SAN appliance root shell command injection

Original Release date: 17 Aug 2012 | Last revised: 17 Aug 2012


The HP Virtual SAN appliance version 9.5 is susceptible to a root shell command 
injection (CWE-77) vulnerability.


Tenable Network Security has reported that HP's fix for the command injection 
vulnerability, EDB-ID 18893, was incomplete. The ping command for the appliance 
has a total of four parameters. The initial fix has only sanitized the input 
for one of the four parameters. Command injection is still possible against the 
other three parameters.


An authenticated attacker can run arbitrary commands on the appliance.


We are currently unaware of a practical solution to this problem. Please 
consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from trusted hosts 
and networks. Restricting access would prevent an attacker from accessing an HP 
Virtual SAN appliance using stolen credentials from a blocked network location.

Vendor Information (Learn More)

Vendor			Status		Date Notified	Date Updated
Hewlett-Packard Company	Affected	10 Jul 2012	17 Aug 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group 		Score 	Vector
Base 		7.7 	AV:A/AC:L/Au:S/C:C/I:C/A:C
Temporal 	6.2 	E:POC/RL:U/RC:UC
Environmental 	6.2 	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND




Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

    CVE IDs: CVE-2012-2986
    Date Public: 17 Aug 2012
    Date First Published: 17 Aug 2012
    Date Last Updated: 17 Aug 2012
    Document Revision: 15


If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967