Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0793
HP Virtual SAN appliance root shell command injection
21 August 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: HP Virtual SAN
Publisher: US-CERT
Operating System: Network Appliance
Impact/Access: Root Compromise -- Existing Account
Resolution: Mitigation
CVE Names: CVE-2012-4362 CVE-2012-4361 CVE-2012-2986
Original Bulletin:
http://www.kb.cert.org/vuls/id/441363
Comment: There is currently no patch to correct this issue, therefore it is
recommended that administrators should only allow connections from
trusted hosts and networks.
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#441363
HP Virtual SAN appliance root shell command injection
Original Release date: 17 Aug 2012 | Last revised: 17 Aug 2012
Overview
The HP Virtual SAN appliance version 9.5 is susceptible to a root shell command
injection (CWE-77) vulnerability.
Description
Tenable Network Security has reported that HP's fix for the command injection
vulnerability, EDB-ID 18893, was incomplete. The ping command for the appliance
has a total of four parameters. The initial fix has only sanitized the input
for one of the four parameters. Command injection is still possible against the
other three parameters.
Impact
An authenticated attacker can run arbitrary commands on the appliance.
Solution
We are currently unaware of a practical solution to this problem. Please
consider the following workarounds.
Restrict access
As a general good security practice, only allow connections from trusted hosts
and networks. Restricting access would prevent an attacker from accessing an HP
Virtual SAN appliance using stolen credentials from a blocked network location.
Vendor Information (Learn More)
Vendor Status Date Notified Date Updated
Hewlett-Packard Company Affected 10 Jul 2012 17 Aug 2012
If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
Group Score Vector
Base 7.7 AV:A/AC:L/Au:S/C:C/I:C/A:C
Temporal 6.2 E:POC/RL:U/RC:UC
Environmental 6.2 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
References
http://cwe.mitre.org/data/definitions/77.html
http://www.exploit-db.com/exploits/18893/
Credit
Thanks to Tenable Network Security for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
CVE IDs: CVE-2012-2986
Date Public: 17 Aug 2012
Date First Published: 17 Aug 2012
Date Last Updated: 17 Aug 2012
Document Revision: 15
Feedback
If you have feedback, comments, or additional information about this
vulnerability, please send us email.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUDLrv+4yVqjM2NGpAQINZw//QVra7clfAOKeEL4cJ6YafuuukB/V4fPV
AgE/S2rPAKKxereY5j9z9MN1QwSoixy1fbhlQekAP/T0qMwM+lHmszPI1AikN6P2
aH9c/6USonpOYvowBUUQBDJDQADA+DSGHWVErjCNyHwBVgrQq2z9U/UUm3VkOK4+
zMSYgoAHLmcA9NAuuuT2CZKqUJ0cNuNECIV+LnXcwtQQvP467rlFG+4bPRqbLqCn
9ZpFhztlzUlSXfpDszAnKbdXJ6QJMpuJrhhdKKXOEfe20NtzzV1Tj/HVSA80m4Zw
TTC8cGpKVxUdID270XrgzJlI3dQcve0ycBYpVyEDmbOhH4WN3YlK6Qdr5vZNf/hS
wwTiOYXB5LtqjyRJDX7m1Sh/cXxYln+idZnaxhTPoMJnKBHfBf7n5CyV0l6syAsO
Q8//ExIvmo8xCDtY69ruZZ8l/YG5kTN/08bDOXFxxDdFq0HU5tzFUUCerfvXF6Uf
7kVLeRfJxx4vxC4q3gn9kyqDvjWqhlQK+NS3zJpdHJ7PCCh9s0/+6KnOmZ6jlJkk
O6CwQTqNOdHU1pTk8ByT55WsEkSGE66RArBo0fDcj9pCuBKhHbbQT1sjqjwf2WvW
9bQGGl9cLZfucSf3t3pk7NLneuNjKVi9GLxLjtmkQiM8t6z3mjIqp4y3/Qy43iNo
uf9XTu/AtsE=
=CGHK
-----END PGP SIGNATURE-----