HP released a security advisory that includes details for three critical and high severity vulnerabilities, tracked as CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927, that impact the HP Device Manager.
The IT giant revealed that an attacker could exploit the vulnerabilities to take over Windows systems.
The HP Device Manager allows administrators to remotely manage HP thin clients.
The vulnerabilities have been reported to HP by the infosec researchers Nick Bloor, an attacker could chain the three issues to achieve SYSTEM privileges on targeted devices and potentially take over them.
“Potential vulnerabilities have been identified with certain versions of HP Device Manager.” reads the HP’s advisory. “These vulnerabilities may allow locally managed accounts within Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927).”
|CVE ID||Potential Vulnerability||Impacted Version||CVSS 3.0 Base Score|
|CVE-2020-6925||Weak Cipher||All versions of HP Device Manager||7.0|
|CVE-2020-6926||Remote Method Invocation||All versions of Device Manager||9.9|
|CVE-2020-6927||Elevation of Privilege||HP Device Manager 5.0.0 to 5.0.3||8.0|
The flaws could allow attackers to carry out multiple malicious actions, such as perform dictionary attacks, gain unauthorized remote access to resources, and elevate privilege.
The first vulnerability, tracked as CVE-2020-6925, is related to the use of weak cipher implementation and exposes locally Device Manager managed accounts to dictionary attacks. The issue does not impact customers who use Active Directory authenticated accounts.
The second flaw, tracked as CVE-2020-6926, is a remote method invocation flaw that could be exploited by remote attackers to gain unauthorized access to resources.
The last issue, tracked as CVE-2020-6927, could allow remote attackers to gain SYSTEM privileges by exploiting a backdoor database user account, using a space as a password, in the PostgreSQL database.
This vulnerability doesn’t impact HP customers using an external database (Microsoft SQL Server) and that have not installed the integrated Postgres service.
Unfortunately, HP hasn’t yet released security updates to address the CVE-2020-6925 and CVE-2020-6926 security issues, while the CVE-2020-6927 has been fixed with the release of Device Manager 5.0.4.
However, the company provides customers with remediation steps that should at least partially mitigate the security risks.
HP also released the following list of mitigations for the above issues:
(SecurityAffairs – hacking, HP)