Plugin Spotlight: HP DDMI Remote System Access
Traditional buffer overflow vulnerabilities require specific conditions to be met on the system, payload to be written for the target platform and an exploit smart enough to get around system execution protections in memory. Some of the most dangerous exploits rely on vulnerabilities that can be triggered in a varying number of conditions and circumstances. A far more reliable approach is to take over a process or manipulate a protocol to gain access to the system that does not require that a buffer overflow vulnerability be present.
This brings us to the HP Discovery & Dependency Mapping Inventory (DDMI) agent, which runs on a variety of platforms, including Windows and Linux, to provide central inventory management. HP's DDMI agent contains a flaw that allows an attacker to connect to it without credentials and manage the agent. The agent fails to check for a valid SSL certificate from managing DDMI servers, which means anyone can pretend to be the server and control the agent, providing the ability to:
- Disclose sensitive information about installed software
- Read the contents of arbitrary files
- Launch arbitrary processes with SYSTEM privileges
The last item clearly presents the most risk as it gives control of the system to anyone on the network that can pretend to be a DDMI server. The agents accept commands via Simple Object Access Protocol (SOAP); example requests are included in the plugin output:
| NOTE: You must also go into the "Advanced" tab in the Nessus client, under "Global variable settings" and click on the "Enable CGI scanning" checkbox in order for this plugin to execute. |
Nessus will create the appropriate SOAP request, and if "Safe Checks" are disabled, run a command on the remote host. On Windows, Nessus will run the "ipconfig" command, and on Linux systems, the "id" command will be run. The nature of the vulnerability makes it difficult to return the output of the command, so it is saved as a file on the target system:
If "Safe Checks" is enabled, Nessus will download a file from the target system.
HP has given this a CVSS score of 4.0, however Nessus ranks this vulnerability with a CVSS score of 10.0, a much more critical ranking. The reason is that this could present serious risk, especially for an organization that has this widely deployed to several thousand desktops. A fix is available from HP, patch number HPED_00306 (for DDMI version 7.5x) / HPED_00304 (for version 2.5x) so be certain to patch your systems.
References
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
- Nessus