Mitigation Plan for Monitoring Tool Hole

Wednesday, October 14, 2015 @ 03:10 PM gHale

There is a vulnerability in HP SiteScope where an attacker could execute arbitrary operating system commands, researchers said.

HP SiteScope is software that monitors the performance and availability of distributed IT infrastructures, including network services and devices, applications, servers, and operating systems, said researchers at Rapid7, which discovered the vulnerability.


An attacker could gain access to the SiteScope administration panel by going to :8080/SiteScope/servlet/Main, according to an advisory from Rapid7. While the control panel can be password protected, users are not required to set a password after installing the product, which means default deployments may be reachable by attackers without any credentials.

Once an attacker gains access to the administration panel, they can execute operating system commands via unsanitized user input fields in the SiteScope DNS Tool.

The DNS Tool allows users to specify a DNS server and a host name to resolve, but since the fields are not sanitized, an attacker can append any operating system command to the information that would normally be entered, researchers said.
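The root cause described above is user-controlled hostname fields that are appended to an operating system command without validation. The following is an added example, not SiteScope's code or anything from Rapid7's advisory: it contrasts the unsanitized pattern (fields concatenated into a shell command string) with a hardened version that accepts only an IP literal or an RFC 1123 hostname and then runs the resolver through an argument list with no shell involved. The same validator is reused as a detection check over captured form submissions; the `nslookup` binary and the field names `dnsServer` and `hostName` are assumptions for the example, not SiteScope's real parameters.

```python
import re
import ipaddress
import subprocess
from typing import List

# Constructed example, not SiteScope code. It shows the difference between
# passing user-supplied DNS-tool fields into a shell command string (the
# unsanitized pattern the advisory describes) and a hardened version that
# validates each field and never invokes a shell.

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_valid_dns_field(value: str) -> bool:
    """Accept only an IP address literal or an RFC 1123 hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_lookup_command_unsafe(dns_server: str, host: str) -> str:
    """The vulnerable shape: fields concatenated into one shell command line.
    Anything the shell treats specially in either field changes what runs.
    Returned as a string only; it is never executed in this example."""
    return f"nslookup {host} {dns_server}"


def build_lookup_command_safe(dns_server: str, host: str) -> List[str]:
    """Hardened shape: validate both fields, then return an argv list that is
    handed to subprocess without a shell, so no field can be read as command
    syntax. (nslookup is assumed to be the resolver binary in use.)"""
    for name, value in (("dns_server", dns_server), ("host", host)):
        if not is_valid_dns_field(value):
            raise ValueError(f"rejected {name}: {value!r}")
    return ["nslookup", host, dns_server]


def run_lookup(dns_server: str, host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv list; shell=False is subprocess's default."""
    return subprocess.run(build_lookup_command_safe(dns_server, host),
                          capture_output=True, text=True, timeout=10)


# Detection side: the same validator applied to the values a web-application
# log or proxy captured for the DNS-tool fields. A value that fails validation
# is worth a look; one that also carries shell metacharacters is a stronger signal.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\]")


def flag_suspicious_fields(submissions):
    """Return the submissions whose fields fail validation, annotated with
    whether any failing field also contains shell metacharacters."""
    flagged = []
    for sub in submissions:
        bad = {k: v for k, v in sub.items() if not is_valid_dns_field(v)}
        if bad:
            flagged.append({
                "fields": bad,
                "shell_meta": any(SHELL_META.search(v) for v in bad.values()),
            })
    return flagged


if __name__ == "__main__":
    # Constructed sample submissions: two normal, one malformed, one hostile-looking.
    # Field names are assumptions for this example, not SiteScope's parameters.
    sample = [
        {"dnsServer": "8.8.8.8", "hostName": "example.com"},
        {"dnsServer": "2001:db8::1", "hostName": "mail.example.org."},
        {"dnsServer": "8.8.8.8", "hostName": "-bad.example.com"},
        {"dnsServer": "8.8.8.8", "hostName": "example.com ; echo test"},
    ]
    for hit in flag_suspicious_fields(sample):
        print("flagged:", hit)
```

The design point is that validation and the argv list work together: the allow-list rejects anything that is not a plausible hostname or address, and `subprocess.run` with a list argument means that even a value which slipped past the validator is delivered to the resolver as a single argument rather than parsed by a shell.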

Executing these commands is only possible on HP SiteScope installations running on Windows, because on that operating system the product requires local system access in order to work properly.

If the admin panel uses password protection, only an authenticated attacker could conduct such an attack.

The vulnerability, identified by Kirk Hayes of Rapid7 and Charles Riggs of Knowledge Consulting Group on June 1, was initially reported through HP’s Zero Day Initiative (ZDI) program. After ZDI rejected the issue, the vulnerability details went directly to HP on July 1, according to Rapid7.

While there doesn’t appear to be a patch for the flaw, SiteScope users can take steps to mitigate the risk. Customers should limit access to SiteScope web services to trusted users with local system access on the machine running the product. Strong passwords should also be set for all SiteScope users.

When running on Windows systems, the product requires local system access, which makes restricting account permissions for the application and for individual users ineffective. That is why both HP and Rapid7 advise users to host SiteScope on Linux and configure it to run as a non-root user.