Bugs in HP Insight Diagnostics

Monday, June 10, 2013 @ 05:06 PM gHale

HP is working on a fix for the multiple vulnerabilities in the Insight Diagnostics server management tool where an attacker could exploit them to run code and let them take over an infected computer.

Two flaws are in the vulnerability note: CVE-2013-3574, External Control of File Name or Path and CVE-2013-3573, Improper Neutralization of Special Elements in Output Used by a Downstream Component Injection.

A third, something US-CERT is calling Improper Control of Filename for Include/Require Statement in PHP Program, or CVE-2013-3575, is also vulnerable.

Vulnerability Accidentally Disclosed
Google Gives 7-Day Patch Period
DHS Software Possibly Leaked Data
Port Scans Find Insecure Devices

When all of the vulnerabilities combine, an attacker could remotely execute arbitrary PHP commands on a server with administrator privileges. When only the first two combine, it grants an attacker the ability to inject arbitrary data into a file stored in an arbitrary location using the “devicePath” parameter.

According to CERT, Markus Wulftange, a security consultant at the German IT firm Daimler TSS found the bugs.

Intended for small and medium businesses, HP’s Insight Diagnostics is a Web-based tool that lets IT administrators troubleshoot and repair problems on Windows and Linux-based machines. If the past is any indication, HP usually sends email updates to customers when patches release for their products.

Leave a Reply

You must be logged in to post a comment.