Plugin Spotlight: HP DDMI Remote System Access
Traditional buffer overflow vulnerabilities require specific conditions to be met on the system, payload to be written for the target platform and an exploit smart enough to get around system execution protections in memory. Some of the most dangerous exploits rely on vulnerabilities that can be triggered in a varying number of conditions and circumstances. A far more reliable approach is to take over a process or manipulate a protocol to gain access to the system that does not require that a buffer overflow vulnerability be present.
This brings us to the HP Discovery & Dependency Mapping Inventory (DDMI) agent, which runs on a variety of platforms, including Windows and Linux, to provide central inventory management. HP's DDMI agent contains a flaw that allows an attacker to connect to it without credentials and manage the agent. The agent fails to check for a valid SSL certificate from managing DDMI servers, which means anyone can pretend to be the server and control the agent, providing the ability to:
- Disclose sensitive information about installed software
- Read the contents of arbitrary files
- Launch arbitrary processes with SYSTEM privileges
The last item clearly presents the most risk as it gives control of the system to anyone on the network that can pretend to be a DDMI server. The agents accept commands via Simple Object Access Protocol (SOAP); example requests are included in the plugin output:
| NOTE: You must also go into the "Advanced" tab in the Nessus client, under "Global variable settings" and click on the "Enable CGI scanning" checkbox in order for this plugin to execute. |
Nessus will create the appropriate SOAP request, and if "Safe Checks" are disabled, run a command on the remote host. On Windows, Nessus will run the "ipconfig" command, and on Linux systems, the "id" command will be run. The nature of the vulnerability makes it difficult to return the output of the command, so it is saved as a file on the target system:
If "Safe Checks" is enabled, Nessus will download a file from the target system.
HP has given this a CVSS score of 4.0, however Nessus ranks this vulnerability with a CVSS score of 10.0, a much more critical ranking. The reason is that this could present serious risk, especially for an organization that has this widely deployed to several thousand desktops. A fix is available from HP, patch number HPED_00306 (for DDMI version 7.5x) / HPED_00304 (for version 2.5x) so be certain to patch your systems.
References
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Nessus