Cognitous Cyber Security experts told The Register about the backdoor and a number of other issues in HP Device Manager, which is designed to manage HP Thin Client devices.
The researchers explain that the developers appear to have left an unsecured account in the HP Device Manager code that could act as a backdoor. This account can be used for privilege escalation and, in combination with another bug, to remotely execute commands with SYSTEM privileges. Worse, by examining HP Device Manager with default settings, an expert found that the vulnerability could be exploited remotely, and anyone who could connect to a server running HP Device Manager could gain complete control over that server.
Back in early August, the experts tried to notify HP's developers about their findings but at first received no response. Company representatives then asked for the standard 90 days to fix the bug, although they did not confirm that they had studied the vulnerability reports at all and did not offer any remedial measures for the bugs. Finally, Bloor and his team decided not to wait.
Bloor explained that it is not difficult to protect against exploitation of the problem: it is enough to set a strong password for the dm_postgres user of the hpdmdb Postgres database on TCP port 40006.
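To see whether a server is reachable in the way described above, an administrator can check locally how the database listener on TCP port 40006 is bound and who is connected to it. The following is an added example, not code from the researchers or HP; it assumes a Windows server and parses saved `netstat -ano -p TCP` output, and the sample lines are constructed.

```python
import ipaddress

HPDM_DB_PORT = 40006  # Postgres port named in the article

# Constructed sample of `netstat -ano -p TCP` output (not real data).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:40006          0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
  TCP    10.0.5.20:40006        10.0.9.77:51544        ESTABLISHED     4312
  TCP    127.0.0.1:40006        127.0.0.1:50112        ESTABLISHED     4312
  TCP    10.0.5.20:52011        10.0.9.80:40006        ESTABLISHED     2200
"""

def split_endpoint(endpoint):
    """Split 'host:port' (IPv6 hosts are bracketed) into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def audit(netstat_text, port=HPDM_DB_PORT):
    """Report non-loopback listeners on `port` and non-loopback connected peers."""
    exposed, remote_peers = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # header, blank or non-TCP line
        try:
            local_ip, local_port = split_endpoint(fields[1])
            peer_ip, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # unparsable endpoint
        if local_port != port:
            continue  # only the local database listener is of interest
        state = fields[3]
        if state == "LISTENING" and not local_ip.is_loopback:
            exposed.append(str(local_ip))
        elif state == "ESTABLISHED" and not peer_ip.is_loopback:
            remote_peers.append(str(peer_ip))
    return {"exposed_listeners": exposed, "remote_peers": remote_peers}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `exposed_listeners` list means the port is bound to loopback only; any entry in `remote_peers` is a host worth accounting for.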
HP representatives told The Register that the company acknowledges the specialists' conclusions, and the problems have already been assigned several identifiers: CVE-2020-6925, CVE-2020-6926 and CVE-2020-6927. Of these, CVE-2020-6926 received a score of 9.9 out of 10 on the CVSS vulnerability rating scale.
The company has already published protective guidelines for its clients.
Administrators are strongly encouraged to upgrade to HP Device Manager 5.0.4 or HP Device Manager 4.7 Service Pack 13 to resolve the issues. All versions of HP Device Manager are reported to contain weak encryption and remote dialing vulnerabilities, while versions 5.0.0 through 5.0.3 are also vulnerable to privilege escalation.