Information security specialists found a hidden backdoor in HP Device Manager

by Emma Davis
October 1, 2020
Backdoor in HP Device Manager
Written by Emma Davis

Cognitous Cyber Security experts told The Register about the backdoor and a number of other issues in HP Device Manager, which is designed to manage HP Thin Client devices.

The researchers explain that the developers seem to have forgotten in the HP Device Manager code an unsecured account that could act as a backdoor. What is worse, this account can be used for privilege escalation, and in combination with another bug, to remotely execute commands with SYSTEM privileges.

This is a privileged account with a single space password. The only mention of it was found in the database log included with HP Device Manager, and the entries in the log date from a time before I even installed the program itself. As a result, anyone with access to a server with HP Device Manager installed can use this account to gain complete control over the server.says Nicky Bloor, a Cognitous Cyber Security expert.

Worse, by examining HP Device Manager with default settings, an expert found that the vulnerability could be exploited remotely, and anyone who could connect to a server running HP Device Manager could gain complete control over that server.

Back in early August, experts tried to notify HP developers about their findings, but at first did not receive a response, and then company representatives asked for the standard 90 days to fix the bug, although they did not confirm that they had studied the vulnerability reports at all, and did not offer any remedial measures for bugs. Finally, Bloor and his team decided not to wait.

I get paid to help people protect their IT environments and applications, and I don’t have time to waste time chasing HP and hoping that in more than 90 days they will still release a patch.says the expert.

Bloor explained that it is not difficult to protect against exploitation of the problem: it is enough to set a strong password for the dm_postgres user of the hpdmdb Postgres database on TCP port 40006 1/4.

HP representatives told The Register that the company acknowledges conclusions of the specialists, and the problems have already been assigned several identifiers: CVE-2020-6925, CVE-2020-6926 and CVE-2020-6927. At the same time, the CVE-2020-6926 vulnerability received 9.9 points out of 10 possible on the CVSS vulnerability rating scale.

The company has already published protective guidelines for its clients.

Administrators are strongly encouraged to upgrade to HP Device Manager 5.0.4 or HP Device Manager 4.7 Service Pack 13 to resolve issues. All versions of HP Device Manager are reported to contain weak encryption and remote dialing vulnerabilities, while versions 5.0.0 through 5.0.3 are also vulnerable to privilege escalation.

Let me remind you that we also talked about the fact that laptops from HP, Dell, Lenovo and other Thunderbolt PCs Can Be Hacked In Less Than 5 Minutes.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending