HP Device Manager: Database backdoor puts Windows at risk

[German]The HP Device Manager used to manage HP thin clients seems to have a backdoor in some versions in the form of a preconfigured user account in a database. This puts the underlying Windows at risk, because ist could be used by attackers to take control of the system.


Advertising

HP Device Manager (HPDM) is a server-based application that provides powerful centralized management capabilities for thin client devices running HP software. HPDM provides centralized management of all HP thin client operating systems, task-based thin client management, etc. The HPDM is designed as a system based on the division of labor between consoles, a server and gateway components.

Backdoor through built-in user account

I became aware of this case via a tweet from The Register. Due to a backdoor, the HP Device Manager (HPDM) allows any user to take over the server network-wide.

HP Device Manager Vulnerability

This was discovered by Nic Bloor, founder of Cognitous Cyber Security, who posted a series of tweets on Twitter at the end of September 2020 with advice, how to mitigate this vulnerability.

PSA: Do you or your clients use HP thin clients and manage them with HP Device Manager? I strongly advise you, firstly, to log on to all servers running HP Device Manager and set a strong password for the "dm_postgres" user of the "hpdmdb" Postgres database on TCP port 40006 1/4

This can be done by running "psql.exe -h 127.0.0.1 -p 40006 -d hpdmdb -U dm_postgres", then when prompted for a password type a single space character to log in, then enter "\password" and type a new password at the prompt. This user is NOT used by the application. 2/4

Secondly, I strongly advise firewalling off TCP ports 1099, 40002, and 40006. The dm_postgres database user account can be used to execute commands, read files, and write files as SYSTEM locally, but TCP 1099 and 40002 provide a means to achieve this remotely, pre-auth. 3/4

TCP ports 1099 and 40002 also leak HPDM usernames and MD5 password hashes to remote unauthenticated users. There are likely more issues with this service, but that's for someone else to work out, I'm done with this one. 4/4

The Register has compiled it a bit in this article.  It seems that an HP developer has created an insecure user account in a database used by the HP Device Manager (HPDM). Nicky Bloor discovered that this account could be exploited to achieve privilege escalation and, in conjunction with other bugs, to execute unauthorized remote code execution as SYSTEM. This allows a system to be taken over completely, because HPDM usually runs on a Windows-based server and manages multiple Windows clients. Anyone who can achieve a vulnerable installation of this HPDM in a network gets administrator-level control of the machine and the thin clients it controls.


Advertising

Bloor, who is in contact with The Register, said that he has looked into the security of the HPDM and has discovered a number of exploitable vulnerabilities. The most serious vulnerability is a hidden PostgreSQL database user account that he identified by examining a log file included with the software. The log files provided hints to the existence of the hidden user account, which can be used as a backdoor if the credentials are known.

"This was a privileged user account with a password consisting of a single space," Bloor said. "The only reference to the user account was in a database log file that came with the HP Device Manager software, where log entries from the time before the software was installed can be viewed".

Bloor said this vulnerability is present in the current versions of HPDM software. However, he is not sure which earlier versions of the software could be affected. He states that he contacted HP on August 3, 2020 to provide details about the vulnerabilities. HP did not respond. Only when he wrote that he intended to release the details in 30 days if the company continued to block, did HP respond on August 19, 2020, that the industry standard for coordinated vulnerability disclosure was 90 days.

That's how much time HO requested to create a patch without answering any of Bloor's questions. At that time, Bloor said, HP had not yet confirmed that it had reviewed and understood the vulnerability reports. Nor had there been any proposal for mitigation or a timetable for fixing the vulnerabilities.

Bloor was not inclined to simply wait for HP. "I get paid to help people secure their IT environments and applications, but I don't have the time to chase after HP and hope that one day in '90+ days' they will come up with a patch that will help me secure my customers' environments," he is quoted by The Register. "The fix for the most serious part of the problem is trivial, so 90+ days is a joke. To emphasize how easy it is to fix the problem, he described this process to the series of tweets quoted above. A security advisory page HP would probably have been created in a few hours, but this did not happen. More details can be found in The Register article. Any of you who use the HP Device Manager?


Advertising

This entry was posted in Security, Software, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).