Critical 0-day vulnerability in HPE Systems Insight Manager (SIM) 7.6.x

Hewlett Packard Enterprise (HPE) has issued a security advisory for a critical vulnerability (a 0-day bug) in HPE Systems Insight Manager (SIM) that affects both the Linux and the Windows version of the product.



I recently came across this tweet from my colleagues at Bleeping Computer, who point out the 0-day vulnerability in HPE’s server management software. 

0-Day vulnerability in HPE server management software

HPE SIM is an automation solution for management and remote support of HPE servers, storage and networking products, including (but not limited to) HPE ProLiant Gen9 and Gen10 servers. The zero-day bug exists in the latest versions of HPE Systems Insight Manager (SIM) for Windows and Linux. The vulnerability, registered as CVE-2020-7200, affects HPE Systems Insight Manager (SIM) 7.6.x.

The RCE vulnerability was reported by Harrison Neal via Trend Micro's Zero Day Initiative and is rated critical by HPE (CVSS v3 base score 9.8). CVE-2020-7200 can be exploited remotely by an unauthenticated attacker with a low-complexity attack that requires no user interaction. The root cause is missing validation of user-supplied data, which leads to the deserialization of untrusted data; a successful exploit lets the attacker execute arbitrary code on servers running the vulnerable software version.

0-day here means that no security update is available yet for this remote code execution (RCE) flaw. HPE's advisory does not say whether the bug is already being exploited in the wild. HPE has published mitigation steps for Windows in the advisory and is working on a fix. Note that the advisory currently lists mitigation steps for Windows only, so Linux installations have no vendor-provided workaround at this point; administrators there should restrict network access to the SIM server until a patch is available.
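The following PowerShell script is an added example and is not code from this post or from HPE. It checks whether the Windows mitigation that HPE's advisory describes for CVE-2020-7200 (removing the federated-search component simsearch.war from the JBoss deploy directory and unregistering the multi-CMS search tool with mxtool) has already been applied on a SIM server, and can optionally carry those steps out. The default install path, the service display-name pattern and the assumption that mxtool is on PATH after the SIM installer has run are assumptions of this example; adjust the parameters for your environment.

```powershell
<#
Added example (not from the blog post or from HPE): read-only check, plus an optional
-Apply mode, for the HPE-documented Windows mitigation for CVE-2020-7200 in HPE SIM 7.6.x.
Assumptions: default install path and service display-name pattern below match a typical
SIM 7.6 installation; mxtool is on PATH. Adjust the parameters if they do not.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SimInstallPath = 'C:\Program Files\HP\Systems Insight Manager',  # assumed default
    [string]$ServicePattern = '*Systems Insight Manager*',                    # assumed display name
    [switch]$Apply
)

if (-not (Test-Path -LiteralPath $SimInstallPath)) {
    throw "SIM install path not found: $SimInstallPath (pass -SimInstallPath)"
}

$warPath = Join-Path $SimInstallPath 'jboss\server\hpsim\deploy\simsearch.war'
$service = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern } | Select-Object -First 1

# Check: if simsearch.war is still in the deploy directory, the federated search
# component that the mitigation removes is still deployed on this server.
if (-not (Test-Path -LiteralPath $warPath)) {
    Write-Host "MITIGATED: $warPath is not present." -ForegroundColor Green
    return
}
Write-Host "NOT MITIGATED: $warPath is still deployed." -ForegroundColor Red
if (-not $service) {
    Write-Warning "No service matching '$ServicePattern' found; SIM cannot be stopped/started automatically."
}
if (-not $Apply) {
    Write-Host 'Re-run with -Apply (optionally with -WhatIf) to carry out the HPE-documented steps.'
    return
}
if (-not (Get-Command mxtool -ErrorAction SilentlyContinue)) {
    throw 'mxtool not found on PATH; run the script from an environment where the SIM tools are available.'
}

# HPE's Windows mitigation, in order: stop the SIM service, delete simsearch.war, start the
# service again, then, once the web UI on port 50000 answers, unregister the multi-CMS
# search tool with: mxtool -r -f tools\multi-cms-search.xml (run from the install path).
if ($PSCmdlet.ShouldProcess($warPath, 'Remove simsearch.war and unregister multi-CMS search')) {
    if ($service) {
        Stop-Service -Name $service.Name -Force
        $service.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
    Remove-Item -LiteralPath $warPath -Force
    if ($service) {
        Start-Service -Name $service.Name
        $service.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    }

    # Wait for something to listen on the SIM web port. This is a TCP check only; the JBoss
    # deployment may still be finishing, so the mxtool call below is retried a few times.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 10
        $up = Test-NetConnection -ComputerName localhost -Port 50000 -InformationLevel Quiet -WarningAction SilentlyContinue
    } until ($up -or (Get-Date) -gt $deadline)
    if (-not $up) { throw 'SIM web port 50000 did not come up within 10 minutes; run the mxtool step manually.' }

    Push-Location $SimInstallPath
    try {
        $attempt = 0
        do {
            $attempt++
            & mxtool -r -f 'tools\multi-cms-search.xml' *> $null
            $ok = ($LASTEXITCODE -eq 0)
            if (-not $ok) { Start-Sleep -Seconds 30 }
        } until ($ok -or $attempt -ge 5)
    } finally {
        Pop-Location
    }

    if ($ok) {
        Write-Host 'Mitigation applied; confirm in the SIM UI that multi-CMS search is no longer offered.' -ForegroundColor Green
    } else {
        Write-Warning 'mxtool -r returned a non-zero exit code; run it manually from the SIM install path.'
    }
}
```

Run it without parameters on the SIM server to get a pass/fail verdict, and with `-Apply -WhatIf` to see what it would change before letting it touch the service. The absence of simsearch.war is evidence that the workaround was applied, not proof that the host is otherwise unexposed: the workaround disables the federated search feature, and the actual fix is the HPE update once it is released.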
