
HPE discloses critical zero-day in server management software

HPE has disclosed a zero-day vulnerability in the latest version of its proprietary HPE Systems Insight Manager (SIM) software for Windows and Linux.

Although there is no security update yet for this remote code execution (RCE) vulnerability, HPE has published mitigation information for Windows and is working on a fix for the zero-day.

A zero-day is a publicly disclosed vulnerability that has not yet been patched by the vendor and that, in some cases, is already being actively exploited in the wild or has a publicly available proof-of-concept exploit.

HPE SIM is a management and remote support automation solution for multiple HPE server, storage and networking products, including but not limited to HPE ProLiant Gen10 and HPE ProLiant Gen9 servers.

Critical severity RCE
The vulnerability, reported by Harrison Neal through Trend Micro's Zero Day Initiative, is tracked as CVE-2020-7200 and affects HPE Systems Insight Manager (SIM) 7.6.x.

HPE rates CVE-2020-7200 as a critical (9.8 / 10) security vulnerability that unprivileged attackers can exploit in a low-complexity attack that requires no user interaction.

The vulnerability is caused by a lack of proper validation of user-supplied data, which can lead to the deserialization of untrusted data and allows an attacker to execute code on a server running the vulnerable software.

HPE did not say in its security bulletin whether the zero-day is also being exploited in the wild.

HPE SIM supports both Linux and Windows operating systems, but HPE has so far only released mitigation information for preventing attacks on Windows systems.

Earlier today, BleepingComputer contacted an HPE spokesperson for more information about the affected platforms and about any ongoing exploitation.

Available mitigations
Hewlett Packard Enterprise has included mitigation information in the CVE-2020-7200 security bulletin; it requires disabling the "Federated Search" and "Federated CMS Configuration" features, through which the vulnerability is exposed.

"Future releases will provide a complete fix to prevent the remote code execution vulnerability," the security advisory reads.

System administrators using HP SIM management software should follow these steps to prevent CVE-2020-7200 attacks:

1. Stop the HP SIM service.
2. Delete the file C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war.
3. Restart the HP SIM service.
4. Wait for the HP SIM web page https://SIM_IP:50000 to become accessible, then run the following command from a command prompt: mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul

According to HPE, once the mitigation is applied, HPE SIM users will no longer be able to use the Federated Search feature.
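The following PowerShell script is an added example, not code from the HPE bulletin or from BleepingComputer. Run without parameters it only checks whether the vulnerable Federated Search web application (simsearch.war) is still deployed, which is a useful audit on every Windows SIM host; with -Apply it carries out the four mitigation steps above in order. The SIM install root, the Windows service name, the mxtool location and the SIM_IP placeholder are assumptions that must be adjusted for the host; they are not stated on the page.

```powershell
# Added example: audit and (optionally) apply the CVE-2020-7200 mitigation on a
# Windows HPE SIM host. Not the vendor's script; paths and names below are assumed.
param(
    [switch]$Apply,
    # Assumed install root; adjust if SIM was installed elsewhere.
    [string]$SimRoot = 'C:\Program Files\HP\Systems Insight Manager',
    # Assumed service name; confirm with Get-Service *Insight* before use.
    [string]$ServiceName = 'HP Systems Insight Manager',
    # Replace SIM_IP with the server's address (placeholder from the bulletin).
    [string]$SimUrl = 'https://SIM_IP:50000'
)

$war = Join-Path $SimRoot 'jboss\server\hpsim\deploy\simsearch.war'

function Test-SimSearchMitigated {
    # The mitigation removes the Federated Search web application. If the archive
    # (or an exploded directory with the same name) is still present, the
    # vulnerable component is still deployed.
    return -not (Test-Path -LiteralPath $war)
}

if (-not $Apply) {
    if (Test-SimSearchMitigated) {
        Write-Output "OK: simsearch.war is not present under $SimRoot"
        exit 0
    }
    Write-Output "WARNING: simsearch.war is still deployed at $war (CVE-2020-7200 mitigation not applied)"
    exit 1
}

# Step 1: stop the HP SIM service.
Stop-Service -Name $ServiceName -ErrorAction Stop

# Step 2: delete simsearch.war (the Federated Search web application).
if (Test-Path -LiteralPath $war) {
    Remove-Item -LiteralPath $war -Recurse -Force -ErrorAction Stop
}

# Step 3: restart the HP SIM service.
Start-Service -Name $ServiceName -ErrorAction Stop

# Step 4: wait until the SIM web page answers, then unregister the
# federated search tool with mxtool, exactly as the bulletin's command does.
$deadline = (Get-Date).AddMinutes(10)
$ready = $false
do {
    try {
        # SIM commonly serves a self-signed certificate; -SkipCertificateCheck
        # requires PowerShell 7 or later.
        $resp = Invoke-WebRequest -Uri $SimUrl -UseBasicParsing -TimeoutSec 10 -SkipCertificateCheck
        $ready = ($resp.StatusCode -eq 200)
    } catch {
        Start-Sleep -Seconds 15
    }
} until ($ready -or ((Get-Date) -gt $deadline))

if (-not $ready) { throw "SIM page $SimUrl not reachable within 10 minutes; mxtool step not run" }

# The bulletin's command uses a path relative to the SIM install directory,
# so run it from there. mxtool is assumed to be on PATH or in $SimRoot\bin.
Push-Location $SimRoot
try {
    & mxtool -r -f 'tools\multi-cms-search.xml' *> $null
} finally {
    Pop-Location
}

if (Test-SimSearchMitigated) { Write-Output "Mitigation applied: simsearch.war removed." }
```

The audit mode is the part worth scheduling: a later SIM upgrade or reinstall can redeploy simsearch.war, so re-checking for the archive after any change to the host tells you whether the mitigation still holds until a vendor fix is installed.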