HPE discloses critical zero-day in Systems Insight Manager

HPE has disclosed a zero-day vulnerability in the latest versions of its HPE Systems Insight Manager (SIM) software for both Windows and Linux.

Hewlett Packard Enterprise (HPE) has disclosed a zero-day remote code execution flaw that affects the latest versions of its HPE Systems Insight Manager (SIM) software for Windows and Linux.

HPE SIM is a management and remote support automation solution for multiple HPE solutions, including servers, storage, and networking products.

The flaw stems from the lack of proper validation of user-supplied data that can result in the deserialization of untrusted data. The vulnerability could be exploited by attackers with no privileges without user interaction.

“A potential security vulnerability has been identified in HPE Systems Insight Manager (SIM) version 7.6. The vulnerability could be exploited to allow remote code execution.” reads the security advisory.

At the time of this writing, the issue is yes to be fixed, the IT giant only provided mitigations for Windows while it is working to address the issue.

The zero-day flaw, tracked as CVE-2020-7200, was discovered by the researcher Harrison Neal that reported it through the Trend Micro’s Zero Day Initiative.

The vulnerability affects HPE Systems Insight Manager (SIM) 7.6.x., it received a severity score of 9.8/10.

HPE did not reveal if it is aware of attacks in the wild exploiting the zero-day vulnerability.

To avoid exploitation of the issue, the company recommends removing the “Federated Search” & “Federated CMS Configuration” feature with this step-by-step procedure:

1. Stop HPE SIM Service
2. Delete <C:Program FilesHPSystems Insight Managerjbossserverhpsimdeploysimsearch.war> file from sim installed path del /Q /F C:Program FilesHPSystems Insight Managerjbossserverhpsimdeploysimsearch.war
3. Restart HPE SIM Service
4. Wait for HPE SIM web page “https://SIM_IP:50000” to be accessible and execute the following command from command prompt. mxtool -r -f toolsmulti-cms-search.xml 1>nul 2>nul

Pierluigi Paganini

(SecurityAffairs – hacking, HPE Systems Insight Manager)

The post HPE discloses critical zero-day in Systems Insight Manager appeared first on Security Affairs.