The computer and its accessories manufacturer, HP has released a security advisory to users, warning about critical bugs in its HP Device Manager feature. The bugs, if exploited, could eventually let hackers in via backdoor, posses elevated system privileges and dictionary attacks. HP has released an updated version to patch one of the three bugs and suggested remedies for the other two.
HP Device Manager Backdoor Flaws
The HP Device Manager is a management software used by system admins in a network to access and operate the thin clients in a network for several tasks. The maker of it has released a security advisory earlier this week, that warns users about three bugs that can be chained together to exploit and completely take over the target system.
The bugs were initially discovered by Nick Bloor, a security researcher who revealed them in a series of tweets. The three bugs tracked as CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927 are given the severity scores of 7/10, 9.9/10, and 8/10 respectively.
Starting with the CVE-2020-6925, HP says it affects all the versions of Device Manager because of a “weak cipher”.
Thus, it exposes the local HP Device Manager managed accounts to dictionary attacks but does not affect the users who’re using the Active Directory authenticated accounts. The next, CVE-2020-6926 also affects all the versions of HP Device Manager, which can be exploited to gain unauthorized access to system resources.
The last of three, CVE-2020-6927 is a flaw in the PostgreSQL database, which has its password set as a simple “space”! This weakness can be exploited by hackers to gain elevated system privileges via the database backdoor. While HP has released a new version of Device Manager (v5.0.4) to patch this third bug, others are still exposed.
Yet, the company has given remediation measures to mitigate the risk partially. These include;
- Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
- Remove the dm_postgres account from the Postgres database; or
- Update the dm_postgres account password within HP Device Manager Configuration Manager; or
- Within Windows Firewall configuration create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.