Hidden Backdoor Account Discovered in HP Device Manager

HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account that undermines network security, a UK-based consultant has warned.


Nicky Bloor, founder of Cognitous Cyber Security, reports that an HP Inc programmer appears to have set up an insecure user account in a database within HP Device Manager (HPDM). He found that the account can be exploited to achieve privilege escalation and, in conjunction with other flaws, gain unauthorized remote command execution as SYSTEM.


This is bad: if you can reach a vulnerable installation of this device manager on a network, you can gain admin-level control over its machine and the thin clients it controls. HPDM typically runs on a Windows-powered server, and directs multiple Windows clients.


Bloor told The Reg on Tuesday he had been looking into the security of HPDM and spotted a series of weaknesses he was able to exploit. The most concerning of these, he said, was a backdoor database user account, which he identified by examining a log file included with the software. It appears this log file details operations performed on the device manager's PostgreSQL database during the software's development, revealing the existence of the hidden user account.
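A defender can apply the same kind of review to log files that ship with, or are produced by, a PostgreSQL-backed product. The sketch below is an added example, not code from the article, HP or Cognitous: it scans statement-log lines for role creation or alteration and flags privileged attributes, whitespace-only passwords (such as the single-space one reported for this account) and roles missing from an allowlist. The log lines, role names and the `documented_roles` allowlist are constructed, and the line format assumes PostgreSQL statement logging is enabled.

```python
import re

# Constructed sample in PostgreSQL statement-log style. Role names and
# passwords are invented for illustration, not taken from HP Device Manager.
SAMPLE_LOG = """\
2020-01-01 10:00:00 UTC LOG:  statement: CREATE DATABASE appdb;
2020-01-01 10:00:01 UTC LOG:  statement: CREATE USER app_rw WITH PASSWORD 'S3cure-Example-Pw';
2020-01-01 10:00:02 UTC LOG:  statement: CREATE ROLE dev_admin WITH SUPERUSER LOGIN PASSWORD ' ';
2020-01-01 10:00:03 UTC LOG:  statement: ALTER ROLE app_rw CREATEDB;
2020-01-01 10:00:04 UTC LOG:  statement: SELECT 1;
"""

ROLE_STMT = re.compile(
    r'\b(CREATE|ALTER)\s+(?:USER|ROLE)\s+"?([A-Za-z_][\w$]*)"?(.*)', re.IGNORECASE)
PASSWORD = re.compile(r"\bPASSWORD\s+'((?:[^']|'')*)'", re.IGNORECASE)
PRIVILEGED = re.compile(
    r"\b(SUPERUSER|CREATEROLE|CREATEDB|REPLICATION|BYPASSRLS)\b", re.IGNORECASE)


def audit_role_statements(log_text, documented_roles):
    """Return one finding per CREATE/ALTER USER|ROLE statement in the log.

    documented_roles is a hypothetical allowlist of accounts the vendor or
    operator expects to exist. Password values are never copied into findings.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = ROLE_STMT.search(line)
        if not match:
            continue
        action, role, options = match.groups()
        # \b keeps NOSUPERUSER / NOCREATEDB from matching as privileges.
        issues = sorted({p.upper() for p in PRIVILEGED.findall(options)})
        password = PASSWORD.search(options)
        if password is not None and password.group(1).strip() == "":
            issues.append("BLANK_PASSWORD")  # empty or whitespace-only
        if role.lower() not in documented_roles:
            issues.append("UNDOCUMENTED_ROLE")
        findings.append({"line": lineno, "action": action.upper(),
                         "role": role, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_role_statements(SAMPLE_LOG, {"app_rw"}):
        if finding["issues"]:
            print(finding)
```

Any role the scan reports should also be checked against the live database's role catalogue, since a log only shows statements that happened to be recorded.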



Anyone with access to a server where HP Device Manager is installed could use this user account to gain complete control over the server



"This was a privileged user account with a password consisting of a single space character," Bloor said. "The only reference to the user account was in a database log file included with the HP Device Manager software where log entries can be seen ..
