HP StorageWorks 1/8 G2 Tape Autoloader - privilege escalation, DOS

A vulnerability was found in Web Administration Interface of device HP StorageWorks 1/8 G2 Tape Autoloader.

Default unprivileged user can escalate privileges to the administrator and execute DOS attack.

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-011

Application: HP StorageWorks 1/8 G2 Tape Autoloader

Versions Affected: firmware v 2.30 and earlier

Vendor URL: http://hp.com/

Bug: Privilege escalation

Exploits: YES

Reported: 30.09.2008

Vendor Response: 30.09.2008

Date of Public Advisory: 11.01.2010

Solution: yes

CVE: CVE-2009-2680

CVSS 2.0: 8.5

Author: Alexandr Polyakov

Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description

***********

A default unprivileged user can escalate privileges to the administrator.

Details

*******

An attacker can connect with standard credentials

(username: user and password: user).

After that he can see the cookies like that:

RMU_LEVEL 1

RMU_LOGIN 9999

RMU_SESSION 5

Then if he changes the RMU_LEVEL parameter to 2, he can be authorized as administrator.

After that he can do anything possible using administrative rights.

Solution

********

Install the following patches

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01868405

References

**********

http://dsecrg.com/pages/vul/show.php?id=111

About

*****

Digital Security is one of the leading IT security companies in CEMEA,

providing information security consulting, audit and penetration

testing services, risk analysis and ISMS-related services and

certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital

Security Research Group focuses on web application and database

security problems with vulnerability reports, advisories and

whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com

http://www.dsecrg.com