ZDI-11-094: (0 day) Hewlett-Packard StorageWorks File Migration Agent Remote Archive Tampering Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-094

February 28, 2011

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard StorageWorks

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10854. 
For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to compromise the archive
records on vulnerable installations of HP StorageWorks File Migration
Agent. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the HsmCfgSvc.exe service responsible
for managing archive stores. The archive manager is susceptible to
tampering due to a failure to enforce authentication from remote users.
An attacker could exploit this flaw to compromise the server managing
the archives and arbitrarily modify the archive data store under the
context of the File Migration Agent software.

-- Vendor Response:
February 23, 2011 - This vulnerability is being disclosed publicly without a 
patch in accordance with the ZDI 180 day deadline.

--Mitigations:
The overall design of the File Migration Agent (FMA) assumes it runs as
an application on a Windows server. Given the stated purpose of FMA, and
the nature of the vulnerability, the only salient mitigation strategy is
to restrict interaction with the service to trusted machines. Only the
clients and servers that have a legitimate procedural relationship with
the HP StorageWorks File Migration Agent should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features are
available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx
and
numerous other Microsoft Knowledge Base articles.

-- Disclosure Timeline:
2010-08-25 - Vulnerability reported to vendor
2011-02-28 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * AbdulAziz Hariri

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi