=====[BEGIN-ACROS-REPORT]===== PUBLIC ========================================================================= ACROS Security Problem Report #2007-05-14-1 ------------------------------------------------------------------------- ASPR #2007-05-14-1: Session Fixation Vulnerability in HP SIM 5.0 ========================================================================= Document ID: ASPR #2007-05-14-1-PUB Vendor: HP (http://www.hp.com) Target: HP Systems Insight Manager Impact: A session fixation vulnerability in HP SIM 5.0 SP4/5 can be exploited to run arbitrary comands on the servers system Severity: High Status: Fixed in SIM 5.1 Discovered by: Luka Treiber and Aljosa Ocepek of ACROS Security Current version http://www.acrossecurity.com/aspr/ASPR-2007-05-14-1-PUB.txt Summary ======= There is a session fixation vulnerability [1] in HP Systems Insight Manager 4.2 and 5.0 SP4/5 (IM) that allows an attacker to gain administrative access to IM console. As a result, the attacker can take complete administrative control over all managed systems, upload and execute malicious code on them, extract any information from them and disable them at her will. Product Coverage ================ - HP Systems Insight Manager 4.2 - affected - HP Systems Insight Manager 5.0 SP4 - affected - HP Systems Insight Manager 5.0 SP5 - affected - HP Systems Insight Manager 5.1 - not affected Analysis ======== The Systems Insight Manager web application is using a JSESSIONID session cookie for maintaining a session with administrator's browser. Apparently, the console is vulnerable to session fixation [1] and allows an attacker to obtain the session cookie, fix it on administrator's browser and thus force him to use that cookie when subsequently logging into the administration console. Once the administrator is logged in, the attacker can use the same cookie to enter the already logged-in session and assume the identity of the administrator. After gaining administrative rights, an attacker can do anything the administrator could do, including executing arbitrary commands on all managed computers. In SIM Service Pack 4, a new cookie JSESSIONIDSSO was introduced to fix this issue; however, it was possible to bypass checks for the JSESSIONIDSSO cookie and thus still attack the SIM administrator with a fixed JSESSIONID cookie. Solution ======== HP has released a newer version of SIM (SIM 5.1) which fixes this issue. References ========== [1] ACROS Security, "Session Fixation Vulnerability in Web-based Applications" http://www.acrossecurity.com/papers/session_fixation.pdf [2] Hewlett-Packard Security Bulletin http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp? objectID=c01049713 Acknowledgments =============== We would like to acknowledge HP Software Security Response Team (SSRT) for diligent and professional handling of the identified vulnerability. Contact ======= ACROS d.o.o. Makedonska ulica 113 SI - 2000 Maribor e-mail: security@acrossecurity.com web: http://www.acrossecurity.com phone: +386 2 3000 280 fax: +386 2 3000 282 ACROS Security PGP Key http://www.acrossecurity.com/pgpkey.asc [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD] ACROS Security Advisories http://www.acrossecurity.com/advisories.htm ACROS Security Papers http://www.acrossecurity.com/papers.htm ASPR Notification and Publishing Policy http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm Disclaimer ========== The content of this report is purely informational and meant only for the purpose of education and protection. ACROS d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and demonstrations are used only for explanatory purposes and have no connection with any real host, company or individual. In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at user's risk. Revision History ================ May 14, 2007: Initial release Copyright ========= (c) 2007 ACROS d.o.o. Forwarding and publishing of this document is permitted providing the content between "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" marks remains unchanged. =====[END-ACROS-REPORT]=====