[DSECRG-09-011] HP StorageWorks 1/8 G2 Tape Autoloader - privilege escalation, DOS

A vulnerability was found in the Web Administration Interface of the HP StorageWorks 1/8 G2 Tape Autoloader. The default unprivileged user can escalate privileges to administrator and execute a DoS attack.

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-011

Application:             HP StorageWorks 1/8 G2 Tape Autoloader
Versions Affected:       firmware v 2.30 and earlier
Vendor URL:              http://hp.com/
Bug:                     Privilege escalation
Exploits:                YES
Reported:                30.09.2008
Vendor Response:         30.09.2008
Date of Public Advisory: 11.01.2010
Solution:                yes
CVE:                     CVE-2009-2680
CVSS 2.0:                8.5
Author:                  Alexandr Polyakov
                         Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

A vulnerability was found in the Web Administration Interface of the HP StorageWorks 1/8 G2 Tape Autoloader. The default unprivileged user can escalate privileges to administrator.

Details
*******

An attacker can connect with the standard credentials (username: user, password: user). After that he can see cookies like these:

RMU_LEVEL   1
RMU_LOGIN   9999
RMU_SESSION 5

Then, if he changes the RMU_LEVEL parameter to 2, he is authorized as administrator. After that he can do anything possible with administrative rights.

Solution
********

Install the following patches:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01868405

References
**********

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01868405
http://dsecrg.com/pages/vul/show.php?id=111

About
*****

Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards.

Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
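The root cause in the Details section is an authorization decision made from a client-controlled cookie. The following is an added example, not code from the advisory or from HP's firmware: a minimal model of a handler that trusts RMU_LEVEL next to a hardened one that derives the privilege level from server-side session state keyed by RMU_SESSION and records a mismatch between the claimed and the assigned level. The cookie names come from the advisory; the session store, the role levels and the audit list are constructed for this example.

```python
"""Added example (not the advisory's or HP's code): client-trusted vs
server-side privilege lookup for a cookie-based web admin session."""
from http.cookies import SimpleCookie

# Constructed server-side session store: RMU_SESSION value -> state assigned at login.
# Level 1 = unprivileged "user", level 2 = administrator (levels as in the advisory).
SESSIONS = {
    "5": {"login": "9999", "level": 1},   # the default unprivileged user
    "7": {"login": "1", "level": 2},      # a real administrator login
}
ADMIN_LEVEL = 2


def parse_cookies(header):
    """Parse a Cookie request header into a plain dict of name -> value."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_is_admin(cookie_header):
    """The flaw described in the advisory: the privilege level is read
    straight from the RMU_LEVEL cookie, so the client decides its own role."""
    cookies = parse_cookies(cookie_header)
    return cookies.get("RMU_LEVEL") == str(ADMIN_LEVEL)


def hardened_is_admin(cookie_header, sessions=SESSIONS, audit=None):
    """Fixed version: the role comes only from server-side session state.
    A client-supplied RMU_LEVEL is never used for the decision; if it
    disagrees with the server's record, the mismatch is appended to
    `audit` (constructed here as a list) so it can be alerted on."""
    cookies = parse_cookies(cookie_header)
    session_id = cookies.get("RMU_SESSION", "")
    session = sessions.get(session_id)
    if session is None:
        return False  # unknown or expired session: no privileges at all
    claimed = cookies.get("RMU_LEVEL")
    if claimed is not None and claimed != str(session["level"]):
        if audit is not None:
            audit.append(
                f"level mismatch: session={session_id} login={session['login']} "
                f"claimed={claimed} assigned={session['level']}"
            )
    return session["level"] == ADMIN_LEVEL


if __name__ == "__main__":
    # Constructed Cookie headers: the original, and the same session with RMU_LEVEL changed to 2.
    original = "RMU_LEVEL=1; RMU_LOGIN=9999; RMU_SESSION=5"
    tampered = "RMU_LEVEL=2; RMU_LOGIN=9999; RMU_SESSION=5"
    log = []
    print("vulnerable, tampered:", vulnerable_is_admin(tampered))
    print("hardened,   tampered:", hardened_is_admin(tampered, audit=log))
    print("audit:", log)
```

The hardened handler shows the two properties the fix needs: the privilege level is bound to the session id on the server, so changing the cookie has no effect, and the disagreement between the claimed and assigned level is itself a useful detection signal for the device's logs.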