[NEWS] HP SIM 5.0 Session Fixation Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



HP SIM 5.0 Session Fixation Vulnerability
------------------------------------------------------------------------


SUMMARY

There is a session fixation vulnerability in HP Systems Insight Manager
4.2 and 5.0 SP4/5 (IM) that allows an attacker to gain administrative
access to IM console. As a result, the attacker can take complete
administrative control over all managed systems, upload and execute
malicious code on them, extract any information from them and disable them
at her will.

DETAILS

Vulnerable Systems:
* HP Systems Insight Manager version 4.2
* HP Systems Insight Manager version 5.0 SP4
* HP Systems Insight Manager version 5.0 SP5

Immune Systems:
* HP Systems Insight Manager version 5.1

The Systems Insight Manager web application is using a JSESSIONID session
cookie for maintaining a session with administrator's browser. Apparently,
the console is vulnerable to session fixation and allows an attacker to
obtain the session cookie, fix it on administrator's browser and thus
force him to use that cookie when subsequently logging into the
administration console. Once the administrator is logged in, the attacker
can use the same cookie to enter the already logged-in session and assume
the identity of the administrator.

After gaining administrative rights, an attacker can do anything the
administrator could do, including executing arbitrary commands on all
managed computers. In SIM Service Pack 4, a new cookie JSESSIONIDSSO was
introduced to fix this issue; however, it was possible to bypass checks
for the JSESSIONIDSSO cookie and thus still attack the SIM administrator
with a fixed JSESSIONID cookie.

Solution:
HP has released a newer version of SIM (SIM 5.1) which fixes this issue.


ADDITIONAL INFORMATION

The information has been provided by <mailto:lists@xxxxxxxx> ACROS
Security.
The original article can be found at:
<http://www.acrossecurity.com/aspr/ASPR-2007-05-14-1-PUB.txt>
http://www.acrossecurity.com/aspr/ASPR-2007-05-14-1-PUB.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] Wordpress Cookie Integrity Protection Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Wordpress Cookie Integrity Protection Vulnerability ... USERNAME: The username for the authenticated user ...
    (Securiteam)
  • [NT] Citrix NetScaler Web Management Cookie Weakness
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Citrix NetScaler Web Management Cookie Weakness ... the attacker might be able to impersonate the user for the duration ... plaintext information stored by it by using a chosen plaintext attack. ...
    (Securiteam)
  • [NEWS] DLink-614+ Script Injection Through DHCP HOSTNAME Option
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... It is possible to inject malicious script through the DHCP HOSTNAME option ... one can inject a script designed to force the administrator ...
    (Securiteam)
  • [NEWS] Fortigate Firewall Web Interface Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... obtain an administrative username and password of the Fortigate firewall. ... remote attacker can trick an administrator into revealing his credentials. ... Web Filter Log Passes Unfiltered Session Details ...
    (Securiteam)
  • [NEWS] Multiple Vendor HTTP User Agent Cookie Path Traversal Issue
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The cookie specifications detail a path argument that can be used to ... and standard encoding techniques the path restriction functionality can be ...
    (Securiteam)