HP has disclosed three critical vulnerabilities in HP Device Manager that could be used to compromise Windows systems. The three vulnerabilities have been assigned CVE-2020-6925, CVE-2020-6926 and CVE-2020-6927.
HP Device Manager is the software administrators use to manage remote HP thin clients.
HP was informed of the three vulnerabilities by security researchers. According to them, an attacker could exploit the flaws to gain SYSTEM privileges on targeted devices and take control of them.
"Vulnerabilities have been identified in some versions of HP Device Manager," says HP. "These vulnerabilities may allow 'locally managed accounts' in Device Manager to be vulnerable to dictionary attacks due to weak encryption algorithms (CVE-2020-6925). A malicious hacker could acquire remote access to resources (CVE-2020-6926) and/or acquire SYSTEM rights (CVE-2020-6927)."
The vulnerabilities are rated critical because, used together, they let an attacker run dictionary attacks against Device Manager accounts, gain remote access to resources and escalate to SYSTEM privileges on the Windows systems running the software.
The first vulnerability (CVE-2020-6925) stems from the use of weak encryption and exposes locally managed accounts to dictionary attacks. It affects all versions of HP Device Manager, but not deployments whose accounts are authenticated through Active Directory.
The third vulnerability (CVE-2020-6927) could allow remote attackers to gain SYSTEM privileges through the bundled PostgreSQL database. It does not affect customers who use an external database (such as Microsoft SQL Server) and have not installed the built-in Postgres service. The affected versions are 5.0.0 to 5.0.3.
According to SecurityAffairs, HP has not yet released security updates for CVE-2020-6925 and CVE-2020-6926. CVE-2020-6927, however, has been fixed in Device Manager 5.0.4.
Until patches for the remaining two issues are available, HP has published mitigations that Device Manager users can apply:
- Restrict access to ports 1099 and 40002 to trusted IP addresses or to local services only.
- Remove the dm_postgres account from the Postgres database, or change the dm_postgres account password in Device Manager Configuration Manager.
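The following PowerShell script is an added example of how an administrator might apply and verify those two mitigations on the Device Manager host; it is not HP's script and is not taken from the advisory. The trusted address list, the firewall rule names, the psql.exe path and the Postgres connection parameters are assumptions that must be adapted to the actual installation. Run it from an elevated shell on the server.

```powershell
# Added example for HP's two mitigations (not HP's code). All values marked "assumption" must be adapted.
#Requires -RunAsAdministrator

$TrustedAddresses = @('10.0.10.0/24', '10.0.20.5')   # assumption: admin subnet plus one management host
$HpdmPorts        = @('1099', '40002')               # the two ports HP asks to restrict
$PsqlPath         = 'C:\Program Files\PostgreSQL\bin\psql.exe'  # assumption: path of the psql.exe you use
$PgConnection     = @('-h', '127.0.0.1', '-p', '5432', '-U', 'postgres', '-d', 'postgres')  # assumption
$RuleSuffix       = ' - trusted hosts only'          # assumption: naming convention for the rules we create

# Mitigation 1: an inbound Allow rule per port, scoped to the trusted addresses. Re-creating the
# rule each run keeps the script idempotent.
function Set-HpdmPortRules {
    foreach ($port in $HpdmPorts) {
        $name = "HPDM TCP $port$RuleSuffix"
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Profile Any `
            -Protocol TCP -LocalPort $port -RemoteAddress $TrustedAddresses | Out-Null
    }
}

# Windows Firewall cannot express "all addresses except these", so the scoped Allow only restricts
# access if every profile's default inbound action is Block (NotConfigured also means Block)
# and no other enabled rule opens the same port more widely. These two checks surface both gaps.
function Get-ProfilesNotBlockingInbound {
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' } |
        Select-Object Name, Enabled, DefaultInboundAction
}

function Get-ConflictingAllowRules {
    Get-NetFirewallPortFilter |
        Where-Object {
            $_.Protocol -eq 'TCP' -and
            (@($_.LocalPort) | Where-Object { $_ -eq 'Any' -or $HpdmPorts -contains $_ })
        } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
            $_.DisplayName -notlike "*$RuleSuffix"
        } |
        Select-Object DisplayName, Profile, DisplayGroup
}

# Mitigation 2: rotate the dm_postgres password to a random value instead of leaving the default.
function New-RandomPassword([int]$Bytes = 24) {
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    # Base64 never contains a quote character, so the value is safe inside the SQL literal below.
    [Convert]::ToBase64String($buf)
}

function Test-DmPostgresRoleExists {
    $out = & $PsqlPath @PgConnection -tA -v ON_ERROR_STOP=1 -c "SELECT 1 FROM pg_roles WHERE rolname = 'dm_postgres';"
    if ($LASTEXITCODE -ne 0) { throw "psql failed with exit code $LASTEXITCODE" }
    return (([string]$out).Trim() -eq '1')
}

function Reset-DmPostgresPassword {
    $newPassword = New-RandomPassword
    & $PsqlPath @PgConnection -v ON_ERROR_STOP=1 -c "ALTER ROLE dm_postgres WITH PASSWORD '$newPassword';"
    if ($LASTEXITCODE -ne 0) { throw "psql failed with exit code $LASTEXITCODE" }
    # The Device Manager server still authenticates as dm_postgres: enter the new value in
    # Device Manager Configuration Manager as HP's guidance says, or the server loses its database.
    return $newPassword
}

# Usage
Set-HpdmPortRules
Get-ProfilesNotBlockingInbound      # anything listed here undermines the scoped Allow rules
Get-ConflictingAllowRules           # review and disable rules that open 1099/40002 more widely
if (Test-DmPostgresRoleExists) {
    $pw = Reset-DmPostgresPassword
    Write-Host "dm_postgres password rotated; update it in Device Manager Configuration Manager."
}
```

HP offers the removal of the dm_postgres account as the alternative to rotating its password; the script deliberately takes the rotation path because dropping the role without first reconfiguring Device Manager would leave the server unable to reach its own database. Treat the returned password as a secret: store it in the Configuration Manager and clear `$pw` from the session afterwards.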