Hewlett-Packard Intelligent Management Center CommonUtils Static DES/ECB Decryption Key VulnerabilityZDI-13-241: October 16th, 2013
This vulnerability allows remote attackers to obtain sensitive information on vulnerable installations of Hewlett-Packard Intelligent Management Center. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the CommonUtil class. This application uses a static key and the DES algorithm in ECB mode to store Administrator credentials. A remote attacker can use this vulnerability in conjunction with other vulnerabilities to disclose administrative credentials and possibly leverage this situation to achieve remote code execution.
Vendor ResponseHewlett-Packard has issued an update to correct this vulnerability. More details can be found at:
2012-11-19 - Vulnerability reported to vendor
2013-10-16 - Coordinated public release of advisory
CreditThis vulnerability was discovered by:
Andrea Micalizzi aka rgod