Advisory Details

October 16th, 2013

Hewlett-Packard Intelligent Management Center CommonUtils Static DES/ECB Decryption Key Vulnerability

ZDI-13-241
ZDI-CAN-1645

CVE ID CVE-2013-4825
CVSS SCORE 4.9, (AV:L/AC:L/Au:N/C:C/I:N/A:N)
AFFECTED VENDORS Hewlett-Packard
AFFECTED PRODUCTS Intelligent Management Center
VULNERABILITY DETAILS


This vulnerability allows remote attackers to obtain sensitive information on vulnerable installations of Hewlett-Packard Intelligent Management Center. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the CommonUtil class. This application uses a static key and the DES algorithm in ECB mode to store Administrator credentials. A remote attacker can use this vulnerability in conjunction with other vulnerabilities to disclose administrative credentials and possibly leverage this situation to achieve remote code execution.

ADDITIONAL DETAILS Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547
DISCLOSURE TIMELINE
  • 2012-11-19 - Vulnerability reported to vendor
  • 2013-10-16 - Coordinated public release of advisory
CREDIT Andrea Micalizzi aka rgod
BACK TO ADVISORIES