|CVSS SCORE||10.0, (AV:N/AC:L/Au:N/C:C/I:C/A:C)|
The specific flaw exists within the Hewlett-Packard Client Automation agent. An attacker can send arbitrary commands to the agent. An attacker can leverage this vulnerability to execute code under the context of the SYSTEM.
06/15/2015 - ZDI asked HP SSRT for a contact.
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
-- Vendor Mitigation:
Guidelines to secure the remote notify feature:
|CREDIT||Matt Molinyawe - HP Zero Day Initiative