Public Vulnerability Reports

HP StorageWorks P4000 Virtual SAN Remote Command Execution Vulnerability

11.11.11

BACKGROUND

HP StorageWorks P4000 Virtual SAN Appliance (VSA) provides virtualized SAN infrastructure for a Vmware ESX environment. VSA consolidates server disk drives and external storage into a virtual iSCSI SAN. The appliance includes a management service which listens on numerous TCP and UDP ports.

DESCRIPTION

Remote exploitation of an arbitrary command execution vulnerability in HP.'s StorageWorks P4000 Virtual SAN Appliance (VSA) could allow an attacker to execute arbitrary code with the privileges of the affected service.

The management service implements a protocol command to allow a remote client to ping a remote device from the VSA. Input passed as part of this ping request is not correctly sanitized. This condition may result in an arbitrary command execution. This vulnerability does not require authentication as default account credentials are hard-coded into the management service.

ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. In order to exploit this vulnerability, an attacker needs to be able to create a TCP connection to the targeted VSA on port 13838.

DETECTION

HP P4000 Virtual SAN/iQ versions prior to 9.5 are vulnerable.

WORKAROUND

TCP port 13838 may be firewalled on the Virtual SAN Appliance.

VENDOR RESPONSE

HP has released patches and workarounds to address this vulnerability. For more information, consult their advisory at the following URL.

http://www.hp.com/go/p4000downloads

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-4157 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

DISCLOSURE TIMELINE

10/20/2010 Initial Vendor Notification
11/09/2010 Initial Vendor Reply
11/11/2011 Coordinated Public Disclosure

CREDIT

This vulnerability was reported to iDefense by Nicolas Gr?ire / Agarri.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

LEGAL NOTICES

Copyright © 2011 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.