Password management has been a thorn in the side of CISOs for some time, not only keeping track of passwords but also the never-ending fight to ensure all employees use secure ones.
But infosec leaders also have to take advantage of optional password features to ensure systems are locked down. Anything that touches the network and has an administrator console should have mandatory password control or it could be an access point for an attacker. But sometimes vendors don’t close this door completely. Case in point: Hewlett-Packard’s SiteScope application monitoring tool running on Windows.
Rapid7, which makes incident response solutions, has warned that an attacker who gains access to SiteScope’s administration console can execute arbitrary commands on the underlying Windows operating system. While the console can be password protected, password protection isn’t mandatory. So, researchers discovered, if the console isn’t locked down, an attacker could reach it and become an authenticated user.
“Once logged in, an attacker may navigate to the DNS Tool … and enter any domain name for resolution in the ‘Host name to resolve’ field, and append any other valid operating system command with the usual techniques,” Rapid7 says. “For example, attempting to resolve `google.com & net user HPpoc QWERty1234 /ADD & net localgroup administrators HPpoc /ADD` results in successfully creating a user and adding the user to the local administrators group.” An attacker may similarly append any operating system command in the ‘DNS Server’ field as well, the blog says.
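The weakness Rapid7 describes is classic command injection: a hostname typed into a form is pasted into an operating-system command line, so shell metacharacters such as `&` chain further commands. The following Python snippet is an added illustration, not SiteScope or Rapid7 code; the function names, the hostname regex and the use of `nslookup` as the external tool are assumptions chosen for the example. It shows the unsafe string-concatenation pattern next to a hardened version that validates the input against a strict hostname grammar and passes it as a single argument-vector element (no shell), plus a small check a defender can use to flag suspicious input in logs.

```python
import re
import subprocess

# Hypothetical strict hostname grammar (RFC 1123-style labels): letters, digits,
# hyphens, dot-separated, no leading/trailing hyphen, at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

# Shell metacharacters that have no place in a hostname; useful for alerting.
SHELL_META_RE = re.compile(r"[&|;`$<>(){}\n\r]")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check: only well-formed hostnames pass."""
    return bool(HOSTNAME_RE.match(value))


def looks_like_injection(value: str) -> bool:
    """Detection helper: True when a 'hostname' carries shell metacharacters.
    Suitable for logging or raising an alert on a monitoring console's form input."""
    return bool(SHELL_META_RE.search(value))


def resolve_unsafe_command_line(hostname: str) -> str:
    """The vulnerable pattern: user input concatenated into a shell command line.
    If this string were handed to a shell, anything after '&' would also run.
    This function only BUILDS the string for illustration; it never executes it."""
    return "nslookup " + hostname


def build_lookup_argv(hostname: str) -> list[str]:
    """Hardened form: validate first, then keep the hostname as one argv element.
    With shell=False the operating system never parses the value as a command line,
    so '&', ';' and friends are just characters in an (invalid) hostname."""
    if not is_valid_hostname(hostname):
        raise ValueError("rejected: input is not a valid hostname")
    return ["nslookup", hostname]


def resolve_hardened(hostname: str) -> str:
    """Run the lookup safely; returns the tool's stdout. Requires nslookup and a
    working resolver, so it is the only function here that touches the network."""
    argv = build_lookup_argv(hostname)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: a benign hostname and the chained-command string quoted by Rapid7.
    benign = "google.com"
    hostile = "google.com & net user HPpoc QWERty1234 /ADD & net localgroup administrators HPpoc /ADD"
    for value in (benign, hostile):
        print(f"{value!r}: valid={is_valid_hostname(value)} suspicious={looks_like_injection(value)}")
        try:
            print("  argv:", build_lookup_argv(value))
        except ValueError as exc:
            print("  blocked:", exc)
```

The key design choice is the allow-list: rather than trying to strip every dangerous character (a deny-list that is easy to get wrong), the hardened path accepts only strings that match the hostname grammar and then never lets a shell see them at all. The `looks_like_injection` check is deliberately separate; it exists to generate a log entry or alert when someone submits a chained command, which is a useful signal even after the injection itself has been closed.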
Researchers say this can be mitigated in two ways. First, CISOs should ensure the administrator password option is enabled (and, obviously, a hardened password is chosen) and that access is restricted to trusted users. That may not be a complete answer, researchers say, because on Windows SiteScope appears to require local SYSTEM access, so account permissions for the application or individual users “would not appear to be effective on this operating system.” The alternative is to move SiteScope to a Linux server and run it as a non-root user.
HP has been notified of the possible exploit. Rapid7 notes that in discussions with the company HP prefers the Linux option.