HPE fixes critical zero-day vulnerability disclosed in December

Hewlett Packard Enterprise (HPE) has released a security update to address a zero-day remote code execution vulnerability in the HPE Systems Insight Manager (SIM) software, disclosed last year, in December.

HPE SIM is a remote support automation and management solution for HPE servers, storage, and networking products, including HPE's ProLiant Gen10 and ProLiant Gen9 servers.

Zero-days are publicly disclosed security bugs that the vendor hasn't patched. In some cases, they also have publicly available proof-of-concept exploits or are actively exploited in the wild.

Security update released months after disclosure

While the company updated the security advisory with information on this security update on Wednesday, the SIM hotfix update kit which resolves the vulnerability was released more than a month ago, on April 20.

The RCE vulnerability tracked as CVE-2020-7200 was found in the latest versions (7.6.x) of HPE's proprietary Systems Insight Manager (SIM) software, and it ONLY affects the Windows version.

HPE rated the bug as a critical severity (9.8/10) security flaw as it allows attackers with no privileges to exploit it in low complexity attacks that don't require user interaction.

CVE-2020-7200 stems from a lack of proper validation of user-supplied data that can lead to the deserialization of untrusted data, making it possible for attackers to leverage it to execute code on servers running vulnerable SIM software.

Mitigation also available

HPE also provides mitigation info for those who cannot immediately deploy the CVE-2020-7200 security update on vulnerable systems.

According to HPE, admins are required to disable the "Federated Search" and "Federated CMS Configuration" features to remove the attack vector.

System admins who use the HPE SIM management software have to use the following procedure to block CVE-2020-7200 attacks:

  1. Stop the HPE SIM Service
  2. Delete the simsearch.war file from the SIM install path:
       del /Q /F "C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war"
     (the path contains spaces, so it must be quoted for the del command to work)
  3. Restart the HPE SIM Service
  4. Wait for the HPE SIM web page "https://SIM_IP:50000" to be accessible and execute the following command from a command prompt:
       mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul

Once the mitigation measures are taken, HPE SIM users will no longer be able to use the federated search feature.
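The four-step workaround above is easy to get half-done on a fleet of hosts (service restarted before the .war is gone, or mxtool run before the web service is up). The following PowerShell script is an added example, not code from HPE or from the article: it applies the steps in order on a Windows SIM host and then reports whether the mitigation is actually in place. The install path, the simsearch.war file, the https://SIM_IP:50000 URL and the mxtool command are the ones quoted above; the service display name pattern, the mxtool.exe location fallback, the use of a TCP probe on port 50000 as the "page is accessible" check, and the need for an elevated session are assumptions not taken from the page.

```powershell
# Added example (not HPE's or the article's code): apply and verify the
# CVE-2020-7200 federated-search mitigation on a Windows HPE SIM host.
# Assumptions (not stated on the page): elevated session; SIM service display
# name matches '*Systems Insight Manager*'; mxtool.exe is on PATH or in
# <SimRoot>\bin; a TCP connect on 50000 is an acceptable readiness check.
param(
    [string]$SimRoot    = 'C:\Program Files\HP\Systems Insight Manager',
    [string]$SimHost    = 'localhost',   # stands in for the article's SIM_IP
    [int]   $TimeoutSec = 600
)

$ErrorActionPreference = 'Stop'
$WarPath = Join-Path $SimRoot 'jboss\server\hpsim\deploy\simsearch.war'

function Get-SimService {
    # Assumed lookup: the page does not give the Windows service name.
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Systems Insight Manager*' } |
           Select-Object -First 1
    if (-not $svc) { throw 'HPE SIM service not found; adjust the display-name assumption.' }
    return $svc
}

function Test-SimPort {
    param([string]$ComputerName, [int]$Port = 50000)
    # Plain TCP probe so the check works without trusting SIM's certificate.
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($ComputerName, $Port); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}

function Test-SimMitigation {
    # Read-only status check; safe to run on its own during an audit.
    $svc = Get-SimService
    [pscustomobject]@{
        WarPresent    = Test-Path -LiteralPath $WarPath
        ServiceStatus = $svc.Status
        PortOpen      = Test-SimPort -ComputerName $SimHost
        Mitigated     = -not (Test-Path -LiteralPath $WarPath)
    }
}

function Invoke-SimMitigation {
    $svc = Get-SimService

    # Step 1: stop the HPE SIM service and wait for it to actually stop.
    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(120))

    # Step 2: delete simsearch.war (-LiteralPath copes with the spaces in the path).
    if (Test-Path -LiteralPath $WarPath) {
        Remove-Item -LiteralPath $WarPath -Force
        Write-Host "Removed $WarPath"
    } else {
        Write-Host 'simsearch.war already absent; continuing with the remaining steps'
    }

    # Step 3: restart the service.
    Start-Service -Name $svc.Name

    # Step 4: wait for https://SIM_IP:50000 to answer, then re-register the tool definitions.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while (-not (Test-SimPort -ComputerName $SimHost)) {
        if ((Get-Date) -gt $deadline) { throw "SIM did not open port 50000 within $TimeoutSec s" }
        Start-Sleep -Seconds 10
    }

    # mxtool location: PATH first, then an assumed <SimRoot>\bin fallback.
    $mxtool = (Get-Command mxtool -ErrorAction SilentlyContinue).Source
    if (-not $mxtool) { $mxtool = Join-Path $SimRoot 'bin\mxtool.exe' }
    if (-not (Test-Path -LiteralPath $mxtool)) { throw "mxtool.exe not found at $mxtool" }

    # The article's command uses a path relative to the SIM install directory.
    Push-Location $SimRoot
    try   { & $mxtool -r -f 'tools\multi-cms-search.xml' *> $null }
    finally { Pop-Location }

    return Test-SimMitigation
}

# Usage: run the whole script to apply the workaround, or dot-source it and
# call Test-SimMitigation alone to audit a host without changing anything.
Invoke-SimMitigation | Format-List
```

Test-SimMitigation reports Mitigated only from the absence of simsearch.war, which is the one artefact the procedure removes; it cannot confirm that the mxtool re-registration succeeded, so keep the SIM log review in the change record.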
