Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against HP Power Manager formExportDataLogs Buffer Overflow Vulnerability

Subscribe

Check Point Reference: CPAI-2010-111
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory SA37280
Industry Reference(s):

CVE-2009-3999
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
HP Power Manager Prior to 4.2.10
Vulnerability Description
A buffer overflow vulnerability was reported in HP Power Manager. HP Power Manager is a web-based application for managing a HP Uninterruptible Power System (UPS) through a browser-based management console. It allows to monitor, manage, and control a single UPS locally and remotely. The vulnerability is due to insufficient bounds checking in the HP Power Manager while processing URL parameters in the formExportDataLogs form of the web based management server. To leverage the vulnerability, a remote unauthenticated attacker would need to send a malicious HTTP request to the target system, potentially leading to injection and execution of arbitrary code.
Update/Patch Available
The vendor, HP, has released an advisory addressing this vulnerability.
Vulnerability Details
The vulnerability is due to lack of input validation of the variable on HTTP requests sent to formExportDataLogs. The vulnerable URI requires no authentication to process the malicious request. Successful exploitation could lead to execution of arbitrary code.

Protection Overview
This protection will detect and block HTTP requests to HP Power Manager forms whose fileName argument is larger than a certain threshold.

Please note that the protection offered in this advisory may cause false positives by blocking legitimate traffic. We are working on solving this issue.
This issue has been fixed on the update package from May 4, 2010.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > HP Products.
2. In the right pane, double-click the HP Power Manager formExportDataLogs Buffer Overflow protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HP Products Protection Violation
Attack Information: HP Power Manager formExportDataLogs buffer overflow

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > HP Products > HP Power Manager formExportDataLogs Buffer Overflow.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HP Products Protection Violation
Attack Information: HP Power Manager formExportDataLogs buffer overflow

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the CGI Attacks protection group.
3. Click HP Power Manager formExportDataLogs filename buffer overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: WWW/CGI Attacks Protection Group
Description: HP Power Manager formExportDataLogs filename buffer overflow