The vulnerabilities have been made public because the 180-day deadline passed

Aug 28, 2012 09:41 GMT

TippingPoint’s Zero Day Initiative (ZDI) has published five advisories revealing serious security holes in HP products. The vulnerabilities have not been addressed, but because the 180-day deadline set by ZDI has expired, the flaws have been made public.

In August 2010, ZDI introduced its vulnerability disclosure deadline, giving vendors six months to patch the bugs in their products before the details are made available to users. It seems that ZDI is not willing to make any exceptions, not even for the company that owns it.

The vulnerabilities in question affect HP LeftHand Virtual SAN Appliance, HP Operations Agent for NonStop Server, HP Intelligent Management Center, HP iNode Management Center and HP Diagnostics Server.

All the security holes could be leveraged by a remote attacker to execute arbitrary code in the context of the affected user. Even worse, in most cases the attack requires no authentication; the only exception is the flaw in Operations Agent for NonStop Server.

Reported back in October, November and December 2011, the bugs exist in various processes. For instance, HP Operations Agent for NonStop Server is affected by an issue in the ELinkService process.

Other flawed components appear to be img.exe in Intelligent Management Center, iNOdeMngChecker.exe in HP iNode Management Center, magentservice.exe in HP Diagnostics Server, and the hydra component from LeftHand Virtual SAN Appliance.

The names of the researchers who have identified the security holes have not been made public yet.

Hopefully, now that the existence of these problems is public, HP will act to address them, or at least issue a statement explaining why they have not been fixed yet.