BeyondTrust

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

HP Multiple Products OpenSSL Heartbleed Information Disclosure

Disclosed: April 13, 2014    Zeroday: 140 days

Vulnerability Description:

Various HP products use OpenSSL, which was recently affected by the "Heartbleed" vulnerability. This vulnerability allows remote attackers to use a flaw in OpenSSL to disclose critical parts of memory, possibly allowing an attacker to recover usernames, passwords, secret keys, and other sensitive information.

Vendors:

HP

Vulnerable Software/Devices:

HP Onboard Administrator 4.20 and Prior
HP LoadRunner 12.0 and Prior
HP OpenView 9.53 and Prior
HP Smart Update Manager 6.3.0 and Prior
HP System Management Homepage 7.3.1 and Prior

Other HP software products are affected as well. Please consult HP's security advisories.

Vulnerability Severity:

High

Exploit Availability:

Publicly Available

Exploit Impact:

Information Disclosure
By sending one or more maliciously crafted packets to a vulnerable OpenSSL installation, an attacker may be able to leak memory from the target machine. This may allow a remote attacker to recover sensitive information, such as usernames and passwords. An attacker may send multiple crafted packets to leak more memory, increasing the amount of information that may be recovered.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability:

  • 33699 - HP Onboard Administrator 4.20 and Prior Information Disclosure (Zero-Day)
  • 33700 - HP LoadRunner 12.0 and Prior Information Disclosure (Zero-Day)
  • 33701 - HP OpenView 9.53 and Prior Information Disclosure (Zero-Day) - Windows
  • 33702 - HP OpenView 9.53 and Prior Information Disclosure (Zero-Day) - UNIX/Linux
  • 33703 - HP Smart Update Manager 6.3.0 and Prior Information Disclosure (Zero-Day)
  • 33704 - HP System Management Homepage 7.3.1 and Prior Information Disclosure (Zero-Day)
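
To triage an asset inventory against the product list and Retina IDs above, the following added example (not BeyondTrust or HP code) flags each host by product and version. The inventory rows, status names and the component-wise version comparison are assumptions made for illustration.

```python
import re

# From this page: product -> (highest version listed as vulnerable, Retina IDs).
AFFECTED = {
    "HP Onboard Administrator": ("4.20", [33699]),
    "HP LoadRunner": ("12.0", [33700]),
    "HP OpenView": ("9.53", [33701, 33702]),  # Windows, UNIX/Linux
    "HP Smart Update Manager": ("6.3.0", [33703]),
    "HP System Management Homepage": ("7.3.1", [33704]),
}

def parse_version(text):
    """Turn '7.3.1' into (7, 3, 1); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_at_or_below(version, ceiling):
    """Assumed ordering: numeric per component, zero-padded (12 == 12.0)."""
    a, b = parse_version(version), parse_version(ceiling)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b

def triage(product, version):
    """Return (status, retina_ids) for one inventory row."""
    entry = AFFECTED.get(product)
    if entry is None:
        # The page notes other HP products are affected, so unlisted != safe.
        return ("check-hp-advisories", [])
    ceiling, audits = entry
    try:
        vulnerable = is_at_or_below(version, ceiling)
    except ValueError:
        return ("manual-review", audits)
    return ("vulnerable" if vulnerable else "above-listed-range", audits)

# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = [
    ("oa-chassis-01", "HP Onboard Administrator", "4.12"),
    ("smh-db-02", "HP System Management Homepage", "7.3.1.4"),
    ("ov-nms-03", "HP OpenView", "9.53b"),
    ("bk-srv-04", "HP Data Protector", "8.1"),
]

def report(inventory=INVENTORY):
    return [(host, *triage(prod, ver)) for host, prod, ver in inventory]

if __name__ == "__main__":
    print(*report(), sep="\n")
```

A status of "above-listed-range" only means the version is newer than the ceiling given on this page; confirm it against HP's advisory before closing the finding.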

Mitigation:

No mitigations are currently available. OpenSSL 1.0.1g contains a fix; however, it is up to software vendors to apply the updated version to their proprietary software.

Links:

CVE(s):