An extremely critical zero-day vulnerability has been found in Hewlett Packard Enterprise’s Systems Insight Manager (HPE SIM) for Windows. The vulnerability allows attackers to remotely execute code without authenticating to the software. SKOUT recommends that companies apply the latest HPE SIM patch, or perform the workaround released by HPE, to prevent this attack.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Attackers can remotely execute code by exploiting a newly disclosed vulnerability in Hewlett Packard Enterprise’s Systems Insight Manager for Windows. Because the HPE SIM software runs with administrative privileges, a malicious actor who sends a malformed POST request to the /simsearch/messagebroker/amfsecure page can gain full privileges under the hpsimsvc.exe process. Since the attack is low in complexity and requires no authentication, this vulnerability (CVE-2020-7200) is rated 9.8 out of 10 for severity.
WHY IS IT NOTEWORTHY?
This is especially noteworthy because an attacker may gain full privileges and access to a network by issuing a single POST request. Even though this CVE only affects HPE SIM on Windows, an attacker can wreak havoc on a network once this software is compromised.
WHAT IS THE EXPOSURE OR RISK?
Once exploited, an attacker can execute arbitrary code within the network as the HPE SIM software. This means they may be able to deploy ransomware, set up backdoors into the network, and maintain persistence to collect confidential information. All IT infrastructure should be considered at risk if this vulnerability were exploited. In the hands of a ruthless attacker, organizational operations could be crippled.
WHAT ARE THE RECOMMENDATIONS?
The following is recommended:
- Apply the latest patch for the HPE SIM software as soon as possible.
- Check your network for any backdoors or suspicious accounts.
- If you are unable to patch the HPE SIM software right away, apply the workaround described here to prevent exploitation: https://threatpost.com/hpe-fixes-critical-zero-day-sim/166543/
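As a starting point for the "check your network" recommendation, the following added example (not part of the original advisory or of HPE's tooling) scans access-log lines for POST requests to the /simsearch/messagebroker/amfsecure endpoint named above and counts them per source address. It assumes Common Log Format lines from a web server or reverse proxy in front of HPE SIM; the regex and the sample lines are constructed for the example and should be adapted to the real log format in use.

```python
import re
from collections import Counter

# Path of the HPE SIM endpoint named in the advisory (CVE-2020-7200).
VULN_PATH = "/simsearch/messagebroker/amfsecure"

# Assumption: the web server / reverse proxy in front of HPE SIM writes
# Common Log Format. Adjust LOG_RE to the actual log format in use.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and case-fold so variant spellings still match.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec

def find_suspicious(lines):
    """Return every parsed entry that is a POST to the vulnerable endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == VULN_PATH:
            hits.append(rec)
    return hits

def summarize(lines):
    """Count suspicious POSTs per source address for a quick triage view."""
    return Counter(h["src"] for h in find_suspicious(lines))

# Constructed sample lines (not real traffic) for demonstration only.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2020:10:01:02 +0000] "GET /simsearch/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Dec/2020:10:01:09 +0000] "POST /simsearch/messagebroker/amfsecure HTTP/1.1" 200 1340',
    '203.0.113.9 - - [15/Dec/2020:10:01:11 +0000] "POST /SimSearch/MessageBroker/AmfSecure?x=1 HTTP/1.1" 500 77',
    '10.0.0.7 - - [15/Dec/2020:10:02:00 +0000] "GET /status HTTP/1.1" 200 90',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for src, n in summarize(SAMPLE_LOG).items():
        print(f"{src}: {n} POST(s) to {VULN_PATH}")
```

Any source that is not a known HPE SIM client or administrator workstation deserves follow-up, and a 200 response to such a POST on an unpatched server is the higher-priority finding.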
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.