Security

HP Device Manager flaws expose Windows systems to hack

HP published details of three vulnerabilities in the HP Device Manager that could be exploited by attackers to take over Windows systems.

HP released a security advisory that includes details for three critical and high severity vulnerabilities, tracked as CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927, that impact the HP Device Manager.

The IT giant revealed that an attacker could exploit the vulnerabilities to take over Windows systems.

The HP Device Manager allows administrators to remotely manage HP thin clients.

The vulnerabilities have been reported to HP by the infosec researchers Nick Bloor, an attacker could chain the three issues to achieve SYSTEM privileges on targeted devices and potentially take over them.

“Potential vulnerabilities have been identified with certain versions of HP Device Manager.” reads the HP’s advisory. “These vulnerabilities may allow locally managed accounts within Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927).”

CVE IDPotential VulnerabilityImpacted VersionCVSS 3.0 Base Score
CVE-2020-6925Weak CipherAll versions of HP Device Manager7.0
CVE-2020-6926Remote Method InvocationAll versions of Device Manager9.9
CVE-2020-6927Elevation of PrivilegeHP Device Manager 5.0.0 to 5.0.38.0

The flaws could allow attackers to carry out multiple malicious actions, such as perform dictionary attacks, gain unauthorized remote access to resources, and elevate privilege.

The first vulnerability, tracked as CVE-2020-6925, is related to the use of weak cipher implementation and exposes locally Device Manager managed accounts to dictionary attacks. The issue does not impact customers who use Active Directory authenticated accounts.

The second flaw, tracked as CVE-2020-6926, is a remote method invocation flaw that could be exploited by remote attackers to gain unauthorized access to resources.

The last issue, tracked as CVE-2020-6927, could allow remote attackers to gain SYSTEM privileges by exploiting a backdoor database user account, using a space as a password, in the PostgreSQL database.

This vulnerability doesn’t impact HP customers using an external database (Microsoft SQL Server) and that have not installed the integrated Postgres service.

Unfortunately, HP hasn’t yet released security updates to address the CVE-2020-6925 and CVE-2020-6926 security issues, while the CVE-2020-6927 has been fixed with the release of Device Manager 5.0.4.

However, the company provides customers with remediation steps that should at least partially mitigate the security risks. 

HP also released the following list of mitigations for the above issues:

  • Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
  • Remove the dm_postgres account from the Postgres database; or
  • Update the dm_postgres account password within Device Manager Configuration Manager; or
  • Within Windows Firewall configuration create an inbound rule to configure the PostgreSQL listening port (40006) for localhost access only.
[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, HP)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

SK Telecom revealed that malware breach began in 2022

South Korean mobile network operator SK Telecom revealed that the security breach disclosed in April…

1 hour ago

4G Calling (VoLTE) flaw allowed to locate any O2 customer with a phone call

A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due…

12 hours ago

China-linked UnsolicitedBooker APT used new backdoor MarsSnake in recent attacks

China-linked UnsolicitedBooker used a new backdoor, MarsSnake, to target an international organization in Saudi Arabia.…

18 hours ago

UK’s Legal Aid Agency discloses a data breach following April cyber attack

The UK’s Legal Aid Agency suffered a cyberattack in April and has now confirmed that…

21 hours ago

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Cybersecurity Observatory of the Unipegaso's malware lab published a detailed analysis of the Sarcoma ransomware.…

23 hours ago

Mozilla fixed zero-days recently demonstrated at Pwn2Own Berlin 2025

Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data…

1 day ago