HPE Cybersecurity Challenge: Data Breach Sparks Investigation

Hewlett Packard Enterprise (HPE), a leading technology company, is currently grappling with a potential security breach as reports emerge of sensitive data being offered for sale on a prominent hacking forum. This latest incident underscores the persistent challenges faced by major corporations in safeguarding their digital assets and protecting user information. 

The breach, which is currently under investigation by HPE's cybersecurity teams, comes amid a wave of increased cyber threats targeting organizations across various industries. The data purportedly for sale on the hacking forum includes information that, if exploited, could pose serious risks to the company and its clients. 

HPE, known for its extensive range of enterprise solutions and IT services, is taking the reported breach seriously. The company has initiated a comprehensive internal investigation to assess the scope of the incident, identify potential vulnerabilities, and implement necessary measures to mitigate the impact. 

The data on the hacking forum is said to contain a variety of sensitive information, including user credentials, proprietary software details, and potentially confidential client data. The potential exposure of such data raises concerns not only about the privacy of individuals associated with HPE but also about the potential misuse of corporate information. 

This incident highlights the evolving tactics employed by cybercriminals, who are becoming increasingly sophisticated in their approach. As organizations fortify their cybersecurity defences, threat actors adapt, finding new avenues to exploit vulnerabilities and gain unauthorized access to sensitive data. 

The timing of this breach is particularly noteworthy, given the global increase in remote work and reliance on digital infrastructure. With a growing attack surface, companies must remain vigilant in implementing robust cybersecurity measures to counteract the heightened risk of cyber threats. 

HPE is urging its clients and stakeholders to exercise caution and implement additional security measures. This includes advising users to update passwords, enable multi-factor authentication, and monitor their accounts for any suspicious activity. The company is also liaising with law enforcement agencies to track down the perpetrators and hold them accountable.

The potential fallout from this breach extends beyond the immediate concerns of HPE and its clients. It raises broader questions about the cybersecurity landscape and the need for a collective effort to address the escalating threats faced by organizations globally.

As the investigation unfolds, HPE will likely face increased scrutiny from industry regulators and cybersecurity experts. The incident serves as a stark reminder that no organization is immune to cyber threats, and constant vigilance and adaptation are imperative in safeguarding digital assets. 

In the wake of the reported breach at HPE and the emergence of sensitive data on a hacking forum, the incident serves as a poignant reminder of the perpetual challenges organisations face in safeguarding their digital assets. As HPE undertakes a thorough investigation and implements measures to mitigate potential repercussions, the broader cybersecurity landscape calls for renewed vigilance, adaptability, and collaborative efforts. The evolving tactics of cybercriminals underscore the necessity for constant innovation in cybersecurity strategies. 

The aftermath of this breach will likely resonate across industries, prompting a collective reflection on the imperative of proactive measures and the ongoing commitment required to stay ahead of ever-evolving cyber threats in our digitally interconnected world.

How a Vulnerability in Brocade Might Affect Major Companies


Broadcom disclosed that several software products made by Brocade, its storage networking subsidiary, are affected by multiple vulnerabilities, and that exploitation could affect the products of several large companies. A similar incident happened with HPE earlier this year.

What is the impact of the vulnerabilities?

The Brocade SANnav storage area network (SAN) management application is affected by nine flaws; patches are available for all of them.

Six of the vulnerabilities are in third-party components such as OpenSSL, Oracle Java, and NGINX; these are rated "medium severity" and "low severity."

An unauthorised attacker could exploit these vulnerabilities to modify data, decode data, or cause a denial of service (DoS).

The other three vulnerabilities are specific to Brocade SANnav and are rated "high" for both risk and impact.

These vulnerabilities let an attacker obtain switch and server passwords from log files, and recover potentially sensitive information because static-key ciphers are used.

About the vulnerability

The flaws (CVE-2022-28167, CVE-2022-28168 and CVE-2022-28166) were discovered internally, and no exploitation in the wild has been observed so far.

However, the storage solutions of several companies that partner with Brocade may be affected by these flaws.

In its advisory, HPE told customers that its B-series SANnav Management Portal is affected and recommended installing the latest updates.

The flaws can be exploited locally or remotely to disclose sensitive information, gain unauthorised access, modify data, or cause a partial denial of service.

Other information on the Brocade vulnerabilities

NetApp, another Brocade partner, released individual advisories for the SANnav-specific vulnerabilities; NetApp's own products are not affected. Brocade also partners on storage solutions with other large technology companies, including Huawei, Dell, Lenovo, IBM and Fujitsu.

SecurityWeek says "one of the other Brocade OEM partners appear to have published advisories for the SANnav vulnerabilities so it's unclear if their products are also impacted. In the past, at least some of them did publish advisories to notify their customers about SANnav flaws."

Hackers Used a Stolen Access Key to Gain Access to Aruba Central

HPE has revealed that data repositories for its Aruba Central network monitoring technology were accessed by a threat actor, who was able to view collected data on monitored devices and their locations. Aruba Central is a cloud networking platform that lets administrators manage large networks and their components from a single dashboard. The threat actor obtained an "access key" that allowed them to examine customer data stored in the Aruba Central environment. They had access for 18 days, between October 9, 2021, and October 27, 2021, when HPE revoked the key.

"The customer personal data in the exposed data repositories consists of device media access control (MAC) address, IP address, device operating system type, and hostname, and, for Wi-Fi networks where authentication is used, the username," HPE and Aruba told customers. "The data repositories also contained records of date, time and the physical Wi-Fi access point where a device was connected, which could allow the general vicinity of a user's location to be determined." 

Two datasets were exposed in the repositories: one for network analytics and the other for Aruba Central's 'Contact Tracing' feature. According to the company, the key was automatically disabled on Oct. 27 as part of HPE's standard security practice, and the breach was discovered and reported on Nov. 2, six days after the key was deactivated.

"Security monitoring tools deployed inside the Aruba Central environment alerted our Security Operations team to suspicious activity," the company said in its FAQ. "The team investigated the activity and on Nov. 2, 2021 concluded that it had been unauthorized." 

In several areas, the FAQ was noticeably short on information. For example, the Aruba team estimates that the amount of exfiltrated customer data is "extremely tiny, if any at all," yet the company is unable to say which specific customers' information was stolen, or which files were accessed and when. Although these Aruba Central repositories contain customer data, the company says it does not enable logging of individual file access because the repositories are "used for streaming of high-volume machine learning data."

While the stolen data may not pose a significant security risk in terms of launching follow-on attacks, the physical telemetry and location data of Aruba Central users could be exploited, especially because it is still unknown who was exposed and which files the intruder viewed.

HPE: Sudo Flaw Grants Attackers Root Privileges to Aruba Platform

Hewlett Packard Enterprise (HPE) has warned that a vulnerability in Sudo, open-source software used within its Aruba AirWave management platform, can allow any unprivileged and unauthorized local user to gain root privileges on a vulnerable host.

According to a recent HPE security advisory, the Sudo vulnerability may be part of a "chained attack." An attacker gains a foothold with fewer rights via another flaw and then exploits this to escalate privileges. 

The Aruba AirWave management platform for wired and wireless infrastructure is HPE's real-time monitoring and security alerting system. In January, researchers at Qualys discovered the Sudo issue (CVE-2021-3156) and believe it affects millions of endpoint devices and systems.

According to the Sudo license, Sudo is software used on many platforms that allows a system administrator to delegate authority, giving particular users (or groups of users) the ability to run some (or all) commands as root or as another user.

In a research note at the time of discovery, Mehul Revankar, Qualys' VP of Product Management and Engineering, described the Sudo bug as "perhaps the most significant Sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years."

HPE officially reported the issue last week, stating that it affects AirWave management platform versions prior to 8.2.13.0, which was released on June 18, 2021.

According to the security bulletin, “A vulnerability in the command line parameter parsing code of Sudo could allow an attacker with access to Sudo to execute commands or binaries with root privileges.” 

The Sudo vulnerability has been named "Baron Samedit" by Qualys researchers, who say the flaw was introduced into the Sudo code in July 2011. The problem was first thought to primarily affect Linux and BSD operating systems, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).

Since then, further security advisories have been issued by other companies. HPE isn't the first company to report a Sudo dependency in its code, and it probably won't be the last. 

However, in February, an Apple security advisory warned that the Sudo vulnerability was present in macOS (macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6). Following the announcement, Apple released a Sudo patch (Sudo version 1.9.5p2) to fix the vulnerability. 

Mitigate The Risk

According to experts, the flaw may be exploited to carry out privilege escalation attacks in the context of the Aruba AirWave management platform. The Sudo flaw is a heap-based buffer overflow that allows any local user to trick Sudo into operating in shell mode.

Researchers explain that when Sudo is executed in shell mode, it "escapes special characters in the command's parameters with a backslash." A policy plug-in then removes the escape characters before deciding on the Sudo user's permissions.

According to HPE, users should upgrade to version 8.2.13.0 or later of the AirWave management platform to mitigate the risk. Sudo itself issued a fix earlier this year; for HPE AirWave, a further technical mitigation is also available:

“To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above,” as per HPE.

HPE Patches the Zero-Day Vulnerability in Systems Insight Manager Software for Windows

Hewlett Packard Enterprise (HPE) has released a security update to patch a critical zero-day remote code execution (RCE) vulnerability in its HPE Systems Insight Manager (SIM) software for Windows that it initially disclosed in December 2020.

HPE updated its original security advisory on Wednesday. However, the SIM hotfix update kit which resolves the flaw was published more than a month ago, on April 20. HPE SIM is a management and remote support automation tool for Windows and Linux intended to be used with the company's servers, storage, and networking products, including the HPE ProLiant Gen10 and HPE ProLiant Gen9. 

Security researchers labeled the flaw (CVE-2020-7200) 'extremely high-risk'. It allows unprivileged attackers to execute code remotely, is present in the latest versions (7.6.x) of HPE's SIM software, and affects the Windows version specifically. The bug allows low-complexity attacks that require no user interaction.

“This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain remote code execution as the administrative user running HPE SIM,” according to Packet Storm. The lack of proper validation of user-supplied data can lead to the deserialization of untrusted data, enabling attackers to execute code on servers running vulnerable SIM software.

HPE's security advisory also covers system administrators who are unable to deploy the CVE-2020-7200 update on vulnerable systems: to safeguard those devices, HPE provides mitigation steps that remove the "Federated Search" and "Federated CMS Configuration" features in which the vulnerability lies.

System administrators running HPE SIM can use the following procedure to block CVE-2020-7200 attacks:

1. Stop the HPE SIM service.

2. Delete the federated search web application from the SIM install path: del /Q /F "C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war"

3. Restart the HPE SIM service.

4. Wait for the HPE SIM web page "https://SIM_IP:50000" to become accessible, then run the following from a command prompt (the path is relative to the SIM install directory): mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul

Following this procedure protects the system from exploitation by potential attackers, but it also means that HPE SIM users can no longer use the federated search feature.
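The four steps above, scripted in PowerShell as an added example (this is not HPE's script): each step is verified before the next runs, and the service name, install path, SIM URL and the availability of mxtool on PATH are assumptions to adjust for your host.

```powershell
# Added example: automates HPE's four-step CVE-2020-7200 workaround on a Windows
# host running HPE SIM. Not HPE's own script. Service name, install path, SIM URL
# and mxtool being on PATH are assumptions; adjust them for your host.
# Requires PowerShell 7+ (for -SkipCertificateCheck) and an elevated session.
param(
    [string]$ServiceName = 'HP Systems Insight Manager',              # assumed
    [string]$SimRoot     = 'C:\Program Files\HP\Systems Insight Manager',
    [string]$SimUrl      = 'https://localhost:50000',                  # SIM_IP in the advisory
    [int]$TimeoutSeconds = 900
)
$ErrorActionPreference = 'Stop'
$warFile = Join-Path $SimRoot 'jboss\server\hpsim\deploy\simsearch.war'

# Step 1: stop the SIM service (Stop-Service blocks until the service has stopped).
Stop-Service -Name $ServiceName
Write-Host "Stopped $ServiceName"

# Step 2: remove the federated-search web application that carries the flaw,
# then confirm it is really gone before bringing the service back.
if (Test-Path -LiteralPath $warFile) {
    Remove-Item -LiteralPath $warFile -Force
}
if (Test-Path -LiteralPath $warFile) {
    throw "simsearch.war could not be removed: $warFile"
}
Write-Host "Removed $warFile"

# Step 3: restart the SIM service.
Start-Service -Name $ServiceName

# Step 4a: poll the SIM web page until it answers (SIM usually presents a
# self-signed certificate, hence -SkipCertificateCheck).
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$ready = $false
while (-not $ready -and (Get-Date) -lt $deadline) {
    try {
        Invoke-WebRequest -Uri $SimUrl -SkipCertificateCheck -TimeoutSec 10 | Out-Null
        $ready = $true
    } catch {
        # A non-2xx HTTP reply still means the web server is up; anything else means wait.
        if ($_.Exception.Response) { $ready = $true } else { Start-Sleep -Seconds 15 }
    }
}
if (-not $ready) {
    throw "SIM web page $SimUrl did not become reachable within $TimeoutSeconds seconds"
}

# Step 4b: unregister the federated CMS search tool. The advisory's command uses
# a path relative to the SIM install directory, so run it from there.
Push-Location $SimRoot
try {
    & mxtool -r -f 'tools\multi-cms-search.xml'
    if ($LASTEXITCODE -ne 0) { throw "mxtool exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}
Write-Host 'CVE-2020-7200 workaround applied; federated search is now disabled.'
```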

HP Enterprise Suffers Critical Bug, Requests Users To Update

Experts had already warned that unpatched versions of HPE's (Hewlett Packard Enterprise) Edgeline Infrastructure Manager were vulnerable to a remote authentication bypass. HPE is asking its customers to patch the application management software, as the flaw lets attackers carry out a remote authentication bypass and gain access to customers' cloud infrastructure. The bug, with a CVSS score of 9.8, is rated critical. It affects all versions of HPE's Edgeline Infrastructure Manager (EIM) prior to version 1.21.

EIM, HPE's edge computing management suite, is two years old. Users are advised to install HPE EIM 1.22 or later immediately to obtain the fix. In a recently posted security bulletin, the HPE Product Security Response Team wrote, "a security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to the execution of arbitrary commands, gaining privileged access, causing a denial of service, and changing the configuration."

About the bug 

The remote authentication bypass stems from how EIM handles password resets for administrator accounts. When a user logs in for the first time with the default password of an active administrator account, they are prompted to change it; the change is made by sending a request to the URL redfish/v1/SessionService/ResetPassword/1. However, even after the password has been changed, a remote attacker can send a request to the same URL to set a new password for the administrator account, and then simply log in with that updated password by sending a login request.

From there, an attacker can change the password of the OS root account by sending a request to the URL /redfish/v1/AccountService/Accounts/1. "It allows the attacker to SSH to the EIM host as root. SSH stands for Secure Shell or Secure Socket Shell and is a network protocol that is most often used by system administrators for remote command-line requests, system logins, and also for remote command execution," reports Threatpost. Cybersecurity firm Tenable has also published a proof of concept for the attack.
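Because the bypass rides on two specific Redfish endpoints, they are easy to watch for in access logs. The following PowerShell function is an added example, not code from HPE or Tenable; it assumes a reverse proxy in front of EIM writing combined-format access logs, a hypothetical management subnet, and runs over constructed sample lines.

```powershell
# Added example (not from HPE or Tenable): flag suspicious use of the two Redfish
# endpoints involved in the EIM authentication bypass in web-server access logs.
# Assumptions: a reverse proxy in front of EIM writes combined-format access logs,
# and administrators reach EIM only from the management subnet $ManagementPrefix.
function Find-EimResetAbuse {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string]$ManagementPrefix = '10.10.5.'   # hypothetical admin subnet
    )
    # Combined log format: ip ident user [time] "METHOD path proto" status size ...
    $pattern = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})'
    $resetCount = 0
    foreach ($line in $LogLines) {
        if (-not ($line -match $pattern)) { continue }
        $reasons = @()
        if ($Matches.path -like '*/redfish/v1/SessionService/ResetPassword/*') {
            $resetCount++
            # The reset endpoint is legitimate exactly once: the first login with the default password.
            if ($resetCount -gt 1) { $reasons += 'ResetPassword endpoint reused after the first-login reset' }
            if (-not $Matches.ip.StartsWith($ManagementPrefix)) { $reasons += 'ResetPassword called from outside the management subnet' }
        }
        if ($Matches.path -like '*/redfish/v1/AccountService/Accounts/1*' -and $Matches.method -in @('PATCH', 'POST', 'PUT')) {
            $reasons += 'write to the OS root account object (Accounts/1)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $Matches.ts
                Source  = $Matches.ip
                Request = "$($Matches.method) $($Matches.path) -> $($Matches.status)"
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample: a legitimate first-login reset from the admin subnet, followed
# a day later by the bypass sequence from an external address.
$sampleLog = @(
    '10.10.5.20 - - [03/May/2021:09:12:01 +0000] "POST /redfish/v1/SessionService/ResetPassword/1 HTTP/1.1" 200 45',
    '10.10.5.20 - - [03/May/2021:09:12:20 +0000] "GET /redfish/v1/Systems HTTP/1.1" 200 1834',
    '203.0.113.77 - - [04/May/2021:02:41:07 +0000] "POST /redfish/v1/SessionService/ResetPassword/1 HTTP/1.1" 200 45',
    '203.0.113.77 - - [04/May/2021:02:41:30 +0000] "POST /redfish/v1/SessionService/Sessions HTTP/1.1" 201 210',
    '203.0.113.77 - - [04/May/2021:02:42:05 +0000] "PATCH /redfish/v1/AccountService/Accounts/1 HTTP/1.1" 200 45'
)
Find-EimResetAbuse -LogLines $sampleLog | Format-Table -AutoSize
```

The same function can be pointed at a real log with Get-Content; an alert on either reason is a strong signal that the administrator password has been reset outside the first-login flow.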

Hewlett Packard Enterprise and IBM Networks Breached by China; Clients Targeted

Hackers working for China's Ministry of State Security breached the networks of Hewlett Packard Enterprise and IBM in order to gain access to their clients' computers.

The attacks, part of the Chinese campaign known as Cloudhopper, compromised technology service providers in order to steal secrets from their clients. While International Business Machines Corp said it had no evidence that sensitive corporate data had been compromised, Hewlett Packard Enterprise (HPE) declined to comment on the campaign.

Although numerous government agencies and cybersecurity firms have issued warnings about the Cloudhopper threat since 2017, the identities of the technology companies whose networks were compromised had not previously been revealed.

According to a U.S. federal indictment of two Chinese nationals unsealed on December 20, Cloudhopper focused largely on managed service providers (MSPs) as a way into their clients' networks, stealing corporate secrets from organizations around the world.

While both IBM and HPE declined to comment on the specific claims made by the sources, each did issue a statement.

"IBM has been aware of the reported attacks and already has taken extensive counter-measures worldwide as part of our continuous efforts to protect the company and our clients against constantly evolving threats. We take responsible stewardship of client data very seriously, and have no evidence that sensitive IBM or client data has been compromised by this threat."

HPE said, "The security of HPE customer data is our top priority. We are unable to comment on the specific details described in the indictment, but HPE's managed services provider business moved to DXC Technology in connection with HPE's divestiture of its Enterprise Services business in 2017."

Reuters was unable to confirm the names of other breached technology firms or to identify any affected customers.

Cloudhopper, which has targeted technology service providers for years, is known to have penetrated the systems of HPE and IBM on multiple occasions, in breaches that lasted for extended periods.

IBM investigated an attack as recently as the middle of this year, while HPE conducted a major breach investigation in mid-2017.