There are multiple vulnerabilities in HP’s Insight Diagnostics server management tool that could be exploited by an attacker to run code and let them take over an infected computer. There is currently no fix available for the problem.
According to an alert from the CERT Coordination Center, versions 22.214.171.12410 and earlier versions of HP’s software are at risk.
Two flaws are addressed in the vulnerability note: CVE-2013-3574, External Control of File Name or Path and CVE-2013-3573, Improper Neutralization of Special Elements in Output Used by a Downstream Component Injection.
A third, something CERT is calling Improper Control of Filename for Include/Require Statement in PHP Program, or CVE-2013-3575, is also mentioned.
When all of the vulnerabilities are combined, an attacker could remotely execute arbitrary PHP commands on a server with administrator privileges. When only the first two are combined, it grants an attacker the ability to inject arbitrary data into a file stored in an arbitrary location using a the “devicePath” parameter.
According to CERT, both bugs were dug up by Markus Wulftange, a security consultant at the German IT firm Daimler TSS.
Intended for small and medium businesses, HP’s Insight Diagnostics is a Web-based tool that lets IT administrators troubleshoot and repair problems on Windows and Linux-based machines. While emails to HP asking when it plans to fix the vulnerabilities went unanswered on Monday, when it comes to fixes, HP usually sends email updates to customers when patches are released for their products.