Bugtraq mailing list archives
[DSECRG-09-011] HP StorageWorks 1_8 G2 Tape Autoloader - privilege escalation DOS
From: Alexandr Polyakov <alexandr.polyakov () dsec ru>
Date: Wed, 3 Feb 2010 20:14:05 +0300
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-011 Application: HP StorageWorks 1/8 G2 Tape Autoloader Versions Affected: firmware v 2.30 and earlier Vendor URL: http://hp.com/ Bug: Privilege escalation Exploits: YES Reported: 30.09.2008 Vendor Response: 30.09.2008 Date of Public Advisory: 10.01.2010 Solution: yes CVE: CVE-2009-2680 CVSS 2.0: 8.5 Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) Description *********** Vulnerability found in Web Administration Interface of device HP StorageWorks 1/8 G2 Tape Autoloader. Default unprivileged user can escalate privileges to administrator. Details ******* http://dsecrg.com/pages/vul/show.php?id=111 About ***** Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsecrg [dot] com http://www.dsecrg.com Polyakov Alexandr. PCI QSA. Head of security audit department Head of Digital Security Research Group ______________________ DIGITAL SECURITY phone: +7 812 703 1547 +7 812 430 9130 e-mail: a.polyakov () dsec ru www.dsec.ru www.dsecrg.com www.pcidss.ru ----------------------------------- This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding statements by e-mail unless otherwise agreed. ----------------------------------- ---------- Конец пересылаемого письма ---------- -- Polyakov Alexandr Head of security audit department Head of Digital Security Research Group ______________________ DIGITAL SECURITY phone: +7 812 703 1547 +7 812 430 9130 e-mail: a.polyakov () dsec ru www.dsec.ru ----------------------------------- This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding statements by e-mail unless otherwise agreed. -----------------------------------
--- Begin Message --- From: Alexandr Polyakov <alexandr.polyakov () dsec ru>
Date: Mon, 11 Jan 2010 13:57:26 +0300
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-011 Application: HP StorageWorks 1/8 G2 Tape Autoloader Versions Affected: firmware v 2.30 and earlier Vendor URL: http://hp.com/ Bug: Privilege escalation Exploits: YES Reported: 30.09.2008 Vendor Response: 30.09.2008 Date of Public Advisory: 10.01.2010 Solution: yes CVE: CVE-2009-2680 CVSS 2.0: 8.5 Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) Description *********** Vulnerability found in Web Administration Interface of device HP StorageWorks 1/8 G2 Tape Autoloader. Default unprivileged user can escalate privileges to administrator. Details ******* http://dsecrg.com/pages/vul/show.php?id=111 About ***** Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsecrg [dot] com http://www.dsecrg.com Polyakov Alexandr. PCI QSA. Head of security audit department Head of Digital Security Research Group ______________________ DIGITAL SECURITY phone: +7 812 703 1547 +7 812 430 9130 e-mail: a.polyakov () dsec ru www.dsec.ru www.dsecrg.com www.pcidss.ru ----------------------------------- This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding statements by e-mail unless otherwise agreed. -----------------------------------
--- End Message ---
Current thread:
- [DSECRG-09-011] HP StorageWorks 1_8 G2 Tape Autoloader - privilege escalation DOS Alexandr Polyakov (Feb 03)