HPE has disclosed a zero-day vulnerability in the latest versions of its HPE Systems Insight Manager (SIM) software for both Windows and Linux.

Hewlett Packard Enterprise (HPE) has disclosed a zero-day remote code execution flaw that affects the latest versions of its HPE Systems Insight Manager (SIM) software for Windows and Linux.

HPE SIM is a management and remote support automation solution for multiple HPE solutions, including servers, storage, and networking products.

The flaw stems from the lack of proper validation of user-supplied data that can result in the deserialization of untrusted data. The vulnerability could be exploited by attackers with no privileges without user interaction.

“A potential security vulnerability has been identified in HPE Systems Insight Manager (SIM) version 7.6. The vulnerability could be exploited to allow remote code execution.” reads the security advisory.

At the time of this writing, the issue is yes to be fixed, the IT giant only provided mitigations for Windows while it is working to address the issue.

The zero-day flaw, tracked as CVE-2020-7200, was discovered by the researcher Harrison Neal that reported it through the Trend Micro’s Zero Day Initiative.

The vulnerability affects HPE Systems Insight Manager (SIM) 7.6.x., it received a severity score of 9.8/10.

HPE did not reveal if it is aware of attacks in the wild exploiting the zero-day vulnerability.

To avoid exploitation of the issue, the company recommends removing the “Federated Search” & “Federated CMS Configuration” feature with this step-by-step procedure:

  1. Stop HPE SIM Service
  2. Delete <C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war> file from sim installed path del /Q /F C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war
  3. Restart HPE SIM Service
  4. Wait for HPE SIM web page “https://SIM_IP:50000” to be accessible and execute the following command from command prompt. mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul

[출처 : SecurityAffairs / 12.16.]