A new vulnerability has been discovered in the HPE OneView virtual appliance, an integrated IT management solution that provides centralized control over data centers, infrastructure, and assets. The weakness lies in the "Migrate server hardware" option in HPE OneView, which may expose sensitive information to unauthorized users through a support dump. "Migrate server hardware" is a feature that allows users to move servers from one hardware type to another without causing downtime.

This vulnerability has been assigned the CVE (Common Vulnerabilities and Exposures) ID CVE-2023-28091.

Affected Versions

All HPE OneView releases prior to version 6. are affected by this vulnerability.

Code Snippet

When the migration process starts, a series of operations is executed; if one of them fails, the failure path writes sensitive information into a support dump file. An illustrative example of this flow can be seen below:

def migrate_server_hardware(src_hardware, dest_hardware, verbose=False):
    # Reserve resources on both sides before the move begins.
    src_hardware.acquire_resources()
    dest_hardware.prepare_resources()

    if verbose:
        print("Migrating from", src_hardware, "to", dest_hardware)

    # ...

    try:
        src_hardware.decommission()
        dest_hardware.provision()
    except Exception as e:
        if verbose:
            print("Error:", e)
        # Save support dump here: HPEOneViewSupportDump stands in for the
        # appliance's dump facility. The dump is built from the full
        # src_hardware and dest_hardware objects, including any credentials
        # or tokens they carry.
        support_dump = HPEOneViewSupportDump.create(src_hardware, dest_hardware, e)
        # Potential exposure of sensitive information: the file is written
        # unredacted to a fixed path that other users may be able to read.
        support_dump.save('/path/to/output')
        return e

In this code snippet, the migrate_server_hardware function carries out the server migration. If an exception occurs during the process, a support dump is created from the src_hardware and dest_hardware objects, including any sensitive information they hold, and is then saved unredacted to a fixed output path.
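The following is an added example, not HPE OneView code: it shows the support-dump step from the snippet above written two ways, the vulnerable form that serializes the raw hardware objects and a hardened form that redacts credential-like fields before writing and creates the file readable only by the owning account. It assumes the hardware records are plain dicts, and the field names, the SENSITIVE_FRAGMENTS list and the sample records are constructed for illustration. The find_leaked_secrets function is a defender's check that can be run over dumps produced before a fix to see what they expose.

```python
import json
import os
import stat
import tempfile

# Key fragments treated as sensitive. Assumed list for this example, not
# HPE OneView's data model; extend it for your own environment.
SENSITIVE_FRAGMENTS = ("password", "passwd", "secret", "token", "api_key",
                       "credential", "private_key")
REDACTED = "[REDACTED]"


def is_sensitive(key):
    """Heuristic: a key is sensitive if it contains a credential-like word."""
    norm = key.lower().replace("-", "_")
    return any(frag in norm for frag in SENSITIVE_FRAGMENTS)


def redact(obj):
    """Deep-copy obj, replacing the values stored under sensitive keys."""
    if isinstance(obj, dict):
        return {k: (REDACTED if is_sensitive(k) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def build_support_dump(src_hardware, dest_hardware, error, redact_secrets):
    """Assemble the diagnostic payload. redact_secrets=False mirrors the
    vulnerable behaviour (raw objects serialized); True is the fix."""
    scrub = redact if redact_secrets else (lambda x: x)
    return {"error": str(error),
            "source": scrub(src_hardware),
            "destination": scrub(dest_hardware)}


def write_support_dump(dump, directory, name="support_dump.json"):
    """Write the dump so only the owning account can read it: O_EXCL refuses
    a pre-existing file (or symlink) at the path, and mode 0o600 limits
    readers to the owner. Assumes a POSIX host."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(dump, fh, indent=2)
    return path


def find_leaked_secrets(path):
    """Audit an existing JSON dump: return the paths of every sensitive key
    whose value was not redacted."""
    with open(path) as fh:
        data = json.load(fh)
    leaks = []

    def walk(node, trail):
        if isinstance(node, dict):
            for k, v in node.items():
                if is_sensitive(k) and v != REDACTED:
                    leaks.append("/".join(trail + [k]))
                walk(v, trail + [k])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, trail + [str(i)])

    walk(data, [])
    return sorted(leaks)


# Constructed sample inventory records (not real OneView data).
SAMPLE_SRC = {"name": "blade-01", "ilo_password": "example-only",
              "nics": [{"mac": "00:11:22:33:44:55"}]}
SAMPLE_DEST = {"name": "blade-02",
               "oneview": {"api_token": "tok-EXAMPLE-123", "host": "10.0.0.5"}}


def demo():
    """Write a vulnerable and a hardened dump into a temp dir, audit both,
    and report the file mode of the hardened one."""
    workdir = tempfile.mkdtemp()
    err = RuntimeError("provision failed")
    vuln = write_support_dump(
        build_support_dump(SAMPLE_SRC, SAMPLE_DEST, err, False),
        workdir, "vulnerable.json")
    fixed = write_support_dump(
        build_support_dump(SAMPLE_SRC, SAMPLE_DEST, err, True),
        workdir, "hardened.json")
    return {
        "vulnerable_leaks": find_leaked_secrets(vuln),
        "hardened_leaks": find_leaked_secrets(fixed),
        "hardened_mode": stat.S_IMODE(os.stat(fixed).st_mode),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() reports two leaked paths in the vulnerable dump (source/ilo_password and destination/oneview/api_token), none in the hardened one, and a file mode with no group or world bits. The key-fragment heuristic is deliberately broad; an allowlist of fields that a support dump actually needs is the safer design when the schema is known.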

Exploit Details

If an attacker gains access to a system running HPE OneView with this vulnerability, they could potentially extract sensitive information, such as:

- Server hardware configuration details

- API keys, tokens, and/or authentication credentials used for connecting to other infrastructure components

- Log files containing information about assets, services, and data center operations

By obtaining this information, attackers may gain unauthorized access to an organization's network, execute malicious code or commands, disrupt data center operations, and conduct further attacks leveraging the exposed information.

HPE OneView Security Bulletin:

[https://www.hpe.com/us/en/solutions/security-vulnerability.html]

CVE-2023-28091 in NVD (National Vulnerability Database):

[https://nvd.nist.gov/vuln/detail/CVE-2023-28091]

To mitigate this vulnerability, HPE recommends that users follow these steps:

1. Upgrade their HPE OneView software to version 6. or later. This version contains the necessary security patches that prevent the exposure of sensitive information in support dumps. The updated version is available for download from the HPE OneView Support portal: [https://support.hpe.com]

2. Restrict access to HPE OneView virtual appliances to authorized users only. This can be done by implementing role-based access control (RBAC) and other security best practices to limit the number of users with access to sensitive functions (e.g., server hardware migration).

3. Regularly review access logs and security events associated with HPE OneView installations. Maintain logs and monitor for any suspicious activities that may indicate unauthorized access, data exfiltration, or attempts to exploit other vulnerabilities.

Conclusion

Addressing the CVE-2023-28091 vulnerability in HPE OneView is crucial for organizations to maintain the security of their data centers and infrastructure. By upgrading to the latest software version and following best practices in access control and monitoring, organizations can significantly reduce the risk associated with this exploit.

Timeline

Published on: 04/14/2023 15:15:00 UTC
Last modified on: 04/21/2023 03:46:00 UTC