Beware: HP Device Manager Has Backdoor

The backdoor can be exploited for privilege escalation and, combined with other flaws, unauthorized remote command execution. Businesses should follow the mitigation processes provided by HP.

There has been an uptick in cyber-attacks and data breaches in 2020. While this increases each year, this year feels especially hard hit, likely due to the COVID-19 pandemic. With everyone working from home, businesses are strained and systems are breaking down, making them easier to exploit. On top of that, now businesses that use HP Device Manager have to take action to mitigate a vulnerability that was put there by HP itself.

According to The Register, “Nicky Bloor, founder of Cognitous Cyber Security, reports that an HP Inc programmer appears to have set up an insecure user account in a database within HP Device Manager (HPDM). He found that the account can be exploited to achieve privilege escalation and, in conjunction with other flaws, gain unauthorized remote command execution as SYSTEM.

This is bad: if you can reach a vulnerable installation of this device manager on a network, you can gain admin-level control over its machine and the thin clients it controls. HPDM typically runs on a Windows-powered server, and directs multiple Windows clients.”

This is a nightmare for businesses that use HPDM, and it’s a dream for an attacker. Bad actors, like any other criminal, want to get the most bang for their buck. They don’t want to exert a lot of energy, but they want a big payday. If a bad actor gains admin-level control over one machine, they can use that access to gain entry to other machines. They can practically do whatever it is they want to do and they haven’t broken a sweat.

Cyber Observer says the 8 most common causes of a data breach are:

  • Weak and Stolen Credentials, a.k.a. Passwords
  • Back Doors, Application Vulnerabilities
  • Malware
  • Social Engineering
  • Too Many Permissions
  • Insider Threats
  • Improper Configuration and User Error

Back doors, application vulnerabilities and improper configuration all fit the HP problem.

Bloor brought this vulnerability to the attention of HP, which did not immediately respond. When he said he was going to go public, they quickly changed their tune. On September 30, HP acknowledged the problem and shared an update on the resolution timeline. The Weak Cipher and Remote Method Invocation issues affect all versions of HPDM, while the Elevation of Privilege issue affects versions 5.0.0 to 5.0.3. The page goes on to outline mitigations you can take while their security team works on a patch, so be sure to read their resolution guidelines to limit your risk.

Businesses are trained to be on high alert for data breaches that arrive via a cyber-attack, whether it’s malware, phishing or something else. They aren’t looking at their own management systems for vulnerabilities; they trust their provider to ensure that security.

This is the exact reason businesses should always hire an expert when implementing something new, and should employ someone who can maintain that system and keep it updated. When something new is being implemented, no matter how much you trust its source, your expert should verify that there are no vulnerabilities built into the system. You have to do whatever it takes to protect your business, and that means protecting your customers, clients, business partners and proprietary information.

We continually discuss how important it is to safeguard sensitive information, to hire an expert to assist with cloud migration and security protocols, and to have proper backups in place. Vulnerabilities are a problem; bad actors, insider threats and hackers are a problem. Ensure that you aren’t the next victim: build more into your InfoSec and CyberSec budgets, because this isn’t going to go anywhere. Protection is paramount to success.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. It was founded by 20-year software engineering veterans who have founded or co-founded several companies. PWV experts act as trusted advisors and mentors to numerous early-stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high-impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
