HPSBGN01009 SSRT4726 rev.2 - Carrier Grade, Remote Unauthorized Access to Offline Utilities

  • KM02992237
  • 17-Oct-2017
  • 17-Oct-2017

Summary

A potential security vulnerability has been identified with certain HP Carrier Grade Servers resulting in remote unauthorized access to certain offline utilities.

Reference

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM02992237 (c01037314)

Version: 1

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2004-04-05

Last Updated: 2007-04-25


Potential Security Impact: Remote unauthorized access to offline utilities

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with certain HP Carrier Grade Servers resulting in remote unauthorized access to certain offline utilities.

References: Intel Action Alert AA-679-1

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP systems that are impacted: 

· hp carrier grade server cc2300 - A6898A, A6899A 
· hp carrier grade server cc3300 - A6900A, A6901A 
· hp carrier grade server cc3310 - A9862A, A9863A 

BACKGROUND

Intel has notified HP and other computer manufacturers of an issue with four Intel® server setup utilities, per Intel Action Alert AA-679-1:

· System Setup Utility (SSU)
· Client System Setup Utility (CSSU)
· Server Configuration Wizard (SCW)
· CLI Auto-configuration Utility

An invalid firmware setting is present after using Intel server setup utilities to configure LAN management. This issue has the potential to affect system security, resulting in unauthorized access to certain offline utilities. If LAN Management is not enabled, the system will not be affected by this issue.

The problem has not been reported by any HP customers. However, because Intel is strongly committed to delivering high quality products, it has developed a utility to correct the invalid firmware settings. The BmcLanFix utility and instructions are listed at the following Intel web site: http://support.intel.com/support/motherboards/server/sb/CS-010422.htm

HP and Intel strongly recommend that customers who enable LAN management download the BmcLanFix utility and run it to correct the invalid configuration on servers that have IPMI based LAN management enabled. This utility must be run whenever enabling LAN Management. Additionally, the utility must be reapplied whenever the configuration is saved while LAN Management is enabled.

If you have questions or require help, please contact your local HP support representative or sales office. We appreciate your business and look forward to serving your future computing needs. 

Regards, 

Hewlett-Packard Company

RESOLUTION

HP and Intel strongly recommend that customers who enable LAN management download the BmcLanFix utility and run it to correct the invalid configuration on servers that have IPMI based LAN management enabled. This utility must be run whenever enabling LAN Management. Additionally, the utility must be reapplied whenever the configuration is saved while LAN Management is enabled.

The BmcLanFix utility and instructions are listed at the following Intel web site: http://support.intel.com/support/motherboards/server/sb/CS-010422.htm

HISTORY 
Revision: 0 (rev.0) - 5 April 2004 Initial release 
Version: 1 (rev.1) - Skipped for formatting reasons 
Version: 2 (rev.2) - 26 April 2007 Reformatted

©Copyright 2016 Hewlett Packard Enterprise Company, L.P.
Hewlett Packard Enterprise Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Company and the names of Hewlett Packard Enterprise Company products referenced herein are trademarks of Hewlett Packard Enterprise Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.