HPE OneView Vulnerability Let Attacker Bypass Authentication

In the Hewlett Packard Enterprise OneView Software, three security flaws have been identified, which might be remotely exploited to allow authentication bypass, disclosure of sensitive information, and denial of service.

HPE OneView is an integrated IT infrastructure management software that automates IT operations and streamlines infrastructure lifecycle management, including computing, storage, and networking.


Vulnerabilities Disclosed

CVE-2023-30908 – Remote Authentication Bypass

This vulnerability, with a CVSS score of 9.8, enables an attacker to bypass authentication and obtain unauthorized access to HPE OneView. The flaw is caused by the way HPE OneView manages user credentials. 

An attacker might take advantage of this vulnerability by sending the HPE OneView server a specially crafted request.

The CVE-2023-30908 flaw was reported by Sina Kheirkhah (@SinSinology) of the Summoning Team (@SummoningTeam) in association with the Trend Micro Zero Day Initiative.

CVE-2022-4304 – Disclosure of Sensitive Information

A timing-based side channel in the RSA Decryption implementation in OpenSSL may allow a remote attacker to get sensitive information. An attacker might exploit this issue by sending an excessively large number of trial messages for decryption.

CVE-2023-2650 – Denial of Service

A remote attacker might exploit this issue to launch a denial of service (DoS) attack on HPE OneView. The flaw lies in the way OpenSSL handles the OBJ_obj2txt() function.

An attacker might take advantage of this flaw by sending a specially crafted request to the HPE OneView server.

Impacted Versions

HPE OneView – Prior to v8.5 and v6.60.05 patch

Fix Available

To address these vulnerabilities, HPE has released the following software updates, Hewlett Packard Enterprise OneView version 8.5 and the 6.60.05 patch:

  • Hewlett Packard Enterprise OneView v8.5 or later
  • Hewlett Packard Enterprise OneView v6.60.05 LTS

You can visit the HPE Support Center to download the latest software.

HPE has issued fixes for the impacted HPE OneView versions. To protect systems from these vulnerabilities, users should apply the updates as soon as feasible.
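The version ranges above can be turned into a quick inventory check. The script below is an added example written for this article, not HPE tooling, and it encodes one assumption drawn from the advisory text: every release before 8.5 is affected, except the 6.60 LTS branch, which is fixed from the 6.60.05 patch onward. The appliance names and versions in the sample inventory are constructed.

```python
"""Check HPE OneView appliance versions against the fixed releases named in the advisory.

Assumed rule (from the advisory text, not an official HPE matrix): releases
prior to 8.5 are affected, except the 6.60 LTS branch, which is fixed at
6.60.05 and later. The inventory lines below are constructed sample data.
"""
import re
from typing import List, Tuple

# Fixed releases as stated in the advisory.
FIXED_MAIN = (8, 5)          # 8.5 or later
FIXED_LTS_BRANCH = (6, 60)   # the 6.60 LTS branch ...
FIXED_LTS = (6, 60, 5)       # ... is fixed at the 6.60.05 patch

VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v6.60.05' into (6, 60, 5); raise ValueError on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the given appliance version predates the fix for its branch."""
    v = parse_version(version)
    if v[:2] == FIXED_LTS_BRANCH:
        # On the LTS branch only the 6.60.05 patch (or later) carries the fix.
        # Tuple comparison makes a bare '6.60' (no patch) sort below 6.60.05.
        return v < FIXED_LTS
    return v < FIXED_MAIN


# Constructed sample inventory: '<hostname> <version>' per line.
SAMPLE_INVENTORY = """\
oneview-dc1   v6.60.04
oneview-dc2   v6.60.05
oneview-lab   v8.4
oneview-prod  8.5
oneview-edge  6.60
"""


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) per line; status is 'affected',
    'fixed' or 'unknown' (missing or unparseable version)."""
    results = []
    for line in inventory.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        host = parts[0]
        ver = parts[1].strip() if len(parts) > 1 else ""
        try:
            status = "affected" if is_affected(ver) else "fixed"
        except ValueError:
            status = "unknown"
        results.append((host, ver, status))
    return results


if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14s} {ver:10s} {status}")
```

Anything reported as "affected" should be scheduled for the 8.5 or 6.60.05 update; "unknown" entries are versions the regex could not read and need a manual look rather than being silently treated as fixed.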


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.