28 Aug 2012

Five Zero-Day HP Software Bugs Disclosed Before Patching Put Companies at Risk


Five zero-day security holes in five enterprise software applications from Hewlett-Packard have been publicly disclosed by the Zero Day Initiative (ZDI). The decision was taken after more than six months in which the vendor, although duly notified, had not fixed the issues.

Systems running HP LeftHand Virtual SAN, HP Operations Agent for NonStop, HP Intelligent Management Center, HP iNode Management Center or HP Diagnostics Center are exposed to remote exploitation resulting in arbitrary code execution with full SYSTEM privileges: an attacker who can reach the vulnerable service over the network can run code of their choosing on the host.

Although the ZDI notified Hewlett-Packard in late 2011, the vendor has not released patches. Since these applications are typically deployed in enterprise and corporate infrastructures, every installation that is reachable over the network puts its owner at risk.

It is unclear whether HP will release patches for the vulnerable applications or ship new versions of them. Until these gaps are closed, users can only minimize the network exposure of the machines running the vulnerable applications, restricting the affected services to administrative networks, and run an up-to-date antivirus solution. Antivirus may catch a known exploit or the payload it delivers, but it does not stop a new exploit against an unpatched, network-reachable service, so exposure reduction is the control that matters.
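The first step in "minimizing network exposure" is knowing which services on a host are listening on every interface rather than on loopback. The following script is an added example, not code from the original article or from HP or ZDI: it parses `netstat -ano` output from a Windows host, reports the wildcard-bound listeners, and renders one Windows Firewall allow rule per exposed port scoped to an administrative subnet. The sample netstat output, the PIDs and ports in it, and the admin subnet `10.0.0.0/24` are constructed for illustration and do not correspond to any of the five affected products; `New-NetFirewallRule` and its parameters are real PowerShell cmdlet parameters.

```python
"""Audit a Windows host's listening sockets for wildcard binds and render
firewall rules that restrict them to an admin subnet.

Added example; not part of the original article. The netstat sample below is
constructed, not captured from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (ports, PIDs and addresses are
# illustrative; they do not describe any specific product).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2208
  TCP    10.0.1.15:49672        10.0.1.20:445          ESTABLISHED     4
  TCP    [::]:8080              [::]:0                 LISTENING       4312
  UDP    0.0.0.0:161            *:*                                    1188
"""

# Addresses that mean "every interface": reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "::"}

# One netstat row. UDP rows carry no State column, so the state group is optional.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return every listening socket: TCP rows in LISTENING state and all UDP rows."""
    listeners: list[Listener] = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or unrecognised row
        if m["proto"] == "TCP" and m["state"] != "LISTENING":
            continue  # established/time-wait connections are not exposure
        # rsplit keeps IPv6 literals such as "[::]" intact.
        addr, port = m["local"].rsplit(":", 1)
        listeners.append(Listener(m["proto"], addr, int(port), int(m["pid"])))
    return listeners


def exposed_listeners(netstat_output: str) -> list[Listener]:
    """Listeners bound to every interface; loopback-only services are skipped."""
    return [l for l in parse_listeners(netstat_output) if l.addr in WILDCARD_ADDRS]


def exposed_ports_by_pid(netstat_output: str) -> dict[int, set[int]]:
    """Map each PID to the set of ports it exposes on all interfaces, so the
    owning process can be matched against the installed-software inventory."""
    result: dict[int, set[int]] = {}
    for l in exposed_listeners(netstat_output):
        result.setdefault(l.pid, set()).add(l.port)
    return result


def firewall_rules(netstat_output: str, admin_cidr: str) -> list[str]:
    """Render one New-NetFirewallRule allow rule per exposed (proto, port),
    permitting only the admin subnet. Display names are hypothetical."""
    ports = sorted({(l.proto, l.port) for l in exposed_listeners(netstat_output)})
    return [
        f'New-NetFirewallRule -DisplayName "Restrict {proto}/{port} to admin net" '
        f"-Direction Inbound -Protocol {proto} -LocalPort {port} "
        f"-RemoteAddress {admin_cidr} -Action Allow"
        for proto, port in ports
    ]


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{l.proto:<4} {l.addr}:{l.port}  pid={l.pid}")
    print()
    for rule in firewall_rules(SAMPLE_NETSTAT, "10.0.0.0/24"):
        print(rule)
```

The generated allow rules only restrict access if the profile's default inbound action is Block and no broader allow rule exists for the same port or program; an installer-created "allow from any" rule must be removed first, since Windows Firewall merges rules permissively. On Linux appliances the same listener audit applies to `ss -lntup` output with a different row format.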