Five 0days: HP in the security dock
In compliance with its policies, the Zero Day Initiative (ZDI) has now released five security holes that HP has had more than six months to fix. All of the zero-day holes affect products in HP's enterprise and networking divisions:
- HP LeftHand Virtual SAN
- HP Operations Agent for NonStop
- HP Intelligent Management Center
- HP iNode Management Center
- HP Diagnostics Server
In all five products, remote attackers can exploit programming flaws to inject and execute arbitrary code via specially crafted requests – sometimes even at SYSTEM user level. This is considered the highest threat level. In all five cases, the ZDI informed the company of the problems at the end of 2011. Yet HP failed to release patches for any of these critical security holes – hence the name zero-day, or 0day: customers have no advance notice to prepare for potential attacks that exploit these holes. Also, HP has not yet responded to requests for comment from heise Security, The H's associates in Germany.
Because many companies made no move to fix security holes that were reported to them, the ZDI announced two years ago that it would in future disclose such holes after 180 days if the vendor failed to respond. The vulnerability brokers have repeatedly enforced this policy. The fact that the ZDI didn't manage to convince HP of the serious nature of the current problems casts HP in a bad light.
The ironic nature of the state of affairs becomes evident when visiting the home page of TippingPoint, the company that runs the Zero Day Initiative: the link leads straight to HP Enterprise Security because HP took over TippingPoint when it acquired 3Com. In fairness, it should be mentioned that this company division isn't responsible for the security of (HP) software but primarily focuses on selling products that are designed to make (zero-day) security holes more difficult to exploit: "HP is a leading provider of security and compliance solutions for modern enterprises that want to mitigate risk in their hybrid environments". In other words: those who want to avoid being targeted via existing security holes can find suitable security products in HP's range.