Skip to main content

HPE's server software has 'critical' security flaw

HPE
(Image credit: Hewlett Packard Enterprise)
Audio player loading…

HPE (opens in new tab) has released a new security bulletin disclosing a zero-day vulnerability in the latest version of its Systems Insight Manager (SIM) server software.

HPE SIM is a management and remote support automation solution for Windows and Linux intended to be used with the company's servers, storage and networking products.

The recently disclosed zero-day vulnerability, tracked as CVE-2020-7200, was first reported by security researcher Harrison Neal through Trend Micro's Zero Day Initiative (opens in new tab) and it affects version 7.6 of the company's SIM software.

Although HPE has released mitigation info for the vulnerability and is currently working on a patch to fully address the issue, it did not reveal whether the zero-day is being actively exploited in the wild.

Remote code execution

HPE has given the vulnerability a critical severity rating of 9.8 as it can be exploited by attackers with no privileges to remotely execute code on servers running the vulnerable version of its SIM software.

In its security bulletin (opens in new tab), the company explained that the vulnerability can be mitigated by disabling SIM's “Federated Search” and “Federated CMS Configuration” features. HPE will also release a complete fix that prevents the remote code execution vulnerability in the coming weeks.

For now though, system admins who use HPE's SIM management software will need to stop the HPE SIM Service, delete the simsearch.ware file, restart the service and execute the command “mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul” from a command prompt.

While this will prevent the vulnerability from being exploited by potential attackers, it will also mean that HPE SIM users can no longer use the federated search feature.

Via BleepingComputer (opens in new tab)

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.