HPE has released a new security bulletin disclosing a zero-day vulnerability in the latest version of its Systems Insight Manager (SIM) server software.
HPE SIM is a management and remote support automation solution for Windows and Linux intended to be used with the company’s servers, storage and networking products.
The recently disclosed zero-day vulnerability, tracked as CVE-2020-7200, was first reported by security researcher Harrison Neal through Trend Micro’s Zero Day Initiative and it affects version 7.6 of the company’s SIM software.
Although HPE has released mitigation info for the vulnerability and is currently working on a patch to fully address the issue, it did not reveal whether the zero-day is being actively exploited in the wild.
Remote code execution
HPE has given the vulnerability a critical severity rating of 9.8 as it can be exploited by attackers with no privileges to remotely execute code on servers running the vulnerable version of its SIM software.
In its security bulletin, the company explained that the vulnerability can be mitigated by disabling SIM’s “Federated Search” and “Federated CMS Configuration” features. HPE will also release a complete fix that prevents the remote code execution vulnerability in the coming weeks.
For now though, system admins who use HPE’s SIM management software will need to stop the HPE SIM Service, delete the simsearch.ware file, restart the service and execute the command “mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul” from a command prompt.
While this will prevent the vulnerability from being exploited by potential attackers, it will also mean that HPE SIM users can no longer use the federated search feature.
Via BleepingComputer