Sign in / up

back to article HP perfomance monitor can climb through Windows

Rapid7 is advising HP SiteScope users to run the tool on Linux rather than Windows servers because of a nasty privilege escalation vulnerability. The agentless monitoring environment that headlines HP's operational management offerings lets authenticated users run commands with system privilege, the security bods explain. The …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Anonymous Coward
    Anonymous Coward

    HP+Security makes me laugh.

    I've seen many security problems in HP products. "HP Storage ESL" comes to mind it has by default a web server running, no login required that allows reboots.

    2 0 Reply
  2. a_yank_lurker

    Again?

    It sounds like the real solution is to run a script during installation to reset the parameters to a more safe instance. Since it does not need root privileges in Linux is there a good reason why admin privileges are needed in Windows?

    2 0 Reply
    1. david 12 Silver badge
      Reply Icon

      Re: Again?

      "SYSTEM" is not an account. It is a SID, a role, an account type. And that SID, by itself, doesn't work for most network tasks, so whatever account they are using must also include a SID that does have network privileges.

      There probably is a good reason why it needs a privilege in Windows which doesn't exist in Linux. It could be anything, and it might not even be a privilege associated with the SYSTEM role: it might be a privilege associated with the other role.

      0 0 Reply
  3. Mikel

    Always good advice

    Heed it with everything else too.

    2 0 Reply
  4. Anonymous Coward
    Anonymous Coward

    Please tell me they don't use a shell to perform a DNS query...

    ... but from what I see it looks again sloppy developers took a dangerous shortcut.

    0 0 Reply
  5. anonymous boring coward Silver badge

    Would it be too much to ask that SiteScope was fixed?

    1 0 Reply
    1. Fatman
      Reply Icon
      Joke

      Wishful thinking

      <quote>Would it be too much to ask that SiteScope was fixed?</quote>

      No, because the "fix budget" was blown by the Autonomy purchase.

      2 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like