AD credentials can be leaked from the Management Interface for HP Anyware Connector (current and legacy)

Rate this Article
Average: 5 (1 vote)

Summary 

An insufficiently protected credentials vulnerability has been identified in the Management Interface of the HP Anyware Connector and the HP Anyware Connector Legacy for releases from April 20, 2020 and earlier (v15 and earlier for HP Anyware Connector). 

Affected releases have the potential to expose the Active Directory service account credentials that configured during HP Anyware Connector installation to an unauthenticated attacker of the service. 

 

Severity 

Critical 

 

Affected Products 

  • HP Anyware Connector v15 and earlier 
  • HP Anyware Connector (Legacy) from April 20, 2020 and earlier 

 

Available Updates 

  • HP Anyware Connector v16 and newer 
  • HP Anyware Connector (Legacy) update from April 20, 2020 onwards 

 

Workarounds and Mitigations 

Block or restrict network connectivity to https://<fqdn or ip address of Cloud Access Connector>/CloudAccessManager/ to trusted networks only to reduce the scope of exposure. 

 

References 

The following article describes this class of vulnerability (CWE-522: Insufficiently Protected Credentials)https://cwe.mitre.org/data/definitions/522.html 

 

Acknowledgements 

We would like to thank Michael Fowl and team of VDA Labs https://vdalabs.com/ team for finding and reporting this vulnerability.