Details of VAR-201802-0740

ID

VAR-201802-0740

CVE

CVE-2017-8959

TITLE

HPE MSA 1040 and MSA 2040 SAN Storage Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-012699

DESCRIPTION

An Authentication Bypass vulnerability in HPE MSA 1040 and HPE MSA 2040 SAN Storage in version GL220P008 and earlier and was found. HPE MSA 1040 and MSA 2040 SAN Storage Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. HPEMSA1040 and MSA2040SANStorage are storage devices of Hewlett Packard Enterprise (HPE). An elevation of privilege vulnerability exists in HPEMSA1040 and MSA2040SANStorageGL220P008 and earlier. A remote attacker can exploit this vulnerability to increase privileges. An attacker may leverage these issues to bypass the authentication mechanism and gain unauthorized access or to gain elevated privileges. This may aid in further attacks

Trust: 2.52

sources: NVD: CVE-2017-8959 // JVNDB: JVNDB-2017-012699 // CNVD: CNVD-2018-06706 // BID: 101547 // VULHUB: VHN-117162

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-06706

AFFECTED PRODUCTS

vendor:	hp	model:	msa 1040 san storage	scope:	lte	version:	gl220p008	Trust: 1.0
vendor:	hp	model:	msa 2040 san storage	scope:	lte	version:	gl220p008	Trust: 1.0
vendor:	hewlett packard	model:	hpe msa 1040 storage	scope:	lte	version:	gl220p008	Trust: 0.8
vendor:	hewlett packard	model:	hpe msa 2040 storage	scope:	lte	version:	gl220p008	Trust: 0.8
vendor:	hp	model:	msa <gl220p008	scope:	eq	version:	1040	Trust: 0.6
vendor:	hp	model:	msa san storage <=gl220p008	scope:	eq	version:	2040	Trust: 0.6
vendor:	hp	model:	msa 2040 san storage	scope:	eq	version:	gl220p008	Trust: 0.6
vendor:	hp	model:	msa 1040 san storage	scope:	eq	version:	gl220p008	Trust: 0.6
vendor:	hp	model:	msa storage gl220p008	scope:	eq	version:	2040	Trust: 0.3
vendor:	hp	model:	msa storage gl200r007	scope:	eq	version:	2040	Trust: 0.3
vendor:	hp	model:	msa storage gl220p008	scope:	eq	version:	1040	Trust: 0.3
vendor:	hp	model:	msa storage gl200r007	scope:	eq	version:	1040	Trust: 0.3
vendor:	hp	model:	msa storage gl220p009	scope:	ne	version:	2040	Trust: 0.3
vendor:	hp	model:	msa storage gl220p009	scope:	ne	version:	1040	Trust: 0.3

sources: CNVD: CNVD-2018-06706 // BID: 101547 // JVNDB: JVNDB-2017-012699 // CNNVD: CNNVD-201705-837 // NVD: CVE-2017-8959

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-8959
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-8959
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-06706
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201705-837
value:	HIGH
Trust: 0.6
VULHUB:	VHN-117162
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-8959
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-06706
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-117162
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-8959
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-06706 // VULHUB: VHN-117162 // JVNDB: JVNDB-2017-012699 // CNNVD: CNNVD-201705-837 // NVD: CVE-2017-8959

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-264	Trust: 0.9

sources: VULHUB: VHN-117162 // JVNDB: JVNDB-2017-012699 // NVD: CVE-2017-8959

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-837

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201705-837

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012699

PATCH

title:	HPESBST03780	url:	https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbst03780en_us	Trust: 0.8
title:	Patch for HPEMSA1040 and MSA2040 SANStorage Privilege Escalation Vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/124323	Trust: 0.6
title:	HPE MSA 1040 and MSA 2040 SAN Storage Fixes for permission permissions and access control vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99811	Trust: 0.6

sources: CNVD: CNVD-2018-06706 // JVNDB: JVNDB-2017-012699 // CNNVD: CNNVD-201705-837

EXTERNAL IDS

db:	NVD	id:	CVE-2017-8959	Trust: 3.4
db:	JVNDB	id:	JVNDB-2017-012699	Trust: 0.8
db:	CNNVD	id:	CNNVD-201705-837	Trust: 0.7
db:	CNVD	id:	CNVD-2018-06706	Trust: 0.6
db:	BID	id:	101547	Trust: 0.3
db:	VULHUB	id:	VHN-117162	Trust: 0.1

sources: CNVD: CNVD-2018-06706 // VULHUB: VHN-117162 // BID: 101547 // JVNDB: JVNDB-2017-012699 // CNNVD: CNNVD-201705-837 // NVD: CVE-2017-8959

REFERENCES

url:	https://support.hpe.com/hpsc/doc/public/display?docid=emr_na-hpesbst03780en_us	Trust: 2.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8959	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8959	Trust: 0.8
url:	http://www.hp.com/	Trust: 0.3

sources: CNVD: CNVD-2018-06706 // VULHUB: VHN-117162 // BID: 101547 // JVNDB: JVNDB-2017-012699 // CNNVD: CNNVD-201705-837 // NVD: CVE-2017-8959

CREDITS

David Berard of Ubisoft

Trust: 0.3

sources: BID: 101547

SOURCES

db:	CNVD	id:	CNVD-2018-06706
db:	VULHUB	id:	VHN-117162
db:	BID	id:	101547
db:	JVNDB	id:	JVNDB-2017-012699
db:	CNNVD	id:	CNNVD-201705-837
db:	NVD	id:	CVE-2017-8959

LAST UPDATE DATE

2024-11-23T21:53:22.609000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-06706	date:	2018-03-29T00:00:00
db:	VULHUB	id:	VHN-117162	date:	2019-10-03T00:00:00
db:	BID	id:	101547	date:	2017-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2017-012699	date:	2018-04-05T00:00:00
db:	CNNVD	id:	CNNVD-201705-837	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-8959	date:	2024-11-21T03:35:04.467

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-06706	date:	2018-03-29T00:00:00
db:	VULHUB	id:	VHN-117162	date:	2018-02-15T00:00:00
db:	BID	id:	101547	date:	2017-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2017-012699	date:	2018-04-05T00:00:00
db:	CNNVD	id:	CNNVD-201705-837	date:	2017-05-19T00:00:00
db:	NVD	id:	CVE-2017-8959	date:	2018-02-15T22:29:08.340