  • If your organization uses HP Device Manager to control thin clients, you need to plug this hole now

    Posted on September 30th, 2020 at 05:01 woody

    News early this morning from Thomas Claburn at The Register

    HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account… the account can be exploited to achieve privilege escalation and, in conjunction with other flaws, gain unauthorized remote command execution as SYSTEM.

    This is bad: if you can reach a vulnerable installation of this device manager on a network, you can gain admin-level control over its machine and the thin clients it controls. HPDM typically runs on a Windows-powered server, and directs multiple Windows clients.

    HP just updated its security bulletin HPSBHF03689.

    There’s an updated HP Device Manager coming. In the interim, make sure you follow the HP remediation steps — and close up the hole manually following @nickstadb’s steps in The Reg.