Input validation error in Certain HPE StoreEasy Servers

1) Input validation error

EUVDB-ID: #VU69115

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-26006

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A local user can run a specially crafted program to escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

StoreVirtual 3000 Storage: before 3.04_08_04_2022

HPE 3PAR StoreServ File Controller v3 System: before 3.04_08_04_2022

HPE StoreEasy 1650 Expanded Storage: before 3.04_08_04_2022

HPE StoreEasy 3850 Gateway Storage: before 3.04_08_04_2022

HPE StoreEasy 1850 Storage: before 3.04_08_04_2022

HPE StoreEasy 1650 Storage: before 3.04_08_04_2022

HPE StoreEasy 1550 Storage: before 3.04_08_04_2022

HPE StoreEasy 1450 Storage: before 3.04_08_04_2022

HPE StoreVirtual 3000 File Controller: before 3.04_08_04_2022

External links

http://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04375en_us

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.