
DOE-CIRC TECHNICAL BULLETIN

T-231: HP StorageWorks Remote Management Interface Vulnerability

September 15, 2009 14:00 GMT

PROBLEM: A vulnerability was reported in HP StorageWorks Remote Management Interface. A remote user can cause denial of service conditions.
PLATFORM: HP StorageWorks 1/8 G2 Tape Autoloader firmware v 2.30 and earlier, HP StorageWorks MSL2024 Tape Library firmware v 4.20 and earlier, HP StorageWorks MSL4048 Tape Library firmware v 6.50 and earlier, HP StorageWorks MSL8096 Tape Library firmware v 8.90 and earlier.
ABSTRACT: A remote user can exploit a flaw in the remote management interface (RMI) for MSL Tape Libraries and 1/8 G2 Tape Autoloaders to cause unspecified denial of service conditions.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-231.shtml
  OTHER LINKS: Security Tracker http://securitytracker.com/alerts/2009/Sep/1022905.html


IMPACT ASSESSMENT: This risk is low. A remote user can cause denial of service conditions.

Discussion:
A potential security vulnerability has been identified on the HP StorageWorks Remote Management Interface (RMI) for MSL Tape Libraries and 1/8 G2 Tape Autoloaders. The vulnerability could be remotely exploited to create a Denial of Service (DoS).

Vulnerable:
HP StorageWorks 1/8 G2 Tape Autoloader firmware v 2.30 and earlier
HP StorageWorks MSL2024 Tape Library firmware v 4.20 and earlier
HP StorageWorks MSL4048 Tape Library firmware v 6.50 and earlier
HP StorageWorks MSL8096 Tape Library firmware v 8.90 and earlier

Solution:
The vendor has released firmware updates to resolve the vulnerability. They can be found below:

http://www.hp.com/support/storage




DOE-CIRC wishes to acknowledge the contributions of HP for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788