Re: hpsmh heartbleed (3694 Views)
Reply
Occasional Contributor
Alwin Warringa
Posts: 3
Registered: ‎12-15-2009
Message 1 of 22 (6,507 Views)

hpsmh heartbleed

[ Edited ]

Hi,

 

We discovered that hpsmh (version 7.2.2-8) is vurnerable for the OpenSSL Heartbleed problem on tcp port 2381, when will HP fix this issue? Is it possible to manual patch the embedded openssl?

 

Alwin.

 

 

P.S. This trhead has been moevd from ProLiant Servers (ML,DL,SL) to ITRC HP Systems Insight Manager Forum. - Hp forum moderator

 

Valued Contributor
SwisspostIT
Posts: 181
Registered: ‎02-20-2012
Message 2 of 22 (6,422 Views)

Re: hpsmh heartbleed

Hello,

 

this would interest me too!

 

I've read in the Revision history of SMH for Windows, that the last update to openSSL was with HP SMH version 7.3.0.9 in which OpenSSL got updated to version 1.0.1e.

According to the OpenSSL Security Advisory (https://www.openssl.org/news/secadv_20140407.txt) the "heartbleed" is fixed in version 1.0.1g.

 

HP can you please provide us information about a release of a fixed HP SMH?

 

Thank you!

Valued Contributor
SwisspostIT
Posts: 181
Registered: ‎02-20-2012
Message 3 of 22 (6,391 Views)

Re: hpsmh heartbleed

They released a security bulletin now which is available here: http://alerts.hp.com/r?2.1.3KT.2ZR.11MyKG.KUeOn0..N.ewLY.8RKW.bW89MQ%5f%5fDCTOFQR0

 

(No information yet about a release of a fixed version)

Occasional Visitor
beermaster
Posts: 1
Registered: ‎04-15-2014
Message 4 of 22 (6,121 Views)

Re: hpsmh heartbleed

[ Edited ]

I was able to patch the service with a non-vulnerable openssl obtained from Red Hat rpms:

 

openssl-1.0.1e-16.el6_5.7.x86_64.rpm

openssl-devel-1.0.1e-16.el6_5.7.x86_64.rpm

 

It is necessary to extract the binary, libraries and creating the necessary symlinks:

 

/opt/hp/hpsmh # ll bin/openssl

-rwxr-xr-x 1 czkccz adminux 521472 Apr 15 10:00 bin/openssl

 

/opt/hp/hpsmh # ll lib/libssl.so*

lrwxrwxrwx 1 root   root        16 Apr 15 10:06 lib/libssl.so -> libssl.so.1.0.1e

lrwxrwxrwx 1 root   root        16 Apr 15 10:06 lib/libssl.so.1.0.0 -> libssl.so.1.0.1e

-rwxr-xr-x 1 czkccz adminux 441112 Apr 15 10:01 lib/libssl.so.1.0.1e

 

/opt/hp/hpsmh # ll lib/libcrypto.so*

lrwxrwxrwx 1 root   root         19 Apr 15 10:09 lib/libcrypto.so -> libcrypto.so.1.0.1e

lrwxrwxrwx 1 root   root         19 Apr 15 10:09 lib/libcrypto.so.1.0.0 -> libcrypto.so.1.0.1e

-rwxr-xr-x 1 czkccz adminux 1950976 Apr 15 10:08 lib/libcrypto.so.1.0.1e

lrwxrwxrwx 1 root   root         19 Apr 15 10:10 lib/libcrypto.so.10 -> libcrypto.so.1.0.1e

/opt/hp/hpsmh #

 

 

I ran the script (https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl) to check and indicated that it is no longer vulnerable.

 

# /etc/init.d/hpsmhd start

Starting hpsmhd ..                                                                                                                          done

# ./ssl-hearbleed-check.pl -s 127.0.0.1:2381

...ssl received type=22 ver=0x301 ht=0x2 size=77

...ssl received type=22 ver=0x301 ht=0xb size=968

...ssl received type=22 ver=0x301 ht=0xe size=0

...send heartbeat#1

no reply - probably not vulnerable

#

 

I hope it will be useful, while a new hpsmh version is released.

 

Regards

 

Sergio Ramirez

GNU/Linux Team

HP Enterprise Services México 

--
Sergio Manuel Ramirez Martinez
GNU/Linux Team
HP Enterprise Services México
Occasional Visitor
AUS-1032
Posts: 1
Registered: ‎04-15-2014
Message 5 of 22 (6,040 Views)

Re: hpsmh heartbleed

Do we have any procedure for windows systems?

Trusted Contributor
Andrew_Haak
Posts: 413
Registered: ‎09-13-2013
Message 7 of 22 (5,637 Views)

Re: hpsmh heartbleed

Hello people,

 

I've updated the SMH for a Windows 2008 R2 server to the new version 7.3.2.1.

Now i get a timeout on the System Management homepage. I used the VCA 7.2.0.0 and this version becomes unresponsive with the new SMH. I had to update to the latest VCA. That version has the bug that you can't update the Diskfirmware. HP advised me to uninstall the VCA since HPSUm is the new way to update instead of VCA. So HP is leaving VCA. So i've just posteded this message to let you all know.

 

Kind regards,

 

Andrew Haak

Kind regards,

Andrew
Valued Contributor
SwisspostIT
Posts: 181
Registered: ‎02-20-2012
Message 8 of 22 (5,023 Views)

Re: hpsmh heartbleed

Hi Andrew,

 

thanks for your information!

Are you aware of any other bugs from the newest VCA except the harddisk firmware issue?

We'd like to have it installed anyway on the systems, so you have a overview of installed firmware/driver/software on one page... (unless we'll have rolled out HPSUM on every system)

 

Thanks and regards,

Ville

Occasional Visitor
mikj
Posts: 1
Registered: ‎04-23-2014
Message 9 of 22 (4,898 Views)

Re: hpsmh heartbleed

Please be aware that the 32 bit Windows 7.3.2.1 version of the patch breaks the HP smh, the service starts but is not listening on 2381

 

smhstart_err.log show it cannot load the php5apache2.so module

Occasional Advisor
sungminjin
Posts: 11
Registered: ‎12-06-2013
Message 10 of 22 (4,840 Views)

Re: hpsmh heartbleed

mikj , I think I installed this on a 32bit windows 7.3.2.1 version and now when I try to open up  https://localhost:2381   i get a page can not be displayed ...  are you having same issue as me ?

I installed this on my windows 2003 standard version.

 

thanks.

Regular Advisor
Sean Murray_1
Posts: 233
Registered: ‎01-26-2004
Message 11 of 22 (4,817 Views)

Re: hpsmh heartbleed

Yes, the new(er) versions seems to break SMH and will not load.

 

I stayed on 7.2.2.9 for that reason alone.

Except for 2008 R2, if I install it on 2003 x32 or x64, the SMH page no longer loads.

 

Rather frustrating.

Moderator
RASHMI
Posts: 4,415
Registered: ‎05-20-2004
Message 12 of 22 (4,744 Views)

Re: hpsmh heartbleed

Hello: To All,

 

HP is committed to delivering secure systems that effectively manage our invaluable customer and employee data. Therefore we kindly request you to reach out to our Software Security Response Team (SSRT).

 

Kindly find the given below "Report a potential security vulnerability to HP" link, If any claims you people have been impacted and/or have details where you can share with HP -

https://h41268.www4.hp.com/live/index.aspx?qid=11503

 

 

 

Thanks,
Rashmi
Forum Moderator
Regular Advisor
David Orwig
Posts: 105
Registered: ‎04-13-2004
Message 13 of 22 (4,623 Views)

Re: hpsmh heartbleed

Rashmi, we know what the vulnerability is... and so does HP. We just want a fix that works on our 32 bit (x86) operating systems!

Honored Contributor
Nelson Kaeppel
Posts: 951
Registered: ‎03-12-2003
Message 14 of 22 (4,485 Views)

Re: hpsmh heartbleed

I am in the same boat - Windows 2003 servers that cannot run the latest SMH.  I am wondering if there is an older version of SMH that is free of the Heartbleed bug and also works with Windows 2003?  In other words, how long has Heartbleed been a problem?  Has it just shown up in the last few versions, and earlier version are OK?  If so, what is the last version of SMH that had a version of OpenSSL free from Heartbleed problems?  That is the version I would need to install since the lastest version - which fixes Heartbleed - is not supported on Windows 2003.

 

Thanks

NK

Frequent Advisor
Steve Weeks_1
Posts: 47
Registered: ‎12-13-2006
Message 15 of 22 (4,236 Views)

Re: hpsmh heartbleed

You need something like this below. All will then work for 2003 servers.

 

2008 servers work ok with 7.3.2.1

 

CLS
set repos=\\server\mydomain.com\d$\Win2003_SHMfix

Echo Replacing php5apache2.so and php5ts.dll
Echo From: %repos%\%PROCESSOR_ARCHITECTURE%
Echo To : %systemDrive%\hp\hpsmh\modules
Echo For %PROCESSOR_ARCHITECTURE% type OS

net stop "HP System Management Homepage" /Y
timeout 5 /nobreak >nul

copy %repos%\%PROCESSOR_ARCHITECTURE% %systemDrive%\hp\hpsmh\modules /Y

set repos=
net Start "HP System Management Homepage" /Y
echo Finsihed

Occasional Visitor
The_Stig
Posts: 1
Registered: ‎04-29-2014
Message 16 of 22 (4,181 Views)

Re: hpsmh heartbleed

Yes please lets see a fix. I created an account just to leave this comment, thats how much i'd love a fix =) It's disconcerting that HP mentions that this is addressed and fixed already for x86 and x64 when the proof is in the pudding regarding the drop of PHP5 code suppport.

Rashmi, can you put HP SSRT in contact with this thread and notice the 2300+ unique views on it?
Trusted Contributor
pkrai
Posts: 201
Registered: ‎03-02-2006
Message 17 of 22 (4,041 Views)

Re: hpsmh heartbleed

Two new versions of SMH are available, which provides fix for this vulnerability:

 

SMH 7.3.2

SMH 7.2.3

Upgrade_path.jpg

Trusted Contributor
pkrai
Posts: 201
Registered: ‎03-02-2006
Message 18 of 22 (4,023 Views)

Re: hpsmh heartbleed

Please find enclosed some more information around the same topic...

 

Thanks

Trusted Contributor
waaronb
Posts: 403
Registered: ‎10-26-2012
Message 19 of 22 (3,977 Views)

Re: hpsmh heartbleed

Let's say, for the sake of argument, that you absolutely cannot update to the latest version of SMH, VCA or VCRM.  All 3 of those have recently been updated to include OpenSSL 1.0.1g, but let's pretend you can't update for whatever reason (compatibility concerns, effort involved, etc.

 

You could, if you want, simply download OpenSSL 1.0.1g for your OS and update the files yourself.  I don't have any physical boxes running Linux so I won't pretend to know about that, but someone already mentioned how a few posts up.

 

For Windows, you download a compiled version and you should have a couple of DLL's to focus on:

ssleay32.dll

libeay32.dll

 

If you're having trouble finding compiled versions of those DLL's, well hey, just extract the contents of the latest VCA, VCRM or SMH and they're inside there, both 32 and 64 bit versions.

 

On your Windows machine, under C:\HP you'll find multiple locations where those files exist, depending on what all you have installed.  On my machine which has SMH, VCA *and* VCRM installed, there are 4 spots where both files live:

 

C:\hp\hpsmh\bin\libeay32.dll
C:\hp\hpsmh\bin\ssleay32.dll
C:\hp\hpsmh\data\cgi-bin\vcagent\libeay32.dll
C:\hp\hpsmh\data\cgi-bin\vcagent\ssleay32.dll
C:\hp\hpsmh\data\cgi-bin\vcrepository\libeay32.dll
C:\hp\hpsmh\data\cgi-bin\vcrepository\ssleay32.dll
C:\hp\hpsmh\modules\libeay32.dll
C:\hp\hpsmh\modules\ssleay32.dll

 

I can't quite figure out why, but the DLLs located in hpsmh\bin and hpsmh\modules are slightly different filesizes than the ones in vcagent and vcrepository... they're all 1.0.1g though, and the 64-bit version on my 64-bit Windows, but it's odd.  It's like HP compiled them differently.  I think it'd be safe to use the same one for all the spots though, but if you really want to be sure, extract the specific files from the specific HP software.

 

Anyway, copy over either the 32 or 64 bit version depending on what you're running.   You'll need to stop the services first of course.  If you use the files from inside the HP software, the 64-bit versions have "x64" in the filename, so just copy them over to the regular filename.

 

If none of this is making any sense, then you probably shouldn't be attempting something like this... just saying...

 

Oh, and if you're running HP SIM, there's no new version out yet, but it's running an older version of OpenSSL that isn't vulnerable.  I just checked, and my HP SIM 7.3 with the latest hotfixes only has version 0.9.8d.  Seems like HP SIM is safe only by it's extreme negligence in keeping it's SSL libraries up to date in the first place.  Could be worse I guess.

 

Of course your best bet is to install the latest HP software anyway because there's more fixes besides just OpenSSL, but if none of them apply to you and you're happy with the version you're on, this could be an easier way to go to secure things.  Just script something to stop those services remotely, copy the new files out where they belong, and restart.

 

Disclaimer: I have NOT tried this out myself, but when Heartbleed was first announced, I looked into doing this as a plan B in case HP dragged it's feet getting it patched properly.  If it doesn't work, keep those old DLL's handy and roll back if needed.

Honored Contributor
Nelson Kaeppel
Posts: 951
Registered: ‎03-12-2003
Message 20 of 22 (3,953 Views)

Re: hpsmh heartbleed

Thanks for the version list - that was vey helpful.

 

Does that mean if I have a server running a much version of the SMH, that I dont have to update it (to patch for Heartbleed)?  For example, if I have a server running this version:

 

HP System Management Homepage v3.0.1.73

 

and since this version is not on your list, it is not affected by Heartbleed (I am assuming it is using an older version OpenSSL that was not affected by Heartbleed)?  Or are pretty much ALL versions of SHM affected by Heartbleed except the two new versions you listed.

Thanks

NK

Valued Contributor
SwisspostIT
Posts: 181
Registered: ‎02-20-2012
Message 21 of 22 (3,906 Views)

Re: hpsmh heartbleed

Hey waaronb, thanks for your workaround!

 

Frequent Advisor
kkpro
Posts: 81
Registered: ‎01-26-2012
Message 22 of 22 (3,694 Views)

Re: hpsmh heartbleed

[ Edited ]

Will HP update SMH for Debian/Ubuntu ? Or is it updating OpenSSL enough ?

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.