HP Insight Diagnostics flaws discovered
Posted by: TimW on 06/11/2013 03:37 PM
HP's server management software, HP Insight Diagnostics, has multiple vulnerabilities lurking in the application. Combined, the flaws allow an attacker to execute arbitrary PHP code with administrative rights on the server. So far, there is no patch.
Identified as CVE-2013-3573, CVE-2013-3574 and CVE-2013-3575, the vulnerabilities exist in version 9.4.0.4710 and possibly earlier versions. The holes were found by Markus Wulftange from Daimler TSS who recorded and reported the flaws to the vendor. A remote attacker needs only to be authenticated for the combined vulnerabilities to be exploitable.
With no fix available, US-CERT advises users to follow good security practice and restrict network access, allowing connections only from trusted hosts and networks.