CVE-2023-30908: HPE OneView Remote Authentication Bypass Vulnerability

CVE-2023-30908

Hewlett Packard Enterprise (HPE) OneView is a software platform that helps IT organizations manage their data center infrastructure. However, three security vulnerabilities have been identified in HPE OneView software that could be exploited to allow authentication bypass, disclosure of sensitive information, and denial of service.

CVE-2023-30908

Remote Authentication Bypass Vulnerability (CVE-2023-30908)

With a CVSS score of 9.8, this vulnerability allows an attacker to bypass authentication and gain unauthorized access to HPE OneView. The vulnerability exists in the way that HPE OneView handles user credentials. An attacker could exploit this vulnerability by sending a specially crafted request to the HPE OneView server.

Kudos to Sina Kheirkhah (@SinSinology) of the Summoning Team (@SummoningTeam) in collaboration with Trend Micro Zero Day Initiative for highlighting the CVE-2023-30908 loophole.

OpenSSL Information Disclosure Vulnerability (CVE-2022-4304)

This vulnerability could allow a remote attacker to obtain sensitive information, such as encryption keys and passwords. The vulnerability exists in the way that OpenSSL handles RSA decryption. An attacker could exploit this vulnerability by sending a specially crafted request to the HPE OneView server.

OpenSSL Denial of Service Vulnerability (CVE-2022-4304)

This vulnerability could allow a remote attacker to cause a denial of service (DoS) attack against HPE OneView. The vulnerability exists in the way that OpenSSL handles the OBJ_obj2txt() function. An attacker could exploit this vulnerability by sending a specially crafted request to the HPE OneView server.

Affected Versions

The affected versions of HPE OneView are:

  • Prior to v8.5
  • Prior to the v6.60.05 patch

Unaffected Versions

The unaffected versions of HPE OneView are:

  • v8.5 or later
  • v6.60.05 LTS

Recommendations

HPE has released patches for the affected versions of HPE OneView. Users are advised to apply the patches as soon as possible to protect their systems from these vulnerabilities.