CVE-2024-22442 (CVSS 9.8): HPE Patches Critical 3PAR Service Processor Flaw
Hewlett Packard Enterprise (HPE) has released a security update to address a critical vulnerability (CVE-2024-22442) in its 3PAR Service Processor software. This flaw could allow remote attackers to bypass authentication and gain unauthorized access to sensitive data within the connected storage systems.
The HPE 3PAR Service Processor is a crucial component in managing HPE 3PAR StoreServ Storage systems, responsible for collecting and transmitting data to HPE for monitoring and analysis. CVE-2024-22442 is rated 9.8 (Critical) on the CVSS scale, reflecting the potential for severe exploitation if the software is left unpatched.
The issue stems from a security restriction bypass within the Service Processor software, which could enable attackers to circumvent authentication measures and gain control over the appliance. This could lead to data breaches, unauthorized modifications, and even disruption of storage operations.
HPE has credited security researcher Milad Fadavvi with reporting this critical issue. HPE responded swiftly by releasing a patched version of the Service Processor software, v5.1.2, and urges all users to upgrade immediately. The update addresses the authentication bypass vulnerability and strengthens the overall security posture of the 3PAR Service Processor.
Organizations utilizing HPE 3PAR StoreServ Storage systems with Service Processor software versions 5.1.1 or earlier are strongly advised to prioritize the update to version 5.1.2. Failure to do so could leave their storage infrastructure vulnerable to unauthorized access and potential data compromise.