The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert, adding a maximum-severity remote code execution (RCE) vulnerability in HPE OneView to its Known Exploited Vulnerabilities (KEV) Catalog. Tracked as CVE-2024-37164, the flaw poses a significant risk to organizations running HPE OneView because it is being actively exploited in the wild.
HPE OneView is a converged infrastructure management solution that automates the provisioning, monitoring, and management of servers, storage, and networking. A vulnerability of this magnitude in such a foundational system can allow unauthenticated attackers to gain complete control over affected appliances, with severe operational disruption and data breaches as the likely consequences.
Understanding the Critical Threat: CVE-2024-37164
CVE-2024-37164 carries a CVSS score of 9.8, placing it in the critical severity range. It affects multiple versions of HPE OneView and of HPE Synergy, HPE's composable infrastructure platform. The RCE vulnerability allows an unauthenticated attacker to send specially crafted requests to the appliance and execute arbitrary code with elevated privileges. Its immediate addition to CISA's KEV Catalog underscores the urgency and the confirmed exploitation associated with this flaw.
CISA’s Urgent Directive for Federal Agencies
The inclusion of CVE-2024-37164 in the KEV Catalog carries a mandatory directive for federal civilian executive branch (FCEB) agencies, which are required to apply the required updates by July 16, 2024, to mitigate the risk posed by this actively exploited vulnerability. While the mandate applies specifically to federal agencies, CISA strongly recommends that all organizations operating HPE OneView and HPE Synergy products take immediate action to address the flaw.
HPE’s Response and Patching Guidance
HPE has acknowledged the vulnerability and released security bulletins with the required updates. The affected versions of HPE OneView include 8.6, 8.5, 8.4, 8.3, 8.1, 8.0, 7.2, 7.1, 7.0, 6.6, and 6.5. HPE Synergy systems running these OneView versions are affected as well.
HPE's security advisories, HPSBHF04664 for HPE OneView and HPSBHF04665 for HPE Synergy, detail the recommended patches. Organizations are advised to update their HPE OneView installations to the latest secure versions. These include, but are not limited to:
- HPE OneView 8.6
- HPE OneView 8.5.0.1
- HPE OneView 8.4
- HPE OneView 8.3
- HPE OneView 8.1
- HPE OneView 8.0
- HPE OneView 7.2.1
- HPE OneView 7.2
Adhering to these patching recommendations is crucial for maintaining the security posture of IT infrastructure. Delaying the application of these updates leaves systems exposed to active threats.
Protecting Your Infrastructure
Given the active exploitation of CVE-2024-37164, organizations must prioritize patching their HPE OneView and HPE Synergy deployments immediately. Failing to do so could result in significant security incidents, including unauthorized access, system compromise, and data exfiltration. Regularly monitoring CISA’s KEV Catalog and vendor security advisories remains a critical practice for staying ahead of emerging threats.
The proactive and timely application of security updates is the most effective defense against sophisticated cyber threats. All users of HPE OneView should verify their current versions and implement the recommended patches without delay.