CVE-2019-12002

9.8 CRITICAL

📋 TL;DR

This CVE describes a remote session reuse vulnerability in multiple HPE MSA SAN Storage models that allows attackers to bypass access restrictions. Attackers can reuse valid sessions to gain unauthorized access to storage systems. Affected organizations are those running vulnerable versions of HPE MSA 1040, 1050, 2040, 2042, 2050, and 2052 SAN Storage systems.

💻 Affected Systems

Products:
  • HPE MSA 2040 SAN Storage
  • HPE MSA 1040 SAN Storage
  • HPE MSA 1050 SAN Storage
  • HPE MSA 2042 SAN Storage
  • HPE MSA 2050 SAN Storage
  • HPE MSA 2052 SAN Storage
Versions: GL225P001 and earlier, VE270R001-01 and earlier, VL270R001-01 and earlier
Operating Systems: SAN Storage Firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected versions are vulnerable in default configurations. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of SAN storage systems leading to data theft, destruction, or ransomware deployment across connected infrastructure.

🟠 Likely Case: Unauthorized access to storage management interfaces allowing configuration changes, data access, or denial of service.

🟢 If Mitigated: Limited impact if systems are isolated, patched, and monitored with proper access controls.

🌐 Internet-Facing: HIGH - Storage systems exposed to internet are directly vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an initial session to be established, after which the session can be reused for unauthorized access. Attack complexity is low once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after GL225P001, VE270R001-01, and VL270R001-01

Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03940en_us

Restart Required: Yes

Instructions:

1. Download latest firmware from HPE Support Portal.
2. Backup current configuration.
3. Apply firmware update following HPE MSA firmware update procedures.
4. Reboot storage system.
5. Verify firmware version after update.

🔧 Temporary Workarounds

  • Network Segmentation (applies to: all): Isolate SAN storage management interfaces from untrusted networks
  • Session Timeout Reduction (applies to: all): Configure shorter session timeout values if supported by firmware

🧯 If You Can't Patch

  • Implement strict network access controls to limit SAN management interface access to authorized IPs only
  • Monitor for unusual authentication patterns and session reuse attempts in logs

🔍 How to Verify

Check if Vulnerable:

Check firmware version via SAN management interface or CLI. Compare against affected versions: GL225P001 and earlier, VE270R001-01 and earlier, VL270R001-01 and earlier.

Check Version:

Check via SAN management web interface or use 'show version' command in SAN CLI

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable versions listed in advisory.

📡 Detection & Monitoring

Log Indicators:

  • Multiple sessions from same source with different credentials
  • Session reuse patterns
  • Unauthorized access attempts to storage management

Network Indicators:

  • Unusual traffic patterns to SAN management ports
  • Multiple authentication attempts from same source

SIEM Query:

source="san_logs" AND (event_type="session_reuse" OR auth_failure_count>5)
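
The first two log indicators above, written as detection logic. This is an added example, not code from HPE or the advisory; the key=value log format, field names and sample lines are constructed for illustration, so the regular expression must be adapted to whatever the array's management log export actually contains.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value format; a real MSA
# log export will differ and LINE_RE must be adapted to it.
SAMPLE_LOG = """\
2019-07-01T10:00:01Z src=10.0.5.20 user=manage session=a1f3 event=login
2019-07-01T10:02:10Z src=10.0.5.20 user=manage session=a1f3 event=show_volumes
2019-07-01T10:05:44Z src=10.0.9.77 user=manage session=a1f3 event=set_config
2019-07-01T10:06:00Z src=10.0.5.31 user=monitor session=b7c2 event=login
2019-07-01T10:07:30Z src=10.0.5.31 user=manage session=c9d4 event=login
2019-07-01T10:08:00Z src=10.0.5.40 user=monitor session=d2e5 event=login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"session=(?P<sid>\S+) event=(?P<event>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_indicators(log_text):
    """Return (reused_sessions, multi_credential_sources).

    reused_sessions: session id -> source IPs, where one session id was
    presented from more than one source (session reuse pattern).
    multi_credential_sources: source IP -> usernames, where one source
    authenticated with more than one account.
    """
    srcs_by_sid = defaultdict(set)
    users_by_src = defaultdict(set)
    for rec in parse(log_text):
        srcs_by_sid[rec["sid"]].add(rec["src"])
        users_by_src[rec["src"]].add(rec["user"])
    reused = {sid: sorted(s) for sid, s in srcs_by_sid.items() if len(s) > 1}
    multi = {src: sorted(u) for src, u in users_by_src.items() if len(u) > 1}
    return reused, multi

if __name__ == "__main__":
    reused, multi = find_indicators(SAMPLE_LOG)
    for sid, srcs in reused.items():
        print(f"session {sid} used from multiple sources: {', '.join(srcs)}")
    for src, users in multi.items():
        print(f"source {src} used multiple accounts: {', '.join(users)}")
```

Management hosts behind NAT or a shared jump box will legitimately trigger the second indicator, so allow-list those sources before alerting on it.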
