CVE-2020-24624
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform directory traversal attacks via the DownloadServlet class in HPE Pay Per Use Utility Computing Service Meter. Attackers can read arbitrary files on the server, potentially exposing sensitive configuration data, credentials, or system files. Organizations using HPE PPU UCS Meter version 1.9 are affected.
💻 Affected Systems
- HPE Pay Per Use Utility Computing Service Meter
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like /etc/passwd, /etc/shadow, configuration files containing database credentials, or private keys, leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive configuration files, application credentials, or system information that could facilitate further attacks.
If Mitigated
Limited impact if proper network segmentation, file system permissions, and monitoring are in place to detect traversal attempts.
🎯 Exploit Status
Directory traversal vulnerabilities typically have low exploitation complexity, especially when unauthenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in references, consult HPE advisory
Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04037en_us
Restart Required: Yes
Instructions:
1. Review HPE advisory HPEESBN04037.
2. Apply the recommended patch from HPE.
3. Restart the PPU UCS Meter service.
4. Verify the fix by testing directory traversal attempts.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the PPU UCS Meter service to only trusted IP addresses or internal networks.
Web Application Firewall
Deploy a WAF with rules to block directory traversal patterns (e.g., '../', '..\', encoded variants).
🧯 If You Can't Patch
- Isolate the system on a segmented network with strict firewall rules to limit access.
- Implement file system permissions to restrict the web server user from accessing sensitive directories.
🔍 How to Verify
Check if Vulnerable:
Attempt to access files via the DownloadServlet with traversal sequences (e.g., '../../etc/passwd') and check if they are returned.
Check Version:
Check the application version via administrative interface or configuration files specific to HPE PPU UCS Meter.
Verify Fix Applied:
After patching, repeat the traversal attempts; the same requests should now return errors or be blocked rather than file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../', '..\', or encoded traversal sequences to DownloadServlet endpoints
- Unusual file access patterns from web server logs
Network Indicators:
- HTTP traffic with traversal patterns in URLs or parameters
- Unexpected file downloads from the meter service
SIEM Query:
web.url:*../* AND (destination.port:80 OR destination.port:443) AND destination.ip:[METER_IP]
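The log indicators above can be checked offline against web server access logs. The following is an added example, not part of the original advisory or of HPE's software: it parses constructed common-log-format lines (the log format and the /DownloadServlet path are assumptions), percent-decodes each URL repeatedly so single- and double-encoded traversal sequences are exposed, and flags matching requests, marking those that received a 200 response as likely successful reads.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2020:10:00:01 +0000] "GET /DownloadServlet?file=report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [01/Sep/2020:10:00:02 +0000] "GET /DownloadServlet?file=../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Sep/2020:10:00:03 +0000] "GET /DownloadServlet?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 210
10.0.0.9 - - [01/Sep/2020:10:00:04 +0000] "GET /DownloadServlet?file=%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 404 98
10.0.0.7 - - [01/Sep/2020:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1200
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD URL PROTO", status, size
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" once all percent-encoding layers have been removed
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def normalise(url, rounds=3):
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f both become '../'."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def find_traversal_attempts(log_text, servlet="/DownloadServlet"):
    """Return one record per request to the servlet whose decoded URL contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or servlet not in m.group("url"):
            continue
        decoded = normalise(m.group("url"))
        if TRAVERSAL_RE.search(decoded):
            status = int(m.group("status"))
            hits.append({
                "src": m.group("src"),
                "url": m.group("url"),
                "decoded": decoded,
                "status": status,
                "likely_success": status == 200,  # a 200 to a traversal request warrants escalation
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit["src"], hit["status"], hit["decoded"], "LIKELY SUCCESS" if hit["likely_success"] else "")
```

Blocked or 404 responses still indicate probing from that source and belong in the same alert, since the same client typically retries with different encodings.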