CVE-2022-28620
📋 TL;DR
This CVE describes a remote authentication bypass vulnerability in HPE Cray supercomputing systems that allows attackers to bypass authentication mechanisms without valid credentials. It affects HPE Cray Legacy Shasta System Solutions, HPE Slingshot, and HPE Cray EX supercomputers with specific firmware versions. Organizations using these HPE supercomputing systems are at risk.
💻 Affected Systems
- HPE Cray Legacy Shasta System Solutions
- HPE Slingshot
- HPE Cray EX Supercomputers
📦 What is this software?
Cray Sh Supercomputer Air Cooled Base System Code Firmware by HPE
Cray Sh Supercomputer Liquid Cooled Base System Code Firmware by HPE
Cray Sh Supercomputer Liquid Cooled Tds Base System Code Firmware by HPE
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of supercomputing infrastructure allowing unauthorized access to sensitive computational resources, potential data exfiltration, and disruption of critical research or operational workloads.
Likely Case
Unauthorized access to system management interfaces leading to privilege escalation, configuration changes, and potential lateral movement within the supercomputing environment.
If Mitigated
Limited impact due to network segmentation, strict access controls, and monitoring that detects authentication anomalies before exploitation occurs.
🎯 Exploit Status
The vulnerability allows remote authentication bypass, suggesting relatively straightforward exploitation once the attack vector is understood. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node controller firmware: 1.6.27/1.5.33/1.4.27 or later; Chassis controller firmware: 1.6.27/1.5.33/1.4.27 or later; Slingshot: 1.7.2 or later
Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us
Restart Required: Yes
Instructions:
1. Download the updated firmware from the HPE support portal.
2. Follow HPE's firmware update procedures for Cray systems.
3. Apply firmware updates to affected node controllers and chassis controllers.
4. Apply the Slingshot update to version 1.7.2 or later.
5. Reboot affected systems as required by the update process.
🔧 Temporary Workarounds
Network Segmentation
Isolate management interfaces from untrusted networks and implement strict network access controls
Access Control Lists
Implement IP-based restrictions to limit access to management interfaces to authorized administrative networks only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Deploy additional authentication layers and monitoring for authentication attempts on affected interfaces
🔍 How to Verify
Check if Vulnerable:
Check firmware versions on HPE Cray EX liquid cooled blades (node controller) and cabinets (chassis controller), and Slingshot software version
Check Version:
Use HPE Cray system management tools to query firmware versions (specific commands vary by system configuration)
Verify Fix Applied:
Verify firmware versions are at or above: Node controller: 1.6.27/1.5.33/1.4.27; Chassis controller: 1.6.27/1.5.33/1.4.27; Slingshot: 1.7.2
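The version check above, as an added example (not HPE tooling and not part of the original page). It assumes each of the three slash-separated builds is the minimum fixed build for its own major.minor release line; the component keys, inventory names and versions are constructed.

```python
# Added example, not HPE tooling. Assumption: each value in "1.6.27/1.5.33/1.4.27" is the
# minimum fixed build of its own major.minor line, so 1.6.10 is not fixed despite > 1.5.33.
FIXED = {
    "node_controller": [(1, 6, 27), (1, 5, 33), (1, 4, 27)],
    "chassis_controller": [(1, 6, 27), (1, 5, 33), (1, 4, 27)],
    "slingshot": [(1, 7, 2)],
}

def parse_version(text):
    """Parse a plain 'a.b.c' string into an int tuple; anything else raises ValueError."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def classify(component, version_text):
    """Return 'fixed', 'below-fix' or 'review' for one component/version pair."""
    fixed = FIXED.get(component)
    if fixed is None:
        return "review"                  # component not covered by the page
    try:
        ver = parse_version(version_text)
    except ValueError:
        return "review"                  # never guess at an unparseable version
    for minimum in fixed:
        if ver[:2] == minimum[:2]:       # same release line: compare within it
            return "fixed" if ver >= minimum else "below-fix"
    if ver > max(fixed):
        return "fixed"                   # newer line than any listed ("or later")
    if ver < min(fixed):
        return "below-fix"               # older than every fixed build listed
    return "review"                      # unlisted line between listed ones

def audit(inventory):
    """Return (name, component, version, status) for every entry that is not 'fixed'."""
    return [(n, c, v, s) for n, c, v in inventory if (s := classify(c, v)) != "fixed"]

# Constructed sample inventory (hypothetical names and versions, not real output).
SAMPLE = [
    ("nc-01", "node_controller", "1.6.27"),
    ("nc-02", "node_controller", "1.6.10"),
    ("nc-03", "node_controller", "1.5.40"),
    ("cc-01", "chassis_controller", "1.4.26"),
    ("fm-01", "slingshot", "1.7.1"),
    ("nc-04", "node_controller", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Entries reported as `review` need a manual check against the vendor advisory rather than an automatic pass or fail.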
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access
- Authentication logs showing access from unexpected sources
- Configuration changes without proper authentication records
Network Indicators:
- Unauthorized access attempts to management interfaces
- Traffic to management ports from unexpected sources
SIEM Query:
Authentication logs where source IP not in allowed administrative range AND result=success