CVE-2022-37938
📋 TL;DR
CVE-2022-37938 is an unauthenticated server-side request forgery (SSRF) vulnerability in HPE Serviceguard Manager that allows attackers to make arbitrary HTTP requests from the vulnerable server. This can lead to internal network reconnaissance, data exfiltration, or chaining with other vulnerabilities. All organizations running affected versions of HPE Serviceguard Manager are vulnerable.
💻 Affected Systems
- HPE Serviceguard Manager
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot to internal systems, access sensitive data, or chain with other vulnerabilities to achieve remote code execution on the Serviceguard Manager server or internal systems.
Likely Case
Attackers would use the vulnerability to scan internal networks, access internal HTTP services, or exfiltrate data from internal systems reachable from the Serviceguard Manager server.
If Mitigated
With proper network segmentation and egress filtering, impact would be limited to internal reconnaissance of segmented network zones.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward via crafted HTTP requests. While no public PoC exists, the vulnerability is easily weaponizable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: HPE Serviceguard Manager 1.5.0 or later
Vendor Advisory: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbmu04452en_us
Restart Required: Yes
Instructions:
1. Download HPE Serviceguard Manager 1.5.0 or later from the HPE support portal.
2. Stop the Serviceguard Manager service.
3. Install the updated version following HPE's installation guide.
4. Restart the Serviceguard Manager service.
🔧 Temporary Workarounds
Network Segmentation and Firewall Rules
Restrict outbound HTTP/HTTPS traffic from the Serviceguard Manager server to only necessary internal systems using firewall rules.
Access Control List
Implement network ACLs to restrict access to the Serviceguard Manager web interface to trusted IP addresses only.
🧯 If You Can't Patch
- Isolate the Serviceguard Manager server in a dedicated network segment with strict egress filtering
- Implement web application firewall (WAF) rules to block SSRF patterns targeting the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check the Serviceguard Manager version via the web interface or by examining the installation directory. Versions prior to 1.5.0 are vulnerable.
Check Version:
Check the web interface or consult HPE documentation for version verification commands specific to your installation.
Verify Fix Applied:
Verify the installed version is 1.5.0 or later and test that SSRF attempts are blocked or properly handled.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from the Serviceguard Manager server
- HTTP requests to internal systems from the Serviceguard Manager IP
Network Indicators:
- HTTP traffic from Serviceguard Manager to unexpected internal destinations
- Patterns of SSRF exploitation in web server logs
SIEM Query:
source_ip="Serviceguard_Manager_IP" AND (dest_port=80 OR dest_port=443) AND dest_ip NOT IN [allowed_internal_ips]
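The SIEM query above, applied to flow records in Python as an added example (not part of the original page or any HPE tooling). The server address, the allowlist, the CSV field layout and the sample records are all constructed assumptions; the allowlist accepts CIDR ranges as well as single hosts.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumed values: replace with the real server address and approved destinations.
SGM_IP = ipaddress.ip_address("10.0.5.20")
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.5.0/28", "10.0.9.14/32")]
WEB_PORTS = {80, 443}

# Constructed sample flow records: timestamp,src_ip,dest_ip,dest_port
SAMPLE_FLOWS = """\
2024-01-10T02:11:03Z,10.0.5.20,10.0.5.4,443
2024-01-10T02:11:09Z,10.0.5.20,10.0.7.31,80
2024-01-10T02:11:10Z,10.0.5.20,10.0.7.32,80
2024-01-10T02:11:10Z,10.0.5.20,10.0.7.32,22
2024-01-10T02:11:12Z,10.0.8.77,10.0.7.33,80
2024-01-10T02:11:15Z,10.0.5.20,10.0.9.14,443
2024-01-10T02:11:18Z,10.0.5.20,not-an-ip,80
"""

def is_allowed(dest):
    """True if the destination falls inside any approved network."""
    return any(dest in net for net in ALLOWED_NETS)

def find_suspicious(flow_text):
    """Return (timestamp, dest_ip, port) for flows matching the SIEM query."""
    hits = []
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 4:
            continue  # skip records with the wrong number of fields
        ts, src, dest, port = row
        try:
            src_ip, dest_ip = ipaddress.ip_address(src), ipaddress.ip_address(dest)
            port = int(port)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if src_ip == SGM_IP and port in WEB_PORTS and not is_allowed(dest_ip):
            hits.append((ts, str(dest_ip), port))
    return hits

def distinct_destinations(hits):
    """Count hits per destination; many distinct hosts suggests internal scanning."""
    return Counter(dest for _, dest, _ in hits)

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_FLOWS):
        print("ALERT", *hit)
```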