Multiple vulnerabilities in Certain HPE NonStop Products Using Certain Intel Processor BIOS



| Updated: 2023-05-01
Risk Low
Patch available YES
Number of vulnerabilities 11
CVE-ID CVE-2021-0154
CVE-2021-0153
CVE-2021-33123
CVE-2021-0190
CVE-2021-33122
CVE-2021-0189
CVE-2021-33124
CVE-2021-33103
CVE-2021-0159
CVE-2021-0188
CVE-2021-0155
CWE-ID CWE-20
CWE-787
CWE-284
CWE-248
CWE-691
CWE-823
CWE-441
CWE-466
CWE-252
Exploitation vector Local
Public exploit N/A
Vulnerable software
 HPE NonStop Virtual Tape Repository (VTR)
Hardware solutions / Other hardware appliances

HPE NonStop Virtual Tape Controller (VTC) Gen9
Hardware solutions / Other hardware appliances

HPE NonStop System Console (NSC) Gen9
Hardware solutions / Other hardware appliances

HPE NonStop Storage CLIM Gen9
Hardware solutions / Other hardware appliances

HPE NonStop Network CLIM Gen9
Hardware solutions / Other hardware appliances

HPE NonStop Virtual Tape Controller (VTC) Gen10
Hardware solutions / Other hardware appliances

HPE NonStop System Console (NSC) Gen10
Hardware solutions / Other hardware appliances

HPE NonStop Storage CLIM Gen10
Hardware solutions / Other hardware appliances

HPE NonStop Network CLIM Gen10
Hardware solutions / Other hardware appliances

HPE NonStop NS2 X2
Hardware solutions / Other hardware appliances

HPE NonStop NS2 X3
Hardware solutions / Other hardware appliances

HPE NonStop NS3 X2 CPU
Hardware solutions / Other hardware appliances

HPE NonStop NS7 X2 CPU
Hardware solutions / Other hardware appliances

HPE NonStop NS3 X3 CPU
Hardware solutions / Other hardware appliances

HPE NonStop NS7 X3 CPU
Hardware solutions / Other hardware appliances

HPE NonStop NS4 X4 CPU
Hardware solutions / Other hardware appliances

HPE NonStop NS8 X4 CPU
Hardware solutions / Other hardware appliances

Vendor HPE

Security Bulletin

This security bulletin contains information about 11 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU63081

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-0154

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A local user can escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds write

EUVDB-ID: #VU63082

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-0153

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the BIOS firmware. A local user can  run a specially crafted program to trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper access control

EUVDB-ID: #VU63083

Risk: Low

CVSSv4.0: 5.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-33123

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system

The vulnerability exists due to improper access restrictions in the BIOS authenticated code module. A local user can obtain elevated privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Uncaught Exception

EUVDB-ID: #VU63099

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-0190

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to uncaught exception in the BIOS firmware. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Insufficient Control Flow Management

EUVDB-ID: #VU63175

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-33122

CWE-ID: CWE-691 - Insufficient Control Flow Management

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient control flow management in the BIOS firmware. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Use of Out-of-range Pointer Offset

EUVDB-ID: #VU63176

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-0189

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to use of out-of-range pointer offset in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds write

EUVDB-ID: #VU63177

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-33124

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the BIOS authenticated code module. A local user can run a specially crafted program to trigger an out-of-bounds write error and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Unintended proxy or intermediary

EUVDB-ID: #VU63178

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-33103

CWE-ID: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to presence of an unintended proxy in the BIOS authenticated code module. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Input validation error

EUVDB-ID: #VU63179

Risk: Low

CVSSv4.0: 3.8 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-0159

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS authenticated code module. A local user can pass specially crafted data to the affected module and execute arbitrary code on the system with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Return of pointer value outside of expected range

EUVDB-ID: #VU63180

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-0188

CWE-ID: CWE-466 - Return of pointer value outside of expected range

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a boundary error in the BIOS firmware. A local user can force the firmware to return pointer value outside of expected range and gain access to potentially sensitive information.


Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Unchecked Return Value

EUVDB-ID: #VU63181

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-0155

CWE-ID: CWE-252 - Unchecked Return Value

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to unchecked return value in the BIOS firmware. A local user can gain access to potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

HPE NonStop Virtual Tape Repository (VTR): before 2.66_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen9: before 2.96_05-17-2022

HPE NonStop System Console (NSC) Gen9: before 2.96_05-17-2022

HPE NonStop Storage CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Network CLIM Gen9: before 2.96_05-17-2022

HPE NonStop Virtual Tape Controller (VTC) Gen10: before 2.66_05-17-2022

HPE NonStop System Console (NSC) Gen10: before 2.66_05-17-2022

HPE NonStop Storage CLIM Gen10: before 2.66_05-17-2022

HPE NonStop Network CLIM Gen10: before 2.66_05-17-2022

HPE NonStop NS2 X2: before 2.96_05-17-2022

HPE NonStop NS2 X3: before 2.66_05-17-2022

HPE NonStop NS3 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS7 X2 CPU: before 2.96_05-17-2022

HPE NonStop NS3 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS7 X3 CPU: before 2.66_06-01-2022

HPE NonStop NS4 X4 CPU: before 2.66_05-17-2022

HPE NonStop NS8 X4 CPU: before 2.66_05-17-2022

CPE2.3 External links

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbns04337en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###