Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2022-26006 |
CWE-ID | CWE-20 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software |
StoreVirtual 3000 Storage: Hardware solutions / Firmware
HPE 3PAR StoreServ File Controller v3 System: Hardware solutions / Firmware
HPE StoreEasy 1650 Expanded Storage: Hardware solutions / Firmware
HPE StoreEasy 3850 Gateway Storage: Hardware solutions / Firmware
HPE StoreEasy 1850 Storage: Hardware solutions / Firmware
HPE StoreEasy 1650 Storage: Hardware solutions / Firmware
HPE StoreEasy 1550 Storage: Hardware solutions / Firmware
HPE StoreEasy 1450 Storage: Hardware solutions / Firmware
HPE StoreVirtual 3000 File Controller: Hardware solutions / Firmware |
Vendor | HPE |
Security Bulletin
This security bulletin contains one low-risk vulnerability.
EUVDB-ID: #VU69115
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-26006
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A local user can run a specially crafted program to escalate privileges on the system.
Install update from vendor's website.
Vulnerable software versions
StoreVirtual 3000 Storage: before 3.04_08_04_2022
HPE 3PAR StoreServ File Controller v3 System: before 3.04_08_04_2022
HPE StoreEasy 1650 Expanded Storage: before 3.04_08_04_2022
HPE StoreEasy 3850 Gateway Storage: before 3.04_08_04_2022
HPE StoreEasy 1850 Storage: before 3.04_08_04_2022
HPE StoreEasy 1650 Storage: before 3.04_08_04_2022
HPE StoreEasy 1550 Storage: before 3.04_08_04_2022
HPE StoreEasy 1450 Storage: before 3.04_08_04_2022
HPE StoreVirtual 3000 File Controller: before 3.04_08_04_2022
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04375en_us
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.