----- Issue Summary ----- In default installations of HP SiteScope 11.32, access to Java Management Extensions (JMX) is allowed to unauthenticated users over port 28006. This configuration allows for remote code execution exploits. ----- Additional Details ----- HP SiteScope's help pages discuss enabling authentication for JMX as an optional step during setup, but only vaguely touch on the potential consequences of choosing not to do this step. The product is not secure-by-default, but rather requires that administrators be knowledgeable enough to understand the ramifications of allowing unauthenticated access to JMX, and for administrators to take the steps provided by HP to change that insecure configuration. At the same time, an attacker reading SiteScope's manual will realize that SiteScope can be a potent target, with credentials and other details on critical hosts in the enterprise. ----- Basic Exploitation ----- The Metasploit module exploit/multi/misc/java_jmx_server can be used to gain remote code execution. ----- Other Attacks ----- As the code execution is occuring within the SiteScope process, we can abuse this position to query SiteScope's configuration and steal credentials SiteScope would use to authenticate to other hosts. An example of such an attack can be found at: https://github.com/hantwister/SCAT ----- Mitigation Suggestions For Users ----- Follow the instructions in SiteScope help pages to configure authentication for JMX. ----- Mitigation Suggestions For HP ----- Configure a Java security policy that disallows unexpected MBeans from being instantiated. Require authentication for JMX by default, with a password randomly generated during installation, or disallow any remote JMX access until a password is configured.