Vulnerability Details : CVE-2020-7131
This document describes a security vulnerability in Blade Maintenance Entity, Integrated Maintenance Entity and Maintenance Entity products. All J/H-series NonStop systems have a security vulnerability associated with an open UDP port 17185 on the Maintenance LAN which could result in information disclosure, denial-of-service attacks or local memory corruption against the affected system and a complete control of the system may also be possible. This vulnerability exists only if one gains access to the Maintenance LAN to which Blade Maintenance Entity, Integrated Maintenance Entity or Maintenance Entity product is connected. **Workaround:** Block the UDP port 17185(In the Maintenance LAN Network Switch/Firewall). Fix: Install following SPRs, which are already available: * T1805A01^AAI (Integrated Maintenance Entity) * T4805A01^AAZ (Blade Maintenance Entity). These SPRs are also usable with the following RVUs: * J06.19.00 ? J06.23.01. No fix planned for the following RVUs: J06.04.00 ? J06.18.01. No fix planned for H-Series NonStop systems. No fix planned for the product T2805 (Maintenance Entity).
Vulnerability category: Memory CorruptionDenial of serviceInformation leak
Exploit prediction scoring system (EPSS) score for CVE-2020-7131
Probability of exploitation activity in the next 30 days: 0.06%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 25 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-7131
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST |
|
9.0
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H |
2.3
|
6.0
|
NIST |
CWE ids for CVE-2020-7131
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-7131
-
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03996en_us
HPESBNS03996 rev.1 - HPE NonStop Blade Maintenance Entity, Integrated Maintenance Entity and Maintenance Entity, Multiple Remote VulnerabilitiesMitigation;Vendor Advisory
Products affected by CVE-2020-7131
- HP » Blade Maintenance EntityVersions from including (>=) t4805a01 and up to, including, (<=) t4805a01\^aaycpe:2.3:a:hp:blade_maintenance_entity:*:*:*:*:*:*:*:*
- HP » Integrated Maintenance EntityVersions from including (>=) t2805a01 and up to, including, (<=) t2805a01\^aaucpe:2.3:a:hp:integrated_maintenance_entity:*:*:*:*:*:*:*:*
- HP » Maintenance EntityVersions from including (>=) t1805a01 and up to, including, (<=) t1805a01\^aahcpe:2.3:a:hp:maintenance_entity:*:*:*:*:*:*:*:*