Support Center
English
0 result(s) found
No result found
HPSBMA02326 SSRT071490 rev.1 - HP Instant Support HPISDataManager.dll Running on Windows, Remote Execution of Arbitrary Code

HPSBMA02326 SSRT071490 rev.1 - HP Instant Support HPISDataManager.dll Running on Windows, Remote Execution of Arbitrary Code

Document Subtype: Security Bulletin|Document ID: c01422264|Last Updated: 2008-06-03|Release Date: 2008-04-02|Document Version: 1

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Potential security vulnerabilities have been identified with ActiveX controls in HP Instant Support HPISDataManager.dll running on Microsoft Windows. The vulnerabilities could be remotely exploited to allow remote execution of arbitrary code.

References: CVE-2007-5604 (CERT VU#754403), CVE-2007-5605 (CERT VU#558163), CVE-2007-5606 (CERT VU#221123), CVE-2007-5607 (CERT VU#526131), CVE-2007-5608 (CERT VU#949587), CVE-2007-5610 (CERT VU#857539), CVE-2008-0952 (CERT VU#190939), CVE-2008-0953 (CERT VU#998779)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Instant Support HPISDataManager.dll v1.0.0.22 and earlier.

BACKGROUND

CVSS 2.0 Base Metrics
Reference
Base Vector
Base score
CVE-2007-5604
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
9.3
CVE-2007-5605
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
9.3
CVE-2007-5606
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
9.3
CVE-2007-5607
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
9.3
CVE-2007-5608
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
4.3
CVE-2007-5610
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
4.3
CVE-2008-0952
(AV:N/AC:L/Au:N/C:N/I:C/A:N)
7.8
CVE-2008-0953
(AV:N/AC:M/Au:N/C:C/I:C/A:P)
9
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

The Hewlett-Packard Company thanks Dennis Rand of CSIS Security Research and Intelligence for reporting this vulnerability to security-alert@hp.com.

RESOLUTION

Note: The vulnerabilities exist whether HP Instant Support is in use or not. The vulnerabilities must be addressed by one of the methods described below.

HP has provided the following software update to HP Instant Support resolve these vulnerabilities:

HP Instant Support - v1.0.0.24 or later

To install HP Instant Support - v1.0.0.24 or later, choose to “launch an online diagnostic session” from the Instant Support Professional edition web site: http://www.hp.com/go/ispe  Non-HPE site

The vulnerabilities can also be resolved by the following procedure:

Set the kill bit for the vulnerable ActiveX control's Class identifier (CLSID) {14C1B87C-3342-445F-9B5E-365FF330A3AC} . The kill bit is set by modifying the data value of the Compatibility Flags DWORD value for the CLSID of this ActiveX control to 0x00000400. This is explained in Microsoft's article KB240797 or subsequent. http://support.microsoft.com/kb/240797  Non-HPE site

PRODUCT SPECIFIC INFORMATION
None

History:
Version: 1 (rev.1) - 3 June 2008 Initial release

©Copyright 2025 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
Recently Viewed
  • Instructions for installing Microsoft Windows Small Business Server 2003 R2 on HP ProLiant servers
  • HP Instant Support Enterprise Edition Client Installation and Upgrade Guide
  • CUSTOMER ADVISORY: (REVISED) HP Insight Remote Support Advanced 5.x - End of Support Life
  • Smart Array RAID Controllers Support Matrix April 3, 2013
  • Implementing Microsoft® Windows® Server 2008 R2 on HP servers, integration note
    • View more
    View less
    On This Page
    • HPSBMA02326 SSRT071490 rev.1 - HP Instant Support HPISDataManager.dll Running on Windows, Remote Execution of Arbitrary Code
      • VULNERABILITY SUMMARY
      • SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
      • BACKGROUND
      • RESOLUTION
    Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.
    Hewlett Packard Enterprise believes in being unconditionally inclusive. Efforts to replace noninclusive terms in our active products are ongoing.
    This page has an error. You might just need to refresh it. [NoErrorObjectAvailable] lightningout:client-error:script-setup:https://support.hpe.com/connect/l/%7B%22mode%22%3A%22PROD%22%2C%22dfs%22%3A%228%22%2C%22app%22%3A%22c%3AdceLightningOutApp%22%2C%22loaded%22%3A%7B%22APPLICATION%40markup%3A%2F%2Fc%3AdceLightningOutApp%22%3A%22735_l5zZavnUSgq9PpC7BsVM2Q%22%7D%2C%22styleContext%22%3A%7B%22c%22%3A%22other%22%2C%22x%22%3A%5B%223%22%2C%22SLDS%22%2C%22isDesktop%22%5D%2C%22tokens%22%3A%5B%22markup%3A%2F%2Fforce%3AsldsTokens%22%2C%22markup%3A%2F%2Fforce%3Abase%22%2C%22markup%3A%2F%2Fforce%3AformFactorLarge%22%5D%2C%22tuid%22%3A%22KBpz0MjwkpOWRH7ZNXsSqA%22%2C%22cuid%22%3A-477949688%7D%2C%22pathPrefix%22%3A%22%2Fconnect%22%7D/app.css?3=