RESOLUTION
The vulnerability can be resolved by enabling the Secure Channel feature. This resolution requires installation of LoadRunner v9.50 or later.
Note: Starting with version 9.50 LoadRunner has provided a documented feature called Secure Channel. Secure Channel prevents non-trusted sources from transmitting code to the Load Generators by establishing an encrypted and secured communication channel. Secure Channel is disabled by default.
There are detailed instructions regarding Secure Channel in the HP LoadRunner Controller User's Guide. See the chapter 'Secure Host Communication'. The chapter sections 'Local Security Configuration' and 'Remote Security Configuration' have instructions to enforce secure communication using the Secure Channel feature. Using Secure Channel involves both enabling the Secure Channel feature and setting the security key.
PRODUCT SPECIFIC INFORMATION
None
Use of the Virtual PC memory protection bug to bypass anti-exploitation
mechanisms of the Guest OS is just one security-relevant use case.
Leveraging read access to leaked memory to obtain confidential or
otherwise sensitive information and/or use of write access to leaked
memory pages to establish a communication channel with another Guest OS
are other potential attacks that were not investigated.
9. *Report Timeline*
RESOLUTION
The vulnerability can be resolved by enabling the Secure Channel feature. This resolution requires installation of HP Performance Center v9.50 or later.
Note: Starting with version 9.50 HP Performance Center has provided a documented feature called Secure Communication. Secure Communication prevents non-trusted sources from transmitting code to the Load Generators by establishing an encrypted and secured communication channel. Secure Communication is disabled by default.
There are detailed instructions regarding Secure Communication in the HP Performance Center System Configuration and Installation Guide. See the 'Configuration' chapter, 'Recommended Configuration' section. The chapter section 'Configuring Host Security Settings' has instructions to enforce Secure Communication. Using Secure Communication involves both enabling 'enforce secure communication' and setting the security key.
PRODUCT SPECIFIC INFORMATION
None
August 17, 2009: Nguyen Minh Duc asked Blue Moon Consulting to provide more technical information about the vulnerability based on VNCERT's request.
August 19, 2009: Blue Moon Consulting replied with clear reasons why BKAV had voluntarily denied itself such information. Blue Moon Consulting also requested that a written request be made if further assistance was required.
August 24, 2009: Nguyen Minh Duc did not use the official communication channel, and was therefore ignored.
:Public disclosure:
September 01, 2009
Recommendations:
----------------
WhatsApp users are advised to confirm messages with important content
on a different communication channel.
Advisory URL:
-------------
https://www.sec-consult.sg/advisories.html