CVE-2023-28085 - HPE OneView Global Dashboard Appliance Dump May Expose User Credentials

In March 2023, Hewlett Packard Enterprise (HPE) published an advisory about a serious security issue: a vulnerability identified as CVE-2023-28085 in the HPE OneView Global Dashboard (OVGD) appliance. This flaw potentially allows attackers to retrieve user account credentials from appliance dump files. Here’s a detailed but easy-to-understand walkthrough of what CVE-2023-28085 is, how it works, and what you should do if you run HPE’s OVGD in your data center.

What is HPE OneView Global Dashboard (OVGD)?

HPE OneView Global Dashboard is a management tool that gives IT teams a single view and control of their HPE infrastructure resources. It’s often used in enterprise environments to simplify and centralize system admin tasks across multiple HPE OneView appliances.

The Vulnerability: CVE-2023-28085

CVE-2023-28085 describes a weakness where sensitive account credentials are stored insecurely in the OVGD appliance. Specifically, dumping the OVGD appliance’s system files (like during troubleshooting or system backup) can inadvertently expose usernames and password hashes—potentially allowing attackers to crack accounts and break into dashboards.

With this information, credentials could be brute-forced or reused in attacks against the dashboard.

HPE’s advisory is here:  
HPE Security Bulletin - CVE-2023-28085

A Closer Look: Exploiting the Vulnerability

> Note: This blog post is for education and awareness. Don’t attack systems you don’t own!

The problem centers on how OVGD stores and exports sensitive data when you create appliance dumps (either by accident, for backup, or sent to a support person for troubleshooting). These dumps may contain OVGD’s internal configuration files holding user credentials as hashes, or sometimes even in cleartext.

Gain access to the OVGD appliance dump.

- Might be as simple as asking an untrained admin to “send the system logs/dump.”

Step 2: Extract the Dump

After downloading the dump file, it is often a compressed archive (.tar.gz, .zip, etc.)

tar -xzvf ovgd-appliance-dump.tar.gz
cd ovgd-dump/

Step 3: Searching for Credentials

Credentials may be stored in SQLite databases, JSON, or plaintext config files.

Let’s look at a possible example

grep -rn "user" .
# Or scan for cleartext passwords or hashes:
grep -i -r -E 'password|pwd|passwd|hash' .

You might find entries like this in a config or db file

{
  "user": "admin",
  "passwordHash": "5f4dcc3b5aa765d61d8327deb882cf99"
}

Or, in some cases, even

{
  "user": "support",
  "password": "SuperSecretPassword123"
}

> *The string 5f4dcc3b5aa765d61d8327deb882cf99 is an MD5 hash for “password”.*

Step 4: Cracking Password Hashes

If you only get password hashes, use tools like Hashcat or John the Ripper to brute-force or dictionary-attack the hashes.

Example usage

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 extracted_hashes.txt

Real-World Risk

If an attacker ever gets access to system dumps from OVGD—perhaps via a phishing attack or exploited backup permissions—they can:

Escalate privileges, sabotage infrastructure, or steal more data.

This is a critical exposure, especially since security controls are often weakest around backup and log data.

HPE addressed the issue in OVGD version 2.60.01 and later. The release

- Removes cleartext passwords and weak hashes from diagnostic/system dumps.

Stronger encryption and access controls on credential storage in the appliance.

Patch now!  
Download and update instructions from HPE

Never send dump files over email or untrusted channels.

5. Audit your users and rotate any old/refreshed credentials after a breach or suspicious activity.
6. Review your backup/cloud storage permissions—don’t let everyone download everything!

References

- HPE Security Advisory for CVE-2023-28085
- NIST NVD entry for CVE-2023-28085
- Hashcat password cracker
- John the Ripper password cracker

Final Thoughts

CVE-2023-28085 is a reminder that what you put into your backups, logs, or dumps can be as sensitive as your production environment itself. Always secure, encrypt, and restrict access to such files—especially in enterprise appliances.

If you run HPE OneView Global Dashboard, patch immediately and review your operational procedures for backup and support dump files. In the wrong hands, a simple file could lead to a catastrophic breach.

Stay safe, secure your infrastructure, and keep learning!

> *If you found this post helpful, share it with colleagues who manage HPE systems so they can stay safe too!*

Timeline

Published on: 04/14/2023 15:15:00 UTC
Last modified on: 04/21/2023 03:44:00 UTC