
CERT Coordination Center

HP Data Protector does not perform authentication and contains an embedded SSL private key

Vulnerability Note VU#267328

Original Release Date: 2016-04-22 | Last Revised: 2016-04-22


Overview

HP Data Protector does not perform user authentication, even when Encrypted Control Communications is enabled, and contains an embedded SSL private key that appears to be shared among all installations.


Description

CWE-306: Missing Authentication for Critical Function - CVE-2016-2004

Data Protector does not authenticate users, even with Encrypted Control Communications enabled: the feature encrypts the control channel but does not establish who is on the other end of it. An unauthenticated remote attacker may be able to execute code on the server hosting Data Protector.

CWE-321: Use of Hard-coded Cryptographic Key

Data Protector contains an embedded SSL private key. This private key appears to be shared among all installations of Data Protector. Because the same key is present in every installation, anyone who extracts it from one copy of the product can present it to impersonate any other installation, so the encryption provided by Encrypted Control Communications gives no assurance of the peer's identity.

Data Protector versions 7, 8, and 9 are affected; other versions may also be impacted.
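One way to check your own installations for the shared key is to compare the certificate each host presents, since a certificate fingerprint that recurs on independently installed hosts points to the embedded key and certificate. The script below is an added example, not code from the advisory or from HPE. It assumes `openssl` is available, that the Data Protector service listens on TCP 5555 (the omniinet default; adjust `DP_PORT` if your cell uses another port) and that the port answers a plain TLS handshake; if Encrypted Control Communications negotiates TLS inside the Data Protector protocol instead, export the certificate file from each installation and feed it to `file_fp`. Hostnames and fingerprints in the comments are constructed.

```shell
#!/bin/sh
# Added example: report certificates that more than one Data Protector host
# presents. Assumed default port; override with DP_PORT=... in the environment.
DP_PORT="${DP_PORT:-5555}"

# Print "host sha256-fingerprint" for one host, assuming the port speaks TLS
# directly. Prints nothing (and succeeds) if no certificate can be obtained.
host_fp() {
    host="$1"
    fp=$(openssl s_client -connect "$host:$DP_PORT" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*Fingerprint=//') || fp=""
    if [ -n "$fp" ]; then
        printf '%s %s\n' "$host" "$fp"
    fi
    return 0
}

# Same output for a PEM certificate file exported from an installation; the
# first argument is used as the label, the second is the file.
file_fp() {
    label="$1"
    file="$2"
    fp=$(openssl x509 -in "$file" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*Fingerprint=//') || fp=""
    if [ -n "$fp" ]; then
        printf '%s %s\n' "$label" "$fp"
    fi
    return 0
}

# Read "host fingerprint" lines on stdin and print every fingerprint seen on
# more than one host, e.g.  SHARED AB:CD:...: hostA hostB
# Sorting by fingerprint first keeps the host order deterministic.
report_shared() {
    sort -k2,2 | awk '
        { hosts[$2] = hosts[$2] " " $1; n[$2]++ }
        END { for (f in n) if (n[f] > 1) printf "SHARED %s:%s\n", f, hosts[f] }'
}

# Scan the hosts given as arguments and report shared certificates.
scan_hosts() {
    for h in "$@"; do
        host_fp "$h"
    done | report_shared
}

# Usage (live): scan_hosts cellmanager.example.net client1.example.net client2.example.net
```

Two caveats: a matching fingerprint on hosts that were cloned from one disk image is a deployment artifact rather than proof of the embedded key, so confirm on hosts installed separately; and distinct certificates do not prove distinct keys, since the same private key can sit behind different certificates. For that stronger check compare the public key instead (`openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum`).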


Impact

An unauthenticated remote attacker may be able to execute code on the server, or perform man-in-the-middle attacks against the server.


Solution

Apply an update

HP has released updates to Data Protector versions 7, 8, and 9 to address these issues.

Affected users may consider the following workaround:

Restrict Network Access

As a general good security practice, only allow connections to the Data Protector services from trusted hosts and networks, that is, the Cell Manager and the clients it manages. This limits who can reach the unauthenticated service but does not fix it, so it is a stopgap until the update is applied. Consult your firewall product's manual for more information.
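The following is an added example of that workaround on a Linux host, not a configuration from the advisory or from HPE. It assumes the Data Protector service listens on TCP 5555 (the omniinet default; override `DP_PORT` otherwise) and that `iptables` is the host firewall. The weak state is the default, where any host can connect to the port; the function replaces it with a dedicated chain that accepts only the listed sources and drops everything else. Setting `DRY_RUN=1` prints the commands instead of running them, which is also how the example can be inspected without root.

```shell
#!/bin/sh
# Added example: restrict the Data Protector port to trusted hosts/networks.
DP_PORT="${DP_PORT:-5555}"   # assumed default omniinet port

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dp_restrict TRUSTED_HOST_OR_CIDR ...
# Builds chain DP_CTRL: ACCEPT from each trusted source, DROP for the rest,
# and sends all inbound traffic for DP_PORT through it. Safe to rerun: the
# chain is flushed and the old INPUT jump removed before being re-added.
dp_restrict() {
    if [ $# -eq 0 ]; then
        echo "usage: dp_restrict TRUSTED_HOST_OR_CIDR ..." >&2
        return 2
    fi
    run iptables -N DP_CTRL 2>/dev/null || true   # chain may already exist
    run iptables -F DP_CTRL
    for src in "$@"; do
        run iptables -A DP_CTRL -s "$src" -j ACCEPT
    done
    run iptables -A DP_CTRL -j DROP
    run iptables -D INPUT -p tcp --dport "$DP_PORT" -j DP_CTRL 2>/dev/null || true
    run iptables -I INPUT -p tcp --dport "$DP_PORT" -j DP_CTRL
}

# Usage: DRY_RUN=1 dp_restrict 10.0.0.5 10.0.1.0/24   (constructed addresses)
```

On a Windows Cell Manager the same effect comes from an inbound Windows Firewall rule scoped to the trusted remote addresses, for example `netsh advfirewall firewall add rule name="DataProtector" dir=in action=allow protocol=TCP localport=5555 remoteip=10.0.0.5,10.0.1.0/24`, with the default inbound policy left at block. Either way, remember that a trusted host that is itself compromised can still reach the unauthenticated service.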

Vendor Information


Hewlett Packard Enterprise: Affected

Notified: November 11, 2015 | Updated: April 22, 2016

Statement Date: April 19, 2016



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics (CVSS v2)

Group          Score  Vector
Base           9.3    AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       8.4    E:POC/RL:U/RC:C
Environmental  6.3    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Acknowledgements

Thanks to Ian Lovering for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-2004
Date Public: 2016-04-18
Date First Published: 2016-04-22
Date Last Updated: 2016-04-22 16:56 UTC
Document Revision: 38

Sponsored by CISA.