HP Data Protector does not perform user authentication, even when Encrypted Control Communications is enabled, and contains an embedded SSL private key that is shared among all installations.
CWE-306: Missing Authentication for Critical Function - CVE-2016-2004
Data Protector does not authenticate users, even with Encrypted Control Communications enabled. An unauthenticated remote attacker may be able to execute code on the server hosting Data Protector.
An unauthenticated remote attacker may be able to execute code on the server or, because the embedded SSL private key is shared among all installations, perform man-in-the-middle attacks against the server.
Apply an update
Restrict Network Access
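As an added example for the "Restrict Network Access" mitigation (this is not code from the CERT note or from HP), the following Python script renders a source allowlist as iptables rules and then checks connection records against that same allowlist to flag hosts reaching the Data Protector service from outside it. It assumes the Data Protector inet service listens on TCP 5555 (the note does not state a port) and uses a hypothetical management subnet of 10.10.50.0/24; the connection records are constructed sample data.

```python
import ipaddress

# Assumption: Data Protector's inet service listens on TCP 5555. The port is
# not given in the advisory; adjust to match your deployment.
DATA_PROTECTOR_PORT = 5555

# Assumption (hypothetical): only the backup-administration subnet may reach
# the service. Everything else is dropped.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed sample connection records: "src_ip dst_ip dst_port proto".
SAMPLE_CONNECTIONS = """\
10.10.50.12 10.10.1.5 5555 tcp
192.0.2.77 10.10.1.5 5555 tcp
10.10.50.40 10.10.1.5 443 tcp
198.51.100.9 10.10.1.5 5555 tcp
10.10.50.12 10.10.1.5 5555 udp
"""


def render_iptables_rules(port=DATA_PROTECTOR_PORT, allowed=ALLOWED_SOURCES):
    """Return iptables rules that accept the service port only from the
    allowlisted networks and drop every other source."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
             for net in allowed]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def parse_record(line):
    """Split one 'src dst port proto' record into typed fields."""
    src, dst, port, proto = line.split()
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            int(port), proto.lower())


def is_allowed_source(src, allowed=ALLOWED_SOURCES):
    return any(src in net for net in allowed)


def find_violations(text, port=DATA_PROTECTOR_PORT, allowed=ALLOWED_SOURCES):
    """Return (src, dst) pairs for TCP connections to the Data Protector port
    that originate outside the allowlist; these indicate the network
    restriction is not in place or is being bypassed."""
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dst_port, proto = parse_record(line)
        if proto == "tcp" and dst_port == port and not is_allowed_source(src, allowed):
            violations.append((str(src), str(dst)))
    return violations


if __name__ == "__main__":
    print("# firewall rules for the allowlist")
    for rule in render_iptables_rules():
        print(rule)
    print("# connections that violate the allowlist")
    for src, dst in find_violations(SAMPLE_CONNECTIONS):
        print(f"unexpected access to Data Protector: {src} -> {dst}")
```

Because the advisory's issue is missing authentication on the service itself, the firewall allowlist is the control and the violation check is the verification: any hit from `find_violations` over real flow logs means an unauthenticated party could reach the service and should be investigated.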
Thanks to Ian Lovering for reporting this vulnerability.
This document was written by Garret Wassermann.
Date First Published: 2016-04-22
Date Last Updated: 2016-04-22 16:56 UTC