search menu icon-carat-right cmu-wordmark

CERT Coordination Center

HP Data Protector does not perform authentication and contains an embedded SSL private key

Vulnerability Note VU#267328

Original Release Date: 2016-04-22 | Last Revised: 2016-04-22

Overview

The HP Data Protector does not perform user authentication, even when Encrypted Control Communications is enabled, and contains an embedded SSL private key that is shared among all installations.

Description

CWE-306: Missing Authentication for Critical Function - CVE-2016-2004

Data Protector does not authenticate users, even with Encrypted Control Communications enabled. An unauthenticated remote attacker may be able to execute code on the server hosting Data Protector.

CWE-321: Use of Hard-coded Cryptographic Key

Data Protector contains an embedded SSL private key. This private key appears to be shared among all installations of Data Protector.

Data Protector versions 7, 8, and 9 are affected; other versions may also be impacted.

Impact

An unauthenticated remote attacker may be able to execute code on the server, or perform man-in-the-middle attacks against the server.

Solution

Apply an update

HP has released updates to Data Protector version 7, 8, and 9 to address these issues.

Affected users may consider the following workaround:

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.

Vendor Information

267328
 
Affected   Unknown   Unaffected

Hewlett Packard Enterprise

Notified:  November 11, 2015 Updated:  April 22, 2016

Statement Date:   April 19, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 8.4 E:POC/RL:U/RC:C
Environmental 6.3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Ian Lovering for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-2004
Date Public: 2016-04-18
Date First Published: 2016-04-22
Date Last Updated: 2016-04-22 16:56 UTC
Document Revision: 37

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.