Vulnerability Note VU#267328
HP Data Protector does not perform authentication and contains an embedded SSL private key
Original Release date: 22 Apr 2016 | Last revised: 22 Apr 2016

Overview
The HP Data Protector does not perform user authentication, even when Encrypted Control Communications is enabled, and contains an embedded SSL private key that is shared among all installations.

Description
CWE-306: Missing Authentication for Critical Function – CVE-2016-2004
Data Protector does not authenticate users, even with Encrypted Control Communications enabled.

An unauthenticated remote attacker may be able to execute code on the server hosting Data Protector.

CWE-321: Use of Hard-coded Cryptographic Key

Data Protector contains an embedded SSL private key.

This private key appears to be shared among all installations of Data Protector.

Data Protector versions 7, 8, and 9 are affected; other versions may also be impacted.

Impact
An unauthenticated remote attacker may be able to execute code on the server, or perform man-in-the-middle attacks against the server.

Solution
Apply an update

HP has released updates to Data Protector version 7, 8, and 9 to address these issues.

Affected users may consider the following workaround:
Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks.

Consult your firewall product’s manual for more information.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedHewlett Packard EnterpriseAffected11 Nov 201522 Apr 2016If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal
8.4
E:POC/RL:U/RC:C

Environmental
6.3
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988

Credit

Thanks to Ian Lovering for reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2016-2004

Date Public:
18 Apr 2016

Date First Published:
22 Apr 2016

Date Last Updated:
22 Apr 2016

Document Revision:
37

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.