CERTVU:267328HP Data Protector does not perform authentication and contains an embedded SSL private key
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.369 Low
EPSS
Percentile
97.2%
Overview
The HP Data Protector does not perform user authentication, even when Encrypted Control Communications is enabled, and contains an embedded SSL private key that is shared among all installations.
Description
CWE-306**: Missing Authentication for Critical Function -**CVE-2016-2004
Data Protector does not authenticate users, even with Encrypted Control Communications enabled. An unauthenticated remote attacker may be able to execute code on the server hosting Data Protector.
CWE-321: Use of Hard-coded Cryptographic Key
Data Protector contains an embedded SSL private key. This private key appears to be shared among all installations of Data Protector.
Data Protector versions 7, 8, and 9 are affected; other versions may also be impacted.
Impact
An unauthenticated remote attacker may be able to execute code on the server, or perform man-in-the-middle attacks against the server.
Solution
Apply an update
HP has released updates to Data Protector version 7, 8, and 9 to address these issues.
Affected users may consider the following workaround:
Restrict Network Access
As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product’s manual for more information.
Vendor Information
267328
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Hewlett Packard Enterprise Affected
Notified: November 11, 2015 Updated: April 22, 2016
Statement Date: April 19, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 8.4 | E:POC/RL:U/RC:C |
| Environmental | 6.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
<https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988>
Acknowledgements
Thanks to Ian Lovering for reporting this vulnerability.
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | CVE-2016-2004 |
|---|---|
| Date Public: | 2016-04-18 Date First Published: |
Related
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.369 Low
EPSS
Percentile
97.2%