Vulnerabilities > CVE-2016-2004 - Missing Authentication for Critical Function vulnerability in HP Data Protector

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
hp
CWE-306
critical
nessus
exploit available
metasploit

Summary

HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Choosing a Message/Channel Identifier on a Public/Multicast Channel
    Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initially. Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command.
  • Using Unpublished Web Service APIs
    An attacker searches for and invokes Web Services APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke services and/or gain privileges they are not authorized for.
  • Manipulating Writeable Terminal Devices
    This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
  • Cross Site Request Forgery (aka Session Riding)
    An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.

Exploit-Db

  • descriptionHP Data Protector A.09.00 - Arbitrary Command Execution. CVE-2016-2004. Remote exploit for windows platform
    fileexploits/windows/remote/39858.py
    idEDB-ID:39858
    last seen2016-05-26
    modified2016-05-26
    platformwindows
    port
    published2016-05-26
    reporterIan Lovering
    sourcehttps://www.exploit-db.com/download/39858/
    titleHP Data Protector A.09.00 - Arbitrary Command Execution
    typeremote
  • descriptionData Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf). CVE-2016-2004. Remote exploit for windows platform
    fileexploits/windows/remote/39874.rb
    idEDB-ID:39874
    last seen2016-06-01
    modified2016-05-31
    platformwindows
    port
    published2016-05-31
    reporterIan Lovering
    sourcehttps://www.exploit-db.com/download/39874/
    titleData Protector A.09.00 - Encrypted Communications Arbitrary Command Execution msf
    typeremote

Metasploit

descriptionThis module exploits a well known remote code execution exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2.
idMSF:EXPLOIT/WINDOWS/MISC/HP_DATAPROTECTOR_ENCRYPTED_COMMS
last seen2020-06-11
modified2017-07-24
published2016-05-31
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb
titleHP Data Protector Encrypted Communication Remote Command Execution

Nessus

  • NASL familyMisc.
    NASL idHP_DATA_PROTECTOR_HARDCODED_PRIVATE_KEY.NASL
    descriptionThe HP Data Protector application running on the remote host contains an embedded SSL private key that is shared across all installations. An attacker can exploit this to perform man-in-the-middle attacks against the host or have other potential impacts.
    last seen2020-06-01
    modified2020-06-02
    plugin id90941
    published2016-05-06
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/90941
    titleHP Data Protector Hard-coded Cryptographic Key (HPSBGN03580)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(90941);
      script_version("1.7");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      script_cve_id("CVE-2016-2004");
      script_xref(name:"HP",value:"emr_na-c05085988");
      script_xref(name:"HP",value:"HPSBGN03580");
      script_xref(name:"HP",value:"SSRT102163");
      script_xref(name:"HP",value:"PSRT102293");
      script_xref(name:"CERT",value:"267328");
    
      script_name(english:"HP Data Protector Hard-coded Cryptographic Key (HPSBGN03580)");
      script_summary(english:"Checks the server public key.");
    
      script_set_attribute(attribute:"synopsis",value:
    "An application running on the remote host utilizes an embedded SSL
    private key.");
      script_set_attribute(attribute:"description",value:
    "The HP Data Protector application running on the remote host contains
    an embedded SSL private key that is shared across all installations.
    An attacker can exploit this to perform man-in-the-middle attacks
    against the host or have other potential impacts.");
      #http://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c05085988 
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b20bcde7");
      script_set_attribute(attribute:"see_also",value:"https://www.kb.cert.org/vuls/id/267328/");
      script_set_attribute(attribute:"solution",value:
    "Apply the appropriate patch according to the vendor's advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'HP Data Protector Encrypted Communication Remote Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date",value:"2016/04/22");
      script_set_attribute(attribute:"patch_publication_date",value:"2016/04/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/06");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type",value:"remote");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:hp:data_protector");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
    
      script_require_keys("Settings/ParanoidReport");
      script_exclude_keys("global_settings/disable_test_ssl_based_services");
      script_require_ports("Services/hp_openview_dataprotector", 5555);
      script_dependencies("hp_data_protector_installed.nasl");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("x509_func.inc");
    include("dump.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if (get_kb_item("global_settings/disable_test_ssl_based_services"))
        exit(1, "Not testing SSL based services per user config.");
    
    # Make sure hpdp is detected
    port = get_service(svc:'hp_openview_dataprotector', exit_on_fail:TRUE);
    
    soc = open_sock_tcp(port);
    if (!soc)
      audit(AUDIT_SOCK_FAIL, port);
    
    function inet_recv(soc)
    {
      local_var data, len;
    
      # Read 4-byte packet length
      data = recv(socket:soc, length: 4, min:4);
      if(strlen(data) != 4)
        return NULL;
    
      # Check packet length 
      len = getdword(blob: data, pos:0);
      if(len > 1024 * 1024)
        return NULL;
         
      # Read the remaining packet data
      data += recv(socket:soc, length: len, min: len);
      if(strlen(data) != len + 4)
        return NULL; 
     
      return data; 
    }
    
    function getstr(blob, pos, bom)
    {
      local_var c, cp, cn, cs, s, len;
    
      len = strlen(blob);
      if (bom == '\xff\xfe' || bom == '\xfe\xff')
      {
        if(len % 2) return NULL;
    
        cs = 2;
        cn = '\x00\x00';
        if(bom =='\xff\xfe')
          cp = 0;
        else
          cp = 1; 
      }
      else
      {
        cs = 1; 
        cp = 0;
        cn = '\x00';
      }
     
      s = NULL; 
      while(pos + cs <= len)
      {
        c = substr(blob, pos, pos + cs - 1);
        if (c == cn)
          break;
      
        s += c[cp];
        pos += cs;
      }
    
      return s;
    }
    
    function utf16(be)
    { 
      local_var i, in, out;
     
      in = _FCT_ANON_ARGS[0];
    
      if( isnull(in)) return NULL;
     
      out = NULL;
      for (i = 0; i < strlen(in); i++)
      {
        if(be)
          out += '\x00' + in[i];
        else
          out += in[i] + '\x00';
      } 
    
      # NULL-terminate the string  
      out += '\x00\x00';    
    
      return out;
    }
    
    function status()
    {
      local_var err, data, ret;
    
      err  = _FCT_ANON_ARGS[0];
      data = _FCT_ANON_ARGS[1];
    
      ret[0] = err;
      ret[1] = data;
    
      return ret;
    }
    
    function parse_proto_info()
    {
      local_var data, err, len, marker, ret;
      local_var bom, cn, cs, field, i, sp, pos;
    
      data = _FCT_ANON_ARGS[0];
    
      len = strlen(data);
    
      if(len < 6)
        return status('Invalid response packet length');
    
      pos = 4; # Skip 4-byte pkt length
      bom = substr(data, pos, pos + 1);
    
      if(bom == '\xff\xfe' || bom == '\xfe\xff')
      {
        cn = '\x00\x00';
        cs = strlen(cn);
        if(bom == '\xff\xfe')
          sp = '\x20\x00';
        else
          sp = '\x00\x20';
    
        pos += 2;
      }
      else
      {
        bom = NULL;
        cn = '\x00';
        cs = strlen(cn);
        sp = '\x20';
      }
        
      i = 0;
      repeat 
      {
        field = getstr(blob: data, pos: pos, bom: bom); 
        if(! field) 
          return status('Failed to get a string at position ' + pos); 
    
        ret[i++] = field;
    
        # Advance to next string
        pos += (strlen(field) + 1) * cs;
    
        # Get field seperator/marker 
        if (pos + cs <= len)
        {
          marker = substr(data, pos, pos + cs -1);
          if( marker != sp && marker != cn)
            return status('Invalid field separator at position ' + pos);
    
          pos += cs;
        }
        else
          return status('Failed to get a field separator at position ' + pos);
             
      } until (marker == cn);
    
      return status(NULL, ret);
      
    }  
    
    req = '\xff\xfe' +
          utf16('267') +  # MSG_PROTOCOL 
          utf16(' 10') +  # protocol type 
          utf16(' 100') + # protocol version
          utf16(' 900') + # module version 
          utf16(' 88') +  # module subversion 
          utf16(' NESSUS') + # 
          utf16(' 4') +   # protocol flags 
          utf16('');
    
    req = mkdword(strlen(req)) + req;
    send(socket: soc, data: req); 
          
    res = inet_recv(soc:soc);
    if (! res)
      audit(AUDIT_RESP_NOT, port, 'an HP Data Protector request');
    
    ret = parse_proto_info(res);
    if(ret[0])
      exit(1, 'Failed to parse response received from port ' + port +': ' + ret[0] + '.');
    
    proto_flags = ret[1][6];
    if(isnull(proto_flags))
      exit(1, 'Failed to get protocol flags in response received from service listening on port '+ port + '.');
    
    flags = uint(proto_flags);
    
    if(!(flags & 0x4))
     exit(1, 'The service listening on port '+ port + ' does not appear to have enabled encryption. Protocol flags: ' + proto_flags +'.'); 
      
    # HP DP is known to support TLSv1.0
    cert = get_server_cert(port: port, socket: soc, encaps:ENCAPS_TLSv1, encoding:"der");
    close(soc);
    
    if (isnull(cert))
    {
      exit(1, 'Failed to get server certificate for service listening on port ' + port +'.');
    }
    cert = parse_der_cert(cert:cert);
    if (isnull(cert))
    {
      exit(1, 'Failed to parse server certificate for service listening on port ' + port +'.');
    }
    
    cert = cert['tbsCertificate'];
    n = cert['subjectPublicKeyInfo'][1][0];
    e = cert['subjectPublicKeyInfo'][1][1];
    if(isnull(n) || isnull(e))
    {
      exit(1, 'Failed to extract RSA public key from certificate for service listening on port ' + port +'.');
    }
    
    fixed_n = raw_string(
      0x00, 0xA9, 0xC7, 0xD1, 0xA3, 0xBA, 0x5A, 0x84, 
      0xB3, 0xCA, 0x1D, 0xBB, 0x63, 0xA2, 0x4F, 0x6E,
      0x45, 0x88, 0xF6, 0x01, 0x20, 0xE3, 0xDD, 0x2C, 
      0xAA, 0x66, 0x87, 0x0A, 0x0A, 0x77, 0xC1, 0xB7, 
      0x00, 0x52, 0x24, 0xD0, 0x43, 0xD8, 0xAB, 0x27,
      0x60, 0x14, 0xC5, 0x97, 0xEF, 0x8C, 0x5E, 0x31,
      0x23, 0xB2, 0xA8, 0x46, 0x95, 0x6C, 0xA0, 0x06,
      0x04, 0x12, 0x13, 0xE3, 0x53, 0x85, 0x4D, 0x46,
      0xD1 
    );
    fixed_d = raw_string(
      0x00, 0x96, 0x26, 0x20, 0x51, 0xC3, 0x12, 0x20,
      0x7F, 0xFC, 0x44, 0x95, 0x1F, 0xC5, 0x40, 0xA8,
      0x0E, 0x18, 0xD5, 0x2F, 0x24, 0x4E, 0x40, 0xA1,
      0x2A, 0xC5, 0xE7, 0xB1, 0x4A, 0x96, 0xA4, 0x9B,
      0xD8, 0xDD, 0x08, 0x3A, 0xCB, 0x95, 0x7F, 0xC5,
      0x7D, 0xAB, 0x9F, 0x9A, 0x82, 0x29, 0xF8, 0x55,
      0x3E, 0x1E, 0xE6, 0x9D, 0xDD, 0x3B, 0x96, 0x92,
      0xF3, 0xFE, 0x43, 0xD5, 0x1D, 0x15, 0xD9, 0x2B,
      0xED
    );
    
    if(e == '\x01\x00\x01' && n == fixed_n)
    {
      report =  
        'Nessus detected the following RSA modulus : ' + 
        '\n' +
        '\n' + hexdump(ddata:fixed_n) +
        '\nwith its corresponding private exponent being : '+
        '\n' + hexdump(ddata:fixed_d)+ 
        '\nwhich appears to be shared among multiple HP Data Protector installations.';
    
      security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    }
    else
      audit(AUDIT_HOST_NOT, 'affected');
      
    
  • NASL familyMisc.
    NASL idHP_DATA_PROTECTOR_HPSBGN03580.NASL
    descriptionThe version of HP Data Protector installed on the remote host is 7.0x prior to 7.03 build 108, 8.1x prior to 8.15, or 9.0x prior to 9.06. It is, therefore, affected by the following vulnerabilities : - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808) - A flaw exists due to a failure to authenticate users, even with Encrypted Control Communications enabled. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-2004) - Multiple overflow conditions exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these issues, via specially crafted
    last seen2020-06-01
    modified2020-06-02
    plugin id90796
    published2016-04-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90796
    titleHP Data Protector 7.0x < 7.03 build 108 / 8.1x < 8.15 / 9.0x < 9.06 Multiple Vulnerabilities (HPSBGN03580) (Bar Mitzvah)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(90796);
      script_version("1.14");
      script_cvs_date("Date: 2019/02/25 15:45:55");
    
      script_cve_id(
        "CVE-2015-2808",
        "CVE-2016-2004",
        "CVE-2016-2005",
        "CVE-2016-2006",
        "CVE-2016-2007",
        "CVE-2016-2008"
      );
      script_bugtraq_id(
        73684,
        87037,
        87040,
        87053,
        87055,
        87061
      );
      script_xref(name:"CERT", value:"267328");
      script_xref(name:"EDB-ID", value:"39858");
      script_xref(name:"HP",value:"emr_na-c05085988");
      script_xref(name:"HP",value:"HPSBGN03580");
      script_xref(name:"HP",value:"SSRT102163");
      script_xref(name:"HP",value:"PSRT102293");
      script_xref(name:"HP",value:"PSRT102979");
      script_xref(name:"HP",value:"PSRT102980");
      script_xref(name:"HP",value:"PSRT102981");
      script_xref(name:"HP",value:"PSRT102956");
      script_xref(name:"HP",value:"PSRT102948");
      script_xref(name:"ZDI", value:"ZDI-16-245");
      script_xref(name:"ZDI", value:"ZDI-16-246");
      script_xref(name:"ZDI", value:"ZDI-16-247");
    
      script_name(english:"HP Data Protector 7.0x < 7.03 build 108 / 8.1x < 8.15 / 9.0x < 9.06 Multiple Vulnerabilities (HPSBGN03580) (Bar Mitzvah)");
      script_summary(english:"Checks versions");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of HP Data Protector installed on the remote host is 7.0x
    prior to 7.03 build 108, 8.1x prior to 8.15, or 9.0x prior to 9.06. It
    is, therefore, affected by the following vulnerabilities :
    
      - A security feature bypass vulnerability exists, known as
        Bar Mitzvah, due to improper combination of state data
        with key data by the RC4 cipher algorithm during the
        initialization phase. A man-in-the-middle attacker can
        exploit this, via a brute-force attack using LSB values,
        to decrypt the traffic. (CVE-2015-2808)
    
      - A flaw exists due to a failure to authenticate users,
        even with Encrypted Control Communications enabled. An
        unauthenticated, remote attacker can exploit this to
        execute arbitrary code. (CVE-2016-2004)
    
      - Multiple overflow conditions exist due to improper
        validation of user-supplied input. An unauthenticated,
        remote attacker can exploit these issues, via specially
        crafted 'User Name' or 'Domain' field in an EXEC_BAR
        request, to cause a stack-based buffer overflow,
        resulting in a denial of service or the execution of
        arbitrary code. (CVE-2016-2005, CVE-2016-2006)
    
      - An overflow condition exists due to improper validation
        of user-supplied input. An unauthenticated, remote
        attacker can exploit this, via specially crafted
        EXEC_SCRIPT request, to cause a stack-based buffer
        overflow, resulting in a denial of service or the
        execution of arbitrary code. (CVE-2016-2007)
    
      - An unspecified flaw exists that allows an
        unauthenticated, remote attacker to disclose sensitive
        information or execute arbitrary code. (CVE-2016-2008)");
      # http://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c05085988
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b20bcde7");
      # https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bbf45ac");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-245/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-246/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-247/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to HP Data Protector 7.03 build 108 (7.03_108) / 8.15 / 9.06
    or later per the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2007");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'HP Data Protector Encrypted Communication Remote Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/04/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/29");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:storage_data_protector");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_require_ports("Services/hp_openview_dataprotector", 5555);
      script_dependencies("os_fingerprint.nasl", "ssh_get_info.nasl", "hp_data_protector_installed.nasl", "hp_data_protector_installed_local.nasl");
      script_require_keys("Services/data_protector/version");
    
      exit(0);
    }
    
    include("hp_data_protector_version.inc");
    
    port = get_service(svc:'hp_openview_dataprotector', default:5555, exit_on_fail:TRUE);
    
    # patterns matching affected platforms
    hpux_pat = "^11\.(11|23|31)$";
    solaris_pat = "^5(\.|$|[^0-9])";
    windows_pat = "^(5\.2|6\.\d+)$";
    linux_pat = "(el[4-7]|Server release [4-7]|SLES(9|10|11))(\.|$|[^0-9])";
    
    # patterns for matching against affected versions
    ver_700_pat = "^A\.07\.0[0-3]$";
    ver_800_pat = "^A\.08\.1[0-4]$";
    ver_900_pat = "^A\.09\.0[0-5]$";
    
    hp_data_protector_check(os:"hpux",
                            os_version_pat: hpux_pat,
                            version_pat: ver_700_pat,
                            fixed_internal_build: 108,
                            severity: SECURITY_HOLE,
                            port:port);
    
    hp_data_protector_check(os:"linux",
                            os_version_pat: linux_pat,
                            version_pat: ver_700_pat,
                            fixed_internal_build: 108,
                            severity: SECURITY_HOLE,
                            port:port);
    
    hp_data_protector_check(os:"windows",
                            os_version_pat: windows_pat,
                            version_pat: ver_700_pat,
                            fixed_internal_build: 108,
                            severity: SECURITY_HOLE,
                            port:port);
    
    ## 8.1x
    
    hp_data_protector_check(os:"hpux",
                            os_version_pat: hpux_pat,
                            version_pat: ver_800_pat,
                            fixed_internal_build: 211,
                            severity: SECURITY_HOLE,
                            port:port);
    
    hp_data_protector_check(os:"linux",
                            os_version_pat: linux_pat,
                            version_pat: ver_800_pat,
                            fixed_internal_build: 211,
                            severity: SECURITY_HOLE,
                            port:port);
    
    hp_data_protector_check(os:"windows",
                            os_version_pat: windows_pat,
                            version_pat: ver_800_pat,
                            fixed_internal_build: 211,
                            severity: SECURITY_HOLE,
                            port:port);
    
    ## 9.0x
    
    hp_data_protector_check(os:"hpux",
                            os_version_pat: hpux_pat,
                            version_pat: ver_900_pat,
                            fixed_internal_build: 107,
                            severity: SECURITY_HOLE,
                            port:port);
    
    hp_data_protector_check(os:"linux",
                            os_version_pat: linux_pat,
                            version_pat: ver_900_pat,
                            fixed_internal_build: 107,
                            severity: SECURITY_HOLE,
                            port:port);
    
    hp_data_protector_check(os:"windows",
                            os_version_pat: windows_pat,
                            version_pat: ver_900_pat,
                            fixed_internal_build: 107,
                            severity: SECURITY_HOLE,
                            port:port);
    
    hp_data_protector_check_exit(port:port);
    

Packetstorm

Saint

descriptionHP Data Protector missing authentication
idnet_openview_hpdataprotssl
titlehp_data_protector_auth
typeremote