Vulnerabilities > CVE-2016-2004 - Missing Authentication for Critical Function vulnerability in HP Data Protector
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Choosing a Message/Channel Identifier on a Public/Multicast Channel Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initially. Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command.
- Using Unpublished Web Service APIs An attacker searches for and invokes Web Services APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke services and/or gain privileges they are not authorized for.
- Manipulating Writeable Terminal Devices This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
- Cross Site Request Forgery (aka Session Riding) An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.
Exploit-Db
description HP Data Protector A.09.00 - Arbitrary Command Execution. CVE-2016-2004. Remote exploit for windows platform file exploits/windows/remote/39858.py id EDB-ID:39858 last seen 2016-05-26 modified 2016-05-26 platform windows port published 2016-05-26 reporter Ian Lovering source https://www.exploit-db.com/download/39858/ title HP Data Protector A.09.00 - Arbitrary Command Execution type remote description Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf). CVE-2016-2004. Remote exploit for windows platform file exploits/windows/remote/39874.rb id EDB-ID:39874 last seen 2016-06-01 modified 2016-05-31 platform windows port published 2016-05-31 reporter Ian Lovering source https://www.exploit-db.com/download/39874/ title Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution msf type remote
Metasploit
| description | This module exploits a well known remote code execution exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2. |
| id | MSF:EXPLOIT/WINDOWS/MISC/HP_DATAPROTECTOR_ENCRYPTED_COMMS |
| last seen | 2020-06-11 |
| modified | 2017-07-24 |
| published | 2016-05-31 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb |
| title | HP Data Protector Encrypted Communication Remote Command Execution |
Nessus
NASL family Misc. NASL id HP_DATA_PROTECTOR_HARDCODED_PRIVATE_KEY.NASL description The HP Data Protector application running on the remote host contains an embedded SSL private key that is shared across all installations. An attacker can exploit this to perform man-in-the-middle attacks against the host or have other potential impacts. last seen 2020-06-01 modified 2020-06-02 plugin id 90941 published 2016-05-06 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/90941 title HP Data Protector Hard-coded Cryptographic Key (HPSBGN03580) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(90941); script_version("1.7"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2016-2004"); script_xref(name:"HP",value:"emr_na-c05085988"); script_xref(name:"HP",value:"HPSBGN03580"); script_xref(name:"HP",value:"SSRT102163"); script_xref(name:"HP",value:"PSRT102293"); script_xref(name:"CERT",value:"267328"); script_name(english:"HP Data Protector Hard-coded Cryptographic Key (HPSBGN03580)"); script_summary(english:"Checks the server public key."); script_set_attribute(attribute:"synopsis",value: "An application running on the remote host utilizes an embedded SSL private key."); script_set_attribute(attribute:"description",value: "The HP Data Protector application running on the remote host contains an embedded SSL private key that is shared across all installations. An attacker can exploit this to perform man-in-the-middle attacks against the host or have other potential impacts."); #http://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c05085988 script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b20bcde7"); script_set_attribute(attribute:"see_also",value:"https://www.kb.cert.org/vuls/id/267328/"); script_set_attribute(attribute:"solution",value: "Apply the appropriate patch according to the vendor's advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'HP Data Protector Encrypted Communication Remote Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date",value:"2016/04/22"); script_set_attribute(attribute:"patch_publication_date",value:"2016/04/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/06"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type",value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:hp:data_protector"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_require_keys("Settings/ParanoidReport"); script_exclude_keys("global_settings/disable_test_ssl_based_services"); script_require_ports("Services/hp_openview_dataprotector", 5555); script_dependencies("hp_data_protector_installed.nasl"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("x509_func.inc"); include("dump.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); if (get_kb_item("global_settings/disable_test_ssl_based_services")) exit(1, "Not testing SSL based services per user config."); # Make sure hpdp is detected port = get_service(svc:'hp_openview_dataprotector', exit_on_fail:TRUE); soc = open_sock_tcp(port); if (!soc) audit(AUDIT_SOCK_FAIL, port); function inet_recv(soc) { local_var data, len; # Read 4-byte packet length data = recv(socket:soc, length: 4, min:4); if(strlen(data) != 4) return NULL; # Check packet length len = getdword(blob: data, pos:0); if(len > 1024 * 1024) return NULL; # Read the remaining packet data data += recv(socket:soc, length: len, min: len); if(strlen(data) != len + 4) return NULL; return data; } function getstr(blob, pos, bom) { local_var c, cp, cn, cs, s, len; len = strlen(blob); if (bom == '\xff\xfe' || bom == '\xfe\xff') { if(len % 2) return NULL; cs = 2; cn = '\x00\x00'; if(bom =='\xff\xfe') cp = 0; else cp = 1; } else { cs = 1; cp = 0; cn = '\x00'; } s = NULL; while(pos + cs <= len) { c = substr(blob, pos, pos + cs - 1); if (c == cn) break; s += c[cp]; pos += cs; } return s; } function utf16(be) { local_var i, in, out; in = _FCT_ANON_ARGS[0]; if( isnull(in)) return NULL; out = NULL; for (i = 0; i < strlen(in); i++) { if(be) out += '\x00' + in[i]; else out += in[i] + '\x00'; } # NULL-terminate the string out += '\x00\x00'; return out; } function status() { local_var err, data, ret; err = _FCT_ANON_ARGS[0]; data = _FCT_ANON_ARGS[1]; ret[0] = err; ret[1] = data; return ret; } function parse_proto_info() { local_var data, err, len, marker, ret; local_var bom, cn, cs, field, i, sp, pos; data = _FCT_ANON_ARGS[0]; len = strlen(data); if(len < 6) return status('Invalid response packet length'); pos = 4; # Skip 4-byte pkt length bom = substr(data, pos, pos + 1); if(bom == '\xff\xfe' || bom == '\xfe\xff') { cn = '\x00\x00'; cs = strlen(cn); if(bom == '\xff\xfe') sp = '\x20\x00'; else sp = '\x00\x20'; pos += 2; } else { bom = NULL; cn = '\x00'; cs = strlen(cn); sp = '\x20'; } i = 0; repeat { field = getstr(blob: data, pos: pos, bom: bom); if(! field) return status('Failed to get a string at position ' + pos); ret[i++] = field; # Advance to next string pos += (strlen(field) + 1) * cs; # Get field seperator/marker if (pos + cs <= len) { marker = substr(data, pos, pos + cs -1); if( marker != sp && marker != cn) return status('Invalid field separator at position ' + pos); pos += cs; } else return status('Failed to get a field separator at position ' + pos); } until (marker == cn); return status(NULL, ret); } req = '\xff\xfe' + utf16('267') + # MSG_PROTOCOL utf16(' 10') + # protocol type utf16(' 100') + # protocol version utf16(' 900') + # module version utf16(' 88') + # module subversion utf16(' NESSUS') + # utf16(' 4') + # protocol flags utf16(''); req = mkdword(strlen(req)) + req; send(socket: soc, data: req); res = inet_recv(soc:soc); if (! res) audit(AUDIT_RESP_NOT, port, 'an HP Data Protector request'); ret = parse_proto_info(res); if(ret[0]) exit(1, 'Failed to parse response received from port ' + port +': ' + ret[0] + '.'); proto_flags = ret[1][6]; if(isnull(proto_flags)) exit(1, 'Failed to get protocol flags in response received from service listening on port '+ port + '.'); flags = uint(proto_flags); if(!(flags & 0x4)) exit(1, 'The service listening on port '+ port + ' does not appear to have enabled encryption. Protocol flags: ' + proto_flags +'.'); # HP DP is known to support TLSv1.0 cert = get_server_cert(port: port, socket: soc, encaps:ENCAPS_TLSv1, encoding:"der"); close(soc); if (isnull(cert)) { exit(1, 'Failed to get server certificate for service listening on port ' + port +'.'); } cert = parse_der_cert(cert:cert); if (isnull(cert)) { exit(1, 'Failed to parse server certificate for service listening on port ' + port +'.'); } cert = cert['tbsCertificate']; n = cert['subjectPublicKeyInfo'][1][0]; e = cert['subjectPublicKeyInfo'][1][1]; if(isnull(n) || isnull(e)) { exit(1, 'Failed to extract RSA public key from certificate for service listening on port ' + port +'.'); } fixed_n = raw_string( 0x00, 0xA9, 0xC7, 0xD1, 0xA3, 0xBA, 0x5A, 0x84, 0xB3, 0xCA, 0x1D, 0xBB, 0x63, 0xA2, 0x4F, 0x6E, 0x45, 0x88, 0xF6, 0x01, 0x20, 0xE3, 0xDD, 0x2C, 0xAA, 0x66, 0x87, 0x0A, 0x0A, 0x77, 0xC1, 0xB7, 0x00, 0x52, 0x24, 0xD0, 0x43, 0xD8, 0xAB, 0x27, 0x60, 0x14, 0xC5, 0x97, 0xEF, 0x8C, 0x5E, 0x31, 0x23, 0xB2, 0xA8, 0x46, 0x95, 0x6C, 0xA0, 0x06, 0x04, 0x12, 0x13, 0xE3, 0x53, 0x85, 0x4D, 0x46, 0xD1 ); fixed_d = raw_string( 0x00, 0x96, 0x26, 0x20, 0x51, 0xC3, 0x12, 0x20, 0x7F, 0xFC, 0x44, 0x95, 0x1F, 0xC5, 0x40, 0xA8, 0x0E, 0x18, 0xD5, 0x2F, 0x24, 0x4E, 0x40, 0xA1, 0x2A, 0xC5, 0xE7, 0xB1, 0x4A, 0x96, 0xA4, 0x9B, 0xD8, 0xDD, 0x08, 0x3A, 0xCB, 0x95, 0x7F, 0xC5, 0x7D, 0xAB, 0x9F, 0x9A, 0x82, 0x29, 0xF8, 0x55, 0x3E, 0x1E, 0xE6, 0x9D, 0xDD, 0x3B, 0x96, 0x92, 0xF3, 0xFE, 0x43, 0xD5, 0x1D, 0x15, 0xD9, 0x2B, 0xED ); if(e == '\x01\x00\x01' && n == fixed_n) { report = 'Nessus detected the following RSA modulus : ' + '\n' + '\n' + hexdump(ddata:fixed_n) + '\nwith its corresponding private exponent being : '+ '\n' + hexdump(ddata:fixed_d)+ '\nwhich appears to be shared among multiple HP Data Protector installations.'; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); } else audit(AUDIT_HOST_NOT, 'affected');NASL family Misc. NASL id HP_DATA_PROTECTOR_HPSBGN03580.NASL description The version of HP Data Protector installed on the remote host is 7.0x prior to 7.03 build 108, 8.1x prior to 8.15, or 9.0x prior to 9.06. It is, therefore, affected by the following vulnerabilities : - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808) - A flaw exists due to a failure to authenticate users, even with Encrypted Control Communications enabled. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-2004) - Multiple overflow conditions exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these issues, via specially crafted last seen 2020-06-01 modified 2020-06-02 plugin id 90796 published 2016-04-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90796 title HP Data Protector 7.0x < 7.03 build 108 / 8.1x < 8.15 / 9.0x < 9.06 Multiple Vulnerabilities (HPSBGN03580) (Bar Mitzvah) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(90796); script_version("1.14"); script_cvs_date("Date: 2019/02/25 15:45:55"); script_cve_id( "CVE-2015-2808", "CVE-2016-2004", "CVE-2016-2005", "CVE-2016-2006", "CVE-2016-2007", "CVE-2016-2008" ); script_bugtraq_id( 73684, 87037, 87040, 87053, 87055, 87061 ); script_xref(name:"CERT", value:"267328"); script_xref(name:"EDB-ID", value:"39858"); script_xref(name:"HP",value:"emr_na-c05085988"); script_xref(name:"HP",value:"HPSBGN03580"); script_xref(name:"HP",value:"SSRT102163"); script_xref(name:"HP",value:"PSRT102293"); script_xref(name:"HP",value:"PSRT102979"); script_xref(name:"HP",value:"PSRT102980"); script_xref(name:"HP",value:"PSRT102981"); script_xref(name:"HP",value:"PSRT102956"); script_xref(name:"HP",value:"PSRT102948"); script_xref(name:"ZDI", value:"ZDI-16-245"); script_xref(name:"ZDI", value:"ZDI-16-246"); script_xref(name:"ZDI", value:"ZDI-16-247"); script_name(english:"HP Data Protector 7.0x < 7.03 build 108 / 8.1x < 8.15 / 9.0x < 9.06 Multiple Vulnerabilities (HPSBGN03580) (Bar Mitzvah)"); script_summary(english:"Checks versions"); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of HP Data Protector installed on the remote host is 7.0x prior to 7.03 build 108, 8.1x prior to 8.15, or 9.0x prior to 9.06. It is, therefore, affected by the following vulnerabilities : - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808) - A flaw exists due to a failure to authenticate users, even with Encrypted Control Communications enabled. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-2004) - Multiple overflow conditions exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these issues, via specially crafted 'User Name' or 'Domain' field in an EXEC_BAR request, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2005, CVE-2016-2006) - An overflow condition exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via specially crafted EXEC_SCRIPT request, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2007) - An unspecified flaw exists that allows an unauthenticated, remote attacker to disclose sensitive information or execute arbitrary code. (CVE-2016-2008)"); # http://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c05085988 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b20bcde7"); # https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bbf45ac"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-245/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-246/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-247/"); script_set_attribute(attribute:"solution", value: "Upgrade to HP Data Protector 7.03 build 108 (7.03_108) / 8.15 / 9.06 or later per the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2007"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'HP Data Protector Encrypted Communication Remote Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/19"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/29"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:storage_data_protector"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_require_ports("Services/hp_openview_dataprotector", 5555); script_dependencies("os_fingerprint.nasl", "ssh_get_info.nasl", "hp_data_protector_installed.nasl", "hp_data_protector_installed_local.nasl"); script_require_keys("Services/data_protector/version"); exit(0); } include("hp_data_protector_version.inc"); port = get_service(svc:'hp_openview_dataprotector', default:5555, exit_on_fail:TRUE); # patterns matching affected platforms hpux_pat = "^11\.(11|23|31)$"; solaris_pat = "^5(\.|$|[^0-9])"; windows_pat = "^(5\.2|6\.\d+)$"; linux_pat = "(el[4-7]|Server release [4-7]|SLES(9|10|11))(\.|$|[^0-9])"; # patterns for matching against affected versions ver_700_pat = "^A\.07\.0[0-3]$"; ver_800_pat = "^A\.08\.1[0-4]$"; ver_900_pat = "^A\.09\.0[0-5]$"; hp_data_protector_check(os:"hpux", os_version_pat: hpux_pat, version_pat: ver_700_pat, fixed_internal_build: 108, severity: SECURITY_HOLE, port:port); hp_data_protector_check(os:"linux", os_version_pat: linux_pat, version_pat: ver_700_pat, fixed_internal_build: 108, severity: SECURITY_HOLE, port:port); hp_data_protector_check(os:"windows", os_version_pat: windows_pat, version_pat: ver_700_pat, fixed_internal_build: 108, severity: SECURITY_HOLE, port:port); ## 8.1x hp_data_protector_check(os:"hpux", os_version_pat: hpux_pat, version_pat: ver_800_pat, fixed_internal_build: 211, severity: SECURITY_HOLE, port:port); hp_data_protector_check(os:"linux", os_version_pat: linux_pat, version_pat: ver_800_pat, fixed_internal_build: 211, severity: SECURITY_HOLE, port:port); hp_data_protector_check(os:"windows", os_version_pat: windows_pat, version_pat: ver_800_pat, fixed_internal_build: 211, severity: SECURITY_HOLE, port:port); ## 9.0x hp_data_protector_check(os:"hpux", os_version_pat: hpux_pat, version_pat: ver_900_pat, fixed_internal_build: 107, severity: SECURITY_HOLE, port:port); hp_data_protector_check(os:"linux", os_version_pat: linux_pat, version_pat: ver_900_pat, fixed_internal_build: 107, severity: SECURITY_HOLE, port:port); hp_data_protector_check(os:"windows", os_version_pat: windows_pat, version_pat: ver_900_pat, fixed_internal_build: 107, severity: SECURITY_HOLE, port:port); hp_data_protector_check_exit(port:port);
Packetstorm
data source https://packetstormsecurity.com/files/download/137341/hp_dataprotector_encrypted_comms.rb.txt id PACKETSTORM:137341 last seen 2016-12-05 published 2016-06-07 reporter Ian Lovering source https://packetstormsecurity.com/files/137341/HP-Data-Protector-Encrypted-Communication-Remote-Command-Execution.html title HP Data Protector Encrypted Communication Remote Command Execution data source https://packetstormsecurity.com/files/download/137199/hpdataprotectora0900-exec.txt id PACKETSTORM:137199 last seen 2016-12-05 published 2016-05-26 reporter Ian Lovering source https://packetstormsecurity.com/files/137199/HP-Data-Protector-A.09.00-Command-Execution.html title HP Data Protector A.09.00 Command Execution
Saint
| description | HP Data Protector missing authentication |
| id | net_openview_hpdataprotssl |
| title | hp_data_protector_auth |
| type | remote |
Related news
References
- http://packetstormsecurity.com/files/137199/HP-Data-Protector-A.09.00-Command-Execution.html
- http://packetstormsecurity.com/files/137341/HP-Data-Protector-Encrypted-Communication-Remote-Command-Execution.html
- http://www.kb.cert.org/vuls/id/267328
- http://www.securitytracker.com/id/1035631
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085988
- https://www.exploit-db.com/exploits/39858/
- https://www.exploit-db.com/exploits/39874/