Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

HP Patches Critical Vulnerabilities in Data Protector

HP has released security updates for various HP Data Protector iterations, in an attempt to patch a series of critical vulnerabilities that could result in remote code execution or disclosure of information.

HP has released security updates for various HP Data Protector iterations, in an attempt to patch a series of critical vulnerabilities that could result in remote code execution or disclosure of information.

The company’s new patches are meant to resolve six flaws in HP Data Protector, affecting all software versions prior to 7.03_108, 8.15, and 9.06. These vulnerabilities impact the Windows, HP-UX, and Linux releases of HP Data Protector, the company’s security bulletin explains.

The enterprise tech company revealed that four of the six flaws, namely CVE-2016-2004, CVE-2016-2005, CVE-2016-2006, and CVE-2016-2007, have a Common Vulnerability Scoring System (CVSS) 2.0 Base Score of 10.

The first, CVE-2016-2004, was reported by Jon Barg of GAI NetConsult GmbH and allows an unauthenticated remote attacker to execute code on the server hosting Data Protector. The bug resides in the fact that Data Protector does not authenticate users, even with Encrypted Control Communications enabled.

HP Data Protector also contains an embedded SSL private key that appears to be shared among all installations of Data Protector. As the vulnerability note reveals, adversaries exploiting the vulnerability in Data Protector could perform man-in-the-middle attacks against the server.

The other three flaws were discovered by the Trend Micro’s Zero Day Initiative researcher IntR0Py (ZDI-CAN-3352, ZDI-CAN-3353, and ZDI-CAN-3354) and Hewlett Packard Enterprise (HPE) revealed that successful exploitation of these issues could result in remote code execution. However, the company wouldn’t offer specific details on the vectors that remote attackers could leverage to execute arbitrary code.

The fifth vulnerability resolved in HP Data Protector is CVE-2015-2808, an issue that was revealed last year to result in unauthorized disclosure of information. The issue resides in the RC4 algorithm used in the TLS protocol and SSL protocol not properly combining state data with key data during the initialization phase.

The sixth vulnerability patched in Data Protector is CVE-2016-2008. With a CVSS 2.0 Base Score of 7.5, the flaw could allow remote attackers to execute arbitrary code via unspecified vectors.

HPE customers affected by these bugs are advised to install the newly released patches as soon as possible. To retrieve the updated HP Data Protector Software (versions 7.03_108, 8.15, or 9.06), customers should head over to the company’s support website.

Related: Hackers Can Abuse HP Enterprise Printers for Storage

Related: Command Injection Flaw Found in HP SiteScope

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.