HP has released security updates for several versions of HP Data Protector to patch a series of critical vulnerabilities that could result in remote code execution or disclosure of information.
The company’s new patches are meant to resolve six flaws in HP Data Protector, affecting all software versions prior to 7.03_108, 8.15, and 9.06. These vulnerabilities impact the Windows, HP-UX, and Linux releases of HP Data Protector, the company’s security bulletin explains.
The enterprise tech company revealed that four of the six flaws, namely CVE-2016-2004, CVE-2016-2005, CVE-2016-2006, and CVE-2016-2007, have a Common Vulnerability Scoring System (CVSS) 2.0 Base Score of 10.
The first, CVE-2016-2004, was reported by Jon Barg of GAI NetConsult GmbH and allows an unauthenticated remote attacker to execute code on the server hosting Data Protector. The bug stems from the fact that Data Protector does not authenticate users, even with Encrypted Control Communications enabled.
HP Data Protector also contains an embedded SSL private key that appears to be shared among all installations of Data Protector. As the vulnerability note reveals, adversaries exploiting the vulnerability in Data Protector could perform man-in-the-middle attacks against the server.
The other three flaws were discovered by Trend Micro’s Zero Day Initiative researcher IntR0Py (ZDI-CAN-3352, ZDI-CAN-3353, and ZDI-CAN-3354). Hewlett Packard Enterprise (HPE) revealed that successful exploitation of these issues could result in remote code execution. However, the company would not offer specific details on the vectors that remote attackers could leverage to execute arbitrary code.
The fifth vulnerability resolved in HP Data Protector is CVE-2015-2808, an issue revealed last year that can result in unauthorized disclosure of information. The flaw is that the RC4 algorithm, as used in the TLS and SSL protocols, does not properly combine state data with key data during the initialization phase.
The sixth vulnerability patched in Data Protector is CVE-2016-2008. With a CVSS 2.0 Base Score of 7.5, the flaw could allow remote attackers to execute arbitrary code via unspecified vectors.
HPE customers affected by these bugs are advised to install the newly released patches as soon as possible. To retrieve the updated HP Data Protector Software (versions 7.03_108, 8.15, or 9.06), customers should head over to the company’s support website.