ID CVE-2016-2004
Summary HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623.
References
Vulnerable Configurations
  • HP Data Protector 7.0
    cpe:2.3:a:hp:data_protector:7.0
  • HP Data Protector 7.03
    cpe:2.3:a:hp:data_protector:7.03
  • HP Data Protector 8.0
    cpe:2.3:a:hp:data_protector:8.0
  • HP Data Protector 8.14
    cpe:2.3:a:hp:data_protector:8.14
  • HP Data Protector 9.0
    cpe:2.3:a:hp:data_protector:9.0
  • HP Data Protector 9.05
    cpe:2.3:a:hp:data_protector:9.05
CVSS
Base: 9.3 (as of 23-06-2016 - 13:34)
Impact:
Exploitability:
CWE CWE-306
CAPEC
  • Choosing a Message/Channel Identifier on a Public/Multicast Channel
    Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initially. Doing so allows the attacker to gain access to possibly privileged information and possibly to perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than an output mechanism for the system (such as a command bus), this style of attack could change its identifier from a less privileged to a more privileged channel or command.
  • Using Unpublished Web Service APIs
    An attacker searches for and invokes Web Services APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke services and/or gain privileges they are not authorized for.
  • Manipulating Writeable Terminal Devices
    This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
  • Cross Site Request Forgery (aka Session Riding)
    An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
exploit-db via4
  • description Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf). CVE-2016-2004. Remote exploit for windows platform
    file exploits/windows/remote/39874.rb
    id EDB-ID:39874
    last seen 2016-06-01
    modified 2016-05-31
    platform windows
    port
    published 2016-05-31
    reporter Ian Lovering
    source https://www.exploit-db.com/download/39874/
    title Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution msf
    type remote
  • description HP Data Protector A.09.00 - Arbitrary Command Execution. CVE-2016-2004. Remote exploit for windows platform
    file exploits/windows/remote/39858.py
    id EDB-ID:39858
    last seen 2016-05-26
    modified 2016-05-26
    platform windows
    port
    published 2016-05-26
    reporter Ian Lovering
    source https://www.exploit-db.com/download/39858/
    title HP Data Protector A.09.00 - Arbitrary Command Execution
    type remote
metasploit via4
description This module exploits a well-known remote code execution vulnerability after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. The exploit executes the payload with Microsoft PowerShell, so it will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2.
id MSF:EXPLOIT/WINDOWS/MISC/HP_DATAPROTECTOR_ENCRYPTED_COMMS
last seen 2019-03-18
modified 2017-07-24
published 2016-05-31
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb
title HP Data Protector Encrypted Communication Remote Command Execution
nessus via4
  • NASL family Misc.
    NASL id HP_DATA_PROTECTOR_HARDCODED_PRIVATE_KEY.NASL
    description The HP Data Protector application running on the remote host contains an embedded SSL private key that is shared across all installations. An attacker can exploit this to perform man-in-the-middle attacks against the host or have other potential impacts.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 90941
    published 2016-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90941
    title HP Data Protector Hard-coded Cryptographic Key (HPSBGN03580)
  • NASL family Misc.
    NASL id HP_DATA_PROTECTOR_HPSBGN03580.NASL
    description The version of HP Data Protector installed on the remote host is 7.0x prior to 7.03 build 108, 8.1x prior to 8.15, or 9.0x prior to 9.06. It is, therefore, affected by the following vulnerabilities:
      - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808)
      - A flaw exists due to a failure to authenticate users, even with Encrypted Control Communications enabled. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-2004)
      - Multiple overflow conditions exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these issues, via a specially crafted 'User Name' or 'Domain' field in an EXEC_BAR request, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2005, CVE-2016-2006)
      - An overflow condition exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted EXEC_SCRIPT request, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2007)
      - An unspecified flaw exists that allows an unauthenticated, remote attacker to disclose sensitive information or execute arbitrary code. (CVE-2016-2008)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 90796
    published 2016-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90796
    title HP Data Protector 7.0x < 7.03 build 108 / 8.1x < 8.15 / 9.0x < 9.06 Multiple Vulnerabilities (HPSBGN03580) (Bar Mitzvah)
packetstorm via4
refmap via4
cert-vn VU#267328
confirm https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085988
exploit-db
  • 39858
  • 39874
misc
sectrack 1035631
saint via4
description HP Data Protector missing authentication
id net_openview_hpdataprotssl
title hp_data_protector_auth
type remote
Last major update 02-12-2016 - 22:24
Published 21-04-2016 - 07:00
Last modified 12-07-2019 - 11:15