ID CVE-2016-2004
Summary HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623.
Vulnerable Configurations
  • HP Data Protector 9.05
    cpe:2.3:a:hp:data_protector:9.05
  • HP Data Protector 8.14
    cpe:2.3:a:hp:data_protector:8.14
  • HP Data Protector 7.03
    cpe:2.3:a:hp:data_protector:7.03
CVSS
Base: 9.3 (as of 23-06-2016 - 13:34)
Access   Vector: NETWORK            Complexity: MEDIUM   Authentication: NONE
Impact   Confidentiality: COMPLETE  Integrity: COMPLETE  Availability: COMPLETE
exploit-db via4
  • description Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf). CVE-2016-2004. Remote exploit for windows platform
    file exploits/windows/remote/39874.rb
    id EDB-ID:39874
    last seen 2016-06-01
    modified 2016-05-31
    platform windows
    port
    published 2016-05-31
    reporter Ian Lovering
    source https://www.exploit-db.com/download/39874/
    title Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution msf
    type remote
  • description HP Data Protector A.09.00 - Arbitrary Command Execution. CVE-2016-2004. Remote exploit for windows platform
    file exploits/windows/remote/39858.py
    id EDB-ID:39858
    last seen 2016-05-26
    modified 2016-05-26
    platform windows
    port
    published 2016-05-26
    reporter Ian Lovering
    source https://www.exploit-db.com/download/39858/
    title HP Data Protector A.09.00 - Arbitrary Command Execution
    type remote
metasploit via4
description This module exploits a well known remote code execution exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell, so it will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2.
id MSF:EXPLOIT/WINDOWS/MISC/HP_DATAPROTECTOR_ENCRYPTED_COMMS
last seen 2019-03-13
modified 2017-07-24
published 2016-05-31
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb
title HP Data Protector Encrypted Communication Remote Command Execution
nessus via4
  • NASL family Misc.
    NASL id HP_DATA_PROTECTOR_HARDCODED_PRIVATE_KEY.NASL
    description The HP Data Protector application running on the remote host contains an embedded SSL private key that is shared across all installations. An attacker can exploit this to perform man-in-the-middle attacks against the host or have other potential impacts.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 90941
    published 2016-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90941
    title HP Data Protector Hard-coded Cryptographic Key (HPSBGN03580)
  • NASL family Misc.
    NASL id HP_DATA_PROTECTOR_HPSBGN03580.NASL
    description The version of HP Data Protector installed on the remote host is 7.0x prior to 7.03 build 108, 8.1x prior to 8.15, or 9.0x prior to 9.06. It is, therefore, affected by the following vulnerabilities:
      - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808)
      - A flaw exists due to a failure to authenticate users, even with Encrypted Control Communications enabled. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-2004)
      - Multiple overflow conditions exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these issues, via a specially crafted 'User Name' or 'Domain' field in an EXEC_BAR request, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2005, CVE-2016-2006)
      - An overflow condition exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted EXEC_SCRIPT request, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2007)
      - An unspecified flaw exists that allows an unauthenticated, remote attacker to disclose sensitive information or execute arbitrary code. (CVE-2016-2008)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 90796
    published 2016-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90796
    title HP Data Protector 7.0x < 7.03 build 108 / 8.1x < 8.15 / 9.0x < 9.06 Multiple Vulnerabilities (HPSBGN03580) (Bar Mitzvah)
refmap via4
cert-vn VU#267328
confirm https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085988
sectrack 1035631
saint via4
description HP Data Protector missing authentication
id net_openview_hpdataprotssl
title hp_data_protector_auth
type remote
Last major update 02-12-2016 - 22:24
Published 21-04-2016 - 07:00