9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.159 Low
EPSS
Percentile
96.0%
The HP Data Protector application running on the remote host contains an embedded SSL private key that is shared across all installations.
An attacker can exploit this to perform man-in-the-middle attacks against the host or have other potential impacts.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(90941);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2016-2004");
script_xref(name:"HP", value:"emr_na-c05085988");
script_xref(name:"HP", value:"HPSBGN03580");
script_xref(name:"HP", value:"SSRT102163");
script_xref(name:"HP", value:"PSRT102293");
script_xref(name:"CERT", value:"267328");
script_name(english:"HP Data Protector Hard-coded Cryptographic Key (HPSBGN03580)");
script_set_attribute(attribute:"synopsis", value:
"An application running on the remote host utilizes an embedded SSL
private key.");
script_set_attribute(attribute:"description", value:
"The HP Data Protector application running on the remote host contains
an embedded SSL private key that is shared across all installations.
An attacker can exploit this to perform man-in-the-middle attacks
against the host or have other potential impacts.");
# http://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c05085988
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b20bcde7");
script_set_attribute(attribute:"see_also", value:"https://www.kb.cert.org/vuls/id/267328/");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor's advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'HP Data Protector Encrypted Communication Remote Command Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/22");
script_set_attribute(attribute:"patch_publication_date", value:"2016/04/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/06");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:data_protector");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2016-2022 Tenable Network Security, Inc.");
script_dependencies("hp_data_protector_installed.nasl");
script_require_keys("Settings/ParanoidReport");
script_exclude_keys("global_settings/disable_test_ssl_based_services");
script_require_ports("Services/hp_openview_dataprotector", 5555);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("x509_func.inc");
include("dump.inc");
if (report_paranoia < 2) audit(AUDIT_PARANOID);
if (get_kb_item("global_settings/disable_test_ssl_based_services"))
exit(1, "Not testing SSL based services per user config.");
# Make sure hpdp is detected
port = get_service(svc:'hp_openview_dataprotector', exit_on_fail:TRUE);
soc = open_sock_tcp(port);
if (!soc)
audit(AUDIT_SOCK_FAIL, port);
function inet_recv(soc)
{
local_var data, len;
# Read 4-byte packet length
data = recv(socket:soc, length: 4, min:4);
if(strlen(data) != 4)
return NULL;
# Check packet length
len = getdword(blob: data, pos:0);
if(len > 1024 * 1024)
return NULL;
# Read the remaining packet data
data += recv(socket:soc, length: len, min: len);
if(strlen(data) != len + 4)
return NULL;
return data;
}
function getstr(blob, pos, bom)
{
local_var c, cp, cn, cs, s, len;
len = strlen(blob);
if (bom == '\xff\xfe' || bom == '\xfe\xff')
{
if(len % 2) return NULL;
cs = 2;
cn = '\x00\x00';
if(bom =='\xff\xfe')
cp = 0;
else
cp = 1;
}
else
{
cs = 1;
cp = 0;
cn = '\x00';
}
s = NULL;
while(pos + cs <= len)
{
c = substr(blob, pos, pos + cs - 1);
if (c == cn)
break;
s += c[cp];
pos += cs;
}
return s;
}
function utf16(be)
{
local_var i, in, out;
in = _FCT_ANON_ARGS[0];
if( isnull(in)) return NULL;
out = NULL;
for (i = 0; i < strlen(in); i++)
{
if(be)
out += '\x00' + in[i];
else
out += in[i] + '\x00';
}
# NULL-terminate the string
out += '\x00\x00';
return out;
}
function status()
{
local_var err, data, ret;
err = _FCT_ANON_ARGS[0];
data = _FCT_ANON_ARGS[1];
ret[0] = err;
ret[1] = data;
return ret;
}
function parse_proto_info()
{
local_var data, err, len, marker, ret;
local_var bom, cn, cs, field, i, sp, pos;
data = _FCT_ANON_ARGS[0];
len = strlen(data);
if(len < 6)
return status('Invalid response packet length');
pos = 4; # Skip 4-byte pkt length
bom = substr(data, pos, pos + 1);
if(bom == '\xff\xfe' || bom == '\xfe\xff')
{
cn = '\x00\x00';
cs = strlen(cn);
if(bom == '\xff\xfe')
sp = '\x20\x00';
else
sp = '\x00\x20';
pos += 2;
}
else
{
bom = NULL;
cn = '\x00';
cs = strlen(cn);
sp = '\x20';
}
i = 0;
repeat
{
field = getstr(blob: data, pos: pos, bom: bom);
if(! field)
return status('Failed to get a string at position ' + pos);
ret[i++] = field;
# Advance to next string
pos += (strlen(field) + 1) * cs;
# Get field seperator/marker
if (pos + cs <= len)
{
marker = substr(data, pos, pos + cs -1);
if( marker != sp && marker != cn)
return status('Invalid field separator at position ' + pos);
pos += cs;
}
else
return status('Failed to get a field separator at position ' + pos);
} until (marker == cn);
return status(NULL, ret);
}
req = '\xff\xfe' +
utf16('267') + # MSG_PROTOCOL
utf16(' 10') + # protocol type
utf16(' 100') + # protocol version
utf16(' 900') + # module version
utf16(' 88') + # module subversion
utf16(' NESSUS') + #
utf16(' 4') + # protocol flags
utf16('');
req = mkdword(strlen(req)) + req;
send(socket: soc, data: req);
res = inet_recv(soc:soc);
if (! res)
audit(AUDIT_RESP_NOT, port, 'an HP Data Protector request');
ret = parse_proto_info(res);
if(ret[0])
exit(1, 'Failed to parse response received from port ' + port +': ' + ret[0] + '.');
proto_flags = ret[1][6];
if(isnull(proto_flags))
exit(1, 'Failed to get protocol flags in response received from service listening on port '+ port + '.');
flags = uint(proto_flags);
if(!(flags & 0x4))
exit(1, 'The service listening on port '+ port + ' does not appear to have enabled encryption. Protocol flags: ' + proto_flags +'.');
# HP DP is known to support TLSv1.0
cert = get_server_cert(port: port, socket: soc, encaps:ENCAPS_TLSv1, encoding:"der");
close(soc);
if (isnull(cert))
{
exit(1, 'Failed to get server certificate for service listening on port ' + port +'.');
}
cert = parse_der_cert(cert:cert);
if (isnull(cert))
{
exit(1, 'Failed to parse server certificate for service listening on port ' + port +'.');
}
cert = cert['tbsCertificate'];
n = cert['subjectPublicKeyInfo'][1][0];
e = cert['subjectPublicKeyInfo'][1][1];
if(isnull(n) || isnull(e))
{
exit(1, 'Failed to extract RSA public key from certificate for service listening on port ' + port +'.');
}
fixed_n = raw_string(
0x00, 0xA9, 0xC7, 0xD1, 0xA3, 0xBA, 0x5A, 0x84,
0xB3, 0xCA, 0x1D, 0xBB, 0x63, 0xA2, 0x4F, 0x6E,
0x45, 0x88, 0xF6, 0x01, 0x20, 0xE3, 0xDD, 0x2C,
0xAA, 0x66, 0x87, 0x0A, 0x0A, 0x77, 0xC1, 0xB7,
0x00, 0x52, 0x24, 0xD0, 0x43, 0xD8, 0xAB, 0x27,
0x60, 0x14, 0xC5, 0x97, 0xEF, 0x8C, 0x5E, 0x31,
0x23, 0xB2, 0xA8, 0x46, 0x95, 0x6C, 0xA0, 0x06,
0x04, 0x12, 0x13, 0xE3, 0x53, 0x85, 0x4D, 0x46,
0xD1
);
fixed_d = raw_string(
0x00, 0x96, 0x26, 0x20, 0x51, 0xC3, 0x12, 0x20,
0x7F, 0xFC, 0x44, 0x95, 0x1F, 0xC5, 0x40, 0xA8,
0x0E, 0x18, 0xD5, 0x2F, 0x24, 0x4E, 0x40, 0xA1,
0x2A, 0xC5, 0xE7, 0xB1, 0x4A, 0x96, 0xA4, 0x9B,
0xD8, 0xDD, 0x08, 0x3A, 0xCB, 0x95, 0x7F, 0xC5,
0x7D, 0xAB, 0x9F, 0x9A, 0x82, 0x29, 0xF8, 0x55,
0x3E, 0x1E, 0xE6, 0x9D, 0xDD, 0x3B, 0x96, 0x92,
0xF3, 0xFE, 0x43, 0xD5, 0x1D, 0x15, 0xD9, 0x2B,
0xED
);
if(e == '\x01\x00\x01' && n == fixed_n)
{
report =
'Nessus detected the following RSA modulus : ' +
'\n' +
'\n' + hexdump(ddata:fixed_n) +
'\nwith its corresponding private exponent being : '+
'\n' + hexdump(ddata:fixed_d)+
'\nwhich appears to be shared among multiple HP Data Protector installations.';
security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
}
else
audit(AUDIT_HOST_NOT, 'affected');
Vendor | Product | Version | CPE |
---|---|---|---|
hp | data_protector | cpe:/a:hp:data_protector |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.159 Low
EPSS
Percentile
96.0%