HP Data Protector has multiple remote code execution vulnerabilities
Reporter | Title | Published | Views | Family All 86 |
---|---|---|---|---|
![]() | [security bulletin] HPSBMU02883 SSRT101227 rev.1 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code | 5 Jun 201300:00 | – | securityvulns |
![]() | HP Data Protector multiple security vulnerabilities | 5 Jun 201300:00 | – | securityvulns |
![]() | CVE-2013-2332 | 6 Jun 201313:02 | – | nvd |
![]() | CVE-2013-2328 | 6 Jun 201313:02 | – | nvd |
![]() | CVE-2013-2330 | 6 Jun 201313:02 | – | nvd |
![]() | CVE-2013-2329 | 6 Jun 201313:02 | – | nvd |
![]() | CVE-2013-2331 | 6 Jun 201313:02 | – | nvd |
![]() | CVE-2013-2333 | 6 Jun 201313:02 | – | nvd |
![]() | CVE-2013-2325 | 6 Jun 201313:02 | – | nvd |
![]() | CVE-2013-2334 | 6 Jun 201313:02 | – | nvd |
Source | Link |
---|---|
zerodayinitiative | www.zerodayinitiative.com/advisories/ZDI-13-128/ |
zerodayinitiative | www.zerodayinitiative.com/advisories/ZDI-13-161/ |
zerodayinitiative | www.zerodayinitiative.com/advisories/ZDI-13-126/ |
cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
zerodayinitiative | www.zerodayinitiative.com/advisories/ZDI-13-127/ |
cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
nessus | www.nessus.org/u |
cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(66849);
script_version("1.19");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id(
"CVE-2013-2324",
"CVE-2013-2325",
"CVE-2013-2326",
"CVE-2013-2327",
"CVE-2013-2328",
"CVE-2013-2329",
"CVE-2013-2330",
"CVE-2013-2331",
"CVE-2013-2332",
"CVE-2013-2333",
"CVE-2013-2334",
"CVE-2013-2335"
);
script_bugtraq_id(
60299,
60300,
60301,
60302,
60303,
60304,
60306,
60307,
60308,
60309,
60310,
60311
);
script_xref(name:"HP", value:"HPSBMU02883");
script_xref(name:"HP", value:"SSRT101227");
script_xref(name:"HP", value:"emr_na-c03781657");
script_xref(name:"EDB-ID", value:"28973");
script_name(english:"HP Data Protector Multiple RCE Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote backup service is affected by multiple remote code
execution vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its version and build number, the remote instance of HP
Data Protector is affected by multiple stack-based buffer overflow
conditions in crs.exe when parsing various opcodes. A remote,
unauthenticated attacker can exploit these to execute arbitrary code
in the context of the SYSTEM user or have other unspecified impact.");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-121/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-122/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-123/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-124/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-125/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-126/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-127/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-128/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-129/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-130/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-131/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-161/");
# https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03781657
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b4edd7f1");
script_set_attribute(attribute:"solution", value:
"Apply the relevant patches referenced in the HP advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'HP Data Protector Cell Request Service Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
script_set_attribute(attribute:"exploithub_sku", value:"EH-13-114");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/03");
script_set_attribute(attribute:"patch_publication_date", value:"2013/06/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/10");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:data_protector");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:storage_data_protector");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.");
script_dependencies("os_fingerprint.nasl", "ssh_get_info.nasl", "hp_data_protector_module_versions.nbin");
script_require_keys("Services/data_protector/cell_server/Version");
script_require_ports("Services/hp_openview_dataprotector", 5555);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
port = get_service(svc:'hp_openview_dataprotector', default:5555, exit_on_fail:TRUE);
version = get_kb_item_or_exit("Services/data_protector/cell_server/Version");
build = get_kb_item("Services/data_protector/cell_server/Build");
internal_build = get_kb_item("Services/data_protector/build");
if(isnull(internal_build)) internal_build = 0;
# unpatched module, major release (referred to as 'MR' by the vendor)
if(isnull(build)) build = 'MR';
# We need OS-specific info in order to reliably determine whether or
# not those systems are vulnerable
hpux_ver = get_kb_item("Host/HP-UX/version");
solaris_ver = get_kb_item("Host/Solaris/Version");
rh_release = get_kb_item("Host/RedHat/release");
sles_release = get_kb_item("Host/SuSE/release");
winver = get_kb_item("SMB/WindowsVersion");
winver1 = get_kb_item("Host/OS/smb");
if(isnull(winver) && !isnull(winver1))
{
item = eregmatch(pattern:" ([0-9.]+)$", string:winver1);
if(!isnull(item) && !isnull(item[1]))
winver = item[1];
}
if (
(isnull(hpux_ver) || hpux_ver == '') &&
(isnull(solaris_ver) || solaris_ver == '') &&
(isnull(rh_release) || rh_release == '') &&
(isnull(sles_release) || sles_release == '') &&
(isnull(winver) || winver == '')
) exit(1, "Unable to determine the operating system version running the HP Data Protector service listening on port "+port+".");
vulnerable = FALSE;
# Ignore anything that looks like DP for Unix since it's not mentioned in the
# advisory
if ('SSPUX' >< build)
vulnerable = FALSE;
else if ((version == "A.06.20" || version == "A.06.21") && internal_build < 408)
{
# unpatched version == build number (only HP-UX, Solaris, Windows,
# and RHEL affected)
if (
(
(hpux_ver && (hpux_ver == "11.11" || hpux_ver == "11.23" || hpux_ver =="11.31")) ||
(solaris_ver && (solaris_ver == "5.8" || solaris_ver == "5.9" || solaris_ver == "5.10")) ||
(rh_release && ('release 4' >< rh_release || 'release 5' >< rh_release)) ||
(winver && (winver == '5.2' || winver == '6.0'))
) && build == 'MR'
)
{
vulnerable = TRUE;
}
# HP-UX security patch (fixed in PHSS_43422)
else if (
hpux_ver &&
(hpux_ver == "11.11" || hpux_ver == "11.23" || hpux_ver == "11.31") &&
match = eregmatch(pattern:"PHSS_[0]*([1-9][0-9]*)", string:build)
)
{
build_num = int(match[1]);
if (build_num < 43422)
vulnerable = TRUE;
}
# linux security patch (fixed in DPLNX_00243)
else if (
(
(rh_release && ('release 4' >< rh_release || 'release 5' >< rh_release)) ||
(sles_release && ('SLES9' >< sles_release || 'SLES10' >< sles_release || 'SLES11' >< sles_release))
) &&
match = eregmatch(pattern:"DPLNX_[0]*([1-9][0-9]*)", string:build)
)
{
build_num = int(match[1]);
if (build_num < 243)
vulnerable = TRUE;
}
# solaris security patch (fixed in DPSOL_00510)
else if (
solaris_ver &&
(solaris_ver == "5.8" || solaris_ver == "5.9" || solaris_ver == "5.10") &&
match = eregmatch(pattern:"DPSOL_[0]*([1-9][0-9]*)", string:build))
{
build_num = int(match[1]);
if (build_num < 510)
vulnerable = TRUE;
}
# windows security patch (fixed in DPWIN_00632)
else if (
winver &&
(winver == '5.2' || winver == '6.0') &&
match = eregmatch(pattern:"DPWIN_[0]*([1-9][0-9]*)", string:build)
)
{
build_num = int(match[1]);
if (build_num < 632)
vulnerable = TRUE;
}
}
else if ((version == "A.07.00" || version == "A.07.01") && internal_build < 103)
{
# unpatched version == build number (only HP-UX, SLES, Windows,
# and RHEL affected)
if (
(
(hpux_ver && (hpux_ver == "11.11" || hpux_ver == "11.23") || hpux_ver =="11.31") ||
(sles_release && ('SLES9' >< sles_release || 'SLES10' >< sles_release || 'SLES11' >< sles_release)) ||
(rh_release && ('release 4' >< rh_release || 'release 5' >< rh_release)) ||
(winver && (winver == '5.2' || winver == '6.0'))
) && build == 'MR'
)
{
vulnerable = TRUE;
}
# linux security patch (fixed in DPLNX_00235)
else if (
(
(rh_release && ('release 4' >< rh_release || 'release 5' >< rh_release)) ||
(sles_release && ('SLES9' >< sles_release || 'SLES10' >< sles_release || 'SLES11' >< sles_release))
) &&
match = eregmatch(pattern:"DPLNX_[0]*([1-9][0-9]*)", string:build)
)
{
build_num = int(match[1]);
if (build_num < 235)
vulnerable = TRUE;
}
# HP-UX security patch (fixed in PHSS_43315)
else if (
hpux_ver &&
(hpux_ver == "11.11" || hpux_ver == "11.23" || hpux_ver == "11.31") &&
match = eregmatch(pattern:"PHSS_[0]*([1-9][0-9]*)", string:build)
)
{
build_num = int(match[1]);
if (build_num < 43315)
vulnerable = TRUE;
}
# Windows security patch (fixed in DPWIN_00624)
else if (
winver &&
(winver == '5.2' || winver == '6.0') &&
match = eregmatch(pattern:"DPWIN_[0]*([1-9][0-9]*)", string:build)
)
{
build_num = int(match[1]);
if (build_num < 624)
vulnerable = TRUE;
}
}
if (vulnerable)
{
if (report_verbosity > 0)
{
report = '\n Cell server version : '+version+
'\n Cell server build : '+build+
'\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
}
else
{
audit(AUDIT_LISTEN_NOT_VULN, "HP Data Protector Cell Server", port, version + "(build " + build + ")");
}
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo