HP Data Protector missing authentication

2016-05-31T00:00:00
ID SAINT:8D403D319E92FF73D161228DA926879A
Type saint
Reporter SAINT Corporation
Modified 2016-05-31T00:00:00

Description

Added: 05/31/2016
CVE: CVE-2016-2004

Background

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments.

Problem

Data Protector does not authenticate users, even with Encrypted Control Communications enabled. This could allow an unauthenticated remote attacker to execute code on the server.

Resolution

Upgrade to HP Data Protector 7.03_108, 8.15, or 9.06, or to a higher version.

References

<http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988>
<http://www.kb.cert.org/vuls/id/267328>

Limitations

The exploit works on HP Data Protector A.09.00 (Internal Build version 88) and A.07.