HP Fills Holes in Data Protector

Tuesday, April 26, 2016 @ 03:04 PM gHale


Hewlett Packard released critical security updates for its HP Data Protector software.

The release mitigates issues that could allow remote code execution or unauthorized disclosure of information.


HP Data Protector is automated backup and recovery software for environments ranging from a single server to the enterprise, and it can be deployed on Windows, Unix, and Linux operating systems.

There are six vulnerabilities in all, with CVE-2016-2004 through CVE-2016-2007 all considered critical.

HP shared no further details in the advisory accompanying the update, but a vulnerability note released by CERT/CC for CVE-2016-2004 said Data Protector does not authenticate users, even with Encrypted Control Communications enabled, which could allow an unauthenticated remote attacker to execute code on the server hosting the software.

Another problem is that Data Protector contains an embedded SSL private key, and the same key appears to be shared across all installations of Data Protector.

Because the key is not unique to an installation, an attacker who obtains it could perform man-in-the-middle attacks against the server hosting the software and potentially recover encrypted data.

All versions prior to 7.03_108, 8.15, and 9.06 are affected. HP said administrators should update to those versions as soon as possible.