Critical flaws in HP Data Protector open servers to remote attacks

Hewlett Packard has released critical security updates for its HP Data Protector software, which fix vulnerabilities that could allow remote code execution or unauthorized disclosure of information.

HP Data Protector software is automated backup and recovery software for single-server to enterprise environments, and can be set up on Windows, Unix, and Linux operating systems.

There are six vulnerabilities in all, with CVE-2016-2004 through CVE-2016-2007 all being considered critical.

HP shared no further details in the advisory accompanying the update, but a vulnerability note released by CERT/CC regarding CVE-2016-2004 explains that Data Protector does not authenticate users, even with Encrypted Control Communications enabled. This could allow an unauthenticated remote attacker to execute code on the server hosting the software.

Another problem is that Data Protector contains an embedded SSL private key, and this same key appears to be shared among all installations of Data Protector.

This increases the possibility that an attacker might be able to perform man-in-the-middle attacks against the server hosting the software, and that they may recover encrypted data.

Judging by the credits for the discovery of this particular flaw, it was unearthed and disclosed by two different researchers around the same time.

Impacted versions of the software are all versions prior to 7.03_108, 8.15, and 9.06, and admins are advised to update to those versions as soon as possible.
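
An added example (not HP's or CERT/CC's code) that triages a backup-server inventory against the fixed releases listed above. It assumes version strings use the article's notation (major.minor with an optional _build suffix); the host names and the sample inventory are constructed.

```python
import re

# Fixed releases named in the article, keyed by major version: (minor, build).
FIXED = {7: (3, 108), 8: (15, 0), 9: (6, 0)}

# Assumed notation, as written in the article: "7.03_108", "8.15", "9.06".
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)(?:_(\d+))?\s*$")


def parse_version(text):
    """Return (major, minor, build); a missing build suffix counts as 0."""
    match = _VERSION.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = match.groups()
    return int(major), int(minor), int(build or 0)


def needs_update(text):
    """True if the version is prior to the fixed release of its branch."""
    major, minor, build = parse_version(text)
    if major < min(FIXED):
        return True   # older than every fixed branch
    if major not in FIXED:
        return False  # assumption: later branches postdate the fixes
    return (minor, build) < FIXED[major]


def triage(inventory):
    """Split hosts into (needs update, version unreadable), sorted by host."""
    vulnerable, unknown = [], []
    for host, version in sorted(inventory.items()):
        try:
            if needs_update(version):
                vulnerable.append(host)
        except ValueError:
            unknown.append(host)  # review by hand, do not assume patched
    return vulnerable, unknown


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "backup-01": "7.03_105", "backup-02": "7.03_108",
    "backup-03": "8.14",     "backup-04": "8.15",
    "backup-05": "9.05",     "backup-06": "9.06",
    "backup-07": "6.20",     "backup-08": "not reported",
}

if __name__ == "__main__":
    vulnerable, unknown = triage(SAMPLE_INVENTORY)
    print("update required:", ", ".join(vulnerable))
    print("manual review:  ", ", ".join(unknown))
```

A 7.03 version reported without its build suffix is treated as build 0 and therefore flagged, which errs on the side of updating.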
