{"vuid":"VU#267328","idnumber":"267328","name":"HP Data Protector does not perform authentication and contains an embedded SSL private key","keywords":["hp","authentication","encryption","hard-coded","SSL","key"],"overview":"The HP Data Protector does not perform user authentication, even when Encrypted Control Communications is enabled, and contains an embedded SSL private key that is shared among all installations.","clean_desc":"CWE-306: Missing Authentication for Critical Function - CVE-2016-2004. Data Protector does not authenticate users, even with Encrypted Control Communications enabled. An unauthenticated remote attacker may be able to execute code on the server hosting Data Protector. CWE-321: Use of Hard-coded Cryptographic Key. Data Protector contains an embedded SSL private key. This private key appears to be shared among all installations of Data Protector. Data Protector versions 7, 8, and 9 are affected; other versions may also be impacted.","impact":"An unauthenticated remote attacker may be able to execute code on the server, or perform man-in-the-middle attacks against the server.","resolution":"Apply an update: HP has released updates to Data Protector versions 7, 8, and 9 to address these issues. Affected users may consider the following workaround:","workarounds":"Restrict Network Access: As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.","sysaffected":"","thanks":"Thanks to Ian Lovering for reporting this vulnerability.","author":"This document was written by Garret Wassermann.","public":["https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988"],"cveids":["CVE-2016-2004"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2015-11-05T17:11:18Z","publicdate":"2016-04-18T00:00:00Z","datefirstpublished":"2016-04-22T16:56:16Z","dateupdated":"2016-04-22T16:56:17Z","revision":38,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"9.3","cvss_basevector":"AV:N/AC:M/Au:N/C:C/I:C/A:C","cvss_temporalscore":"8.4","cvss_environmentalscore":"6.299215776","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}