-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2011.0123.2
    Multiple remote code execution vulnerabilities in HP Data Protector
                              8 February 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Data Protector
Publisher:         Zero Day Initiative
Operating System:  HP-UX
                   AIX
                   Solaris
                   Windows
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        None

Original Bulletin:
   http://www.zerodayinitiative.com/advisories/ZDI-11-054/
   http://www.zerodayinitiative.com/advisories/ZDI-11-055/
   http://www.zerodayinitiative.com/advisories/ZDI-11-056/
   http://www.zerodayinitiative.com/advisories/ZDI-11-057/

Comment: This bulletin contains four (4) Zero Day Initiative security
         advisories.

Revision History:  February 8 2011: Corrected Original Bulletin URL
                   February 8 2011: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Remote Code
Execution Vulnerability

ZDI-11-054: February 7th, 2011

CVSS Score

    10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors

    Hewlett-Packard

Affected Products

    Data Protector

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 6798.
For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows an attacker to execute remote code on vulnerable
installations of the Hewlett-Packard Data Protector client. User
interaction is not required to exploit this vulnerability.

The specific flaw exists within the filtering of the EXEC_CMD command. The
Data Protector client only verifies file names, not their contents.
By supplying malicious code within specific script files, arbitrary code
execution is possible under the context of the current user.

Vendor Response

Hewlett-Packard states:

Disclosure Timeline

    2009-01-26 - Vulnerability reported to vendor
    2011-02-07 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    Anonymous

- -------------------------------------------------------------------------------

Hewlett-Packard Data Protector Client EXEC_CMD Perl Remote Code Execution
Vulnerability

ZDI-11-055: February 7th, 2011

CVSS Score

    10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors

    Hewlett-Packard

Affected Products

    Data Protector

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 8063.
For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows an attacker to execute remote code on vulnerable
installations of the Hewlett-Packard Data Protector client. User
interaction is not required to exploit this vulnerability.

The specific flaw exists within the filtering of arguments to the EXEC_CMD
command. The Data Protector client allows remote connections to execute
files within its local bin directory. By supplying maliciously crafted
input to the EXEC_CMD a remote attacker can interact with a Perl
interpreter and execute arbitrary code under the context of the current
user.

Vendor Response

Hewlett-Packard states:

Disclosure Timeline

    2009-01-26 - Vulnerability reported to vendor
    2011-02-07 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    Anonymous

- -------------------------------------------------------------------------------

Hewlett-Packard Data Protector Client EXEC_SETUP Remote Code Execution
Vulnerability

ZDI-11-056: February 7th, 2011

CVSS Score

    10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors

    Hewlett-Packard

Affected Products

    Data Protector

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 8050.
For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows an attacker to execute remote code on vulnerable
installations of the Hewlett-Packard Data Protector client. User
interaction is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the EXEC_SETUP
command. This command instructs a Data Protector client to download and
execute a setup file. A malicious attacker can instruct the client to
access a file off of a share thus executing arbitrary code under the
context of the current user.

Vendor Response

Hewlett-Packard states:

Disclosure Timeline

    2009-01-26 - Vulnerability reported to vendor
    2011-02-07 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    Anonymous

- -------------------------------------------------------------------------------

Hewlett-Packard Data Protector Cell Manager Service Authentication Bypass
Vulnerability

ZDI-11-057: February 7th, 2011

CVSS Score

    10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors

    Hewlett-Packard

Affected Products

    Data Protector

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 6799.
For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows an attacker to execute remote code on vulnerable
installations of Hewlett-Packard Data Protector. User interaction is not
required to exploit this vulnerability.

The specific flaw exists within the Cell Manager Service which listens by
default on a random TCP port. The crs.exe process fails to properly
validate supplied username, domain, and hostname credentials. A remote
attacker can leverage this flaw to execute code on all Data Protector
clients.

Vendor Response

Hewlett-Packard states:

Disclosure Timeline

    2009-01-26 - Vulnerability reported to vendor
    2011-02-07 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    Anonymous

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNUKaj/iFOrG6YcBERAihTAKC9cMXCmk/IozbDRXVDb8jNyHOpWgCfWOFy
HL9VWWUrVAEmTdklPiik00Y=
=9dMr
-----END PGP SIGNATURE-----
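
ZDI-11-054 describes a client that verifies file names but not contents, and ZDI-11-055 describes weak filtering of arguments. The following added example is not part of the bulletin and is not HP's code: it compares a name-only check with a hardened check that also pins the script's SHA-256 digest, confines it to the bin directory and validates arguments. The allowlist, the `SAFE_ARG` grammar and the script contents are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical argument grammar: short tokens, no shell metacharacters.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.=-]{1,64}$")


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def name_only_check(bin_dir, name, allowed) -> bool:
    """Weak form described in ZDI-11-054: only the file name is verified."""
    return name in allowed and (bin_dir / name).is_file()


def hardened_check(bin_dir, name, args, allowed) -> bool:
    """Name allowlist, path containment, pinned digest, argument grammar."""
    if name not in allowed:
        return False
    target = (bin_dir / name).resolve()
    if target.parent != bin_dir.resolve() or not target.is_file():
        return False  # symlink or traversal out of the bin directory
    if sha256_file(target) != allowed[name]:
        return False  # contents differ from the vetted version
    return all(SAFE_ARG.fullmatch(a) for a in args)


def demo() -> dict:
    """Constructed scenario: a vetted script is later overwritten on disk."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d)
        script = bin_dir / "omni_chk_ds.sh"  # name from the advisory title
        script.write_text("#!/bin/sh\necho datastore ok\n")  # constructed
        allowed = {script.name: sha256_file(script)}  # hypothetical allowlist
        results = {
            "hardened_before": hardened_check(bin_dir, script.name, ["-v"], allowed),
            "bad_arg": hardened_check(bin_dir, script.name, ["-e", "x;y"], allowed),
        }
        script.write_text("#!/bin/sh\necho modified\n")  # constructed change
        results["weak_after"] = name_only_check(bin_dir, script.name, allowed)
        results["hardened_after"] = hardened_check(bin_dir, script.name, ["-v"], allowed)
        return results


if __name__ == "__main__":
    print(demo())
```

A digest check still races with any writer between the check and execution, so the bin directory should also be writable only by the installing account.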