Operating System:

[WIN][LINUX][HP-UX][Solaris][AIX]

Published:

08 February 2011

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2011.0123.2 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2011.0123.2
    Multiple remote code execution vulnerabilities in HP Data Protector
                              8 February 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Data Protector
Publisher:         Zero Day Initiative
Operating System:  HP-UX
                   AIX
                   Solaris
                   Windows
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        None

Original Bulletin: 
   http://www.zerodayinitiative.com/advisories/ZDI-11-054/
   http://www.zerodayinitiative.com/advisories/ZDI-11-055/
   http://www.zerodayinitiative.com/advisories/ZDI-11-056/
   http://www.zerodayinitiative.com/advisories/ZDI-11-057/

Comment: This bulletin contains four (4) Zero Day Initiative security 
         advisories.

Revision History:  February 8 2011: Corrected Original Bulletin URL
                   February 8 2011: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Remote Code
Execution Vulnerability

   ZDI-11-054: February 7th, 2011

CVSS Score

   10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors

   Hewlett-Packard

Affected Products

   Data Protector

TippingPoint(TM) IPS Customer Protection

   TippingPoint IPS customers are protected against this vulnerability by
   Digital Vaccine protection filter ID 6798. For further product
   information on the TippingPoint IPS:
   http://www.tippingpoint.com

Vulnerability Details

   This vulnerability allows an attacker to execute remote code on
   vulnerable installations of the Hewlett-Packard Data Protector client.
   User interaction is not required to exploit this vulnerability.

   The specific flaw exists within the filtering of the EXEC_CMD command.
   The Data Protector client only verifies file names, not their
   contents. By supplying malicious code within specific script files,
   arbitrary code execution is possible under the context of the current
   user.

Vendor Response

   Hewlett-Packard states:

Disclosure Timeline

   2009-01-26 - Vulnerability reported to vendor
   2011-02-07 - Coordinated public release of advisory

Credit

   This vulnerability was discovered by:
   Anonymous

- -------------------------------------------------------------------------------

Hewlett-Packard Data Protector Client EXEC_CMD Perl Remote Code Execution
Vulnerability

   ZDI-11-055: February 7th, 2011

CVSS Score

   10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors

   Hewlett-Packard

Affected Products

   Data Protector

TippingPoint(TM) IPS Customer Protection

   TippingPoint IPS customers are protected against this vulnerability by
   Digital Vaccine protection filter ID 8063. For further product
   information on the TippingPoint IPS:
   http://www.tippingpoint.com

Vulnerability Details

   This vulnerability allows an attacker to execute remote code on
   vulnerable installations of the Hewlett-Packard Data Protector client.
   User interaction is not required to exploit this vulnerability.

   The specific flaw exists within the filtering of arguments to the
   EXEC_CMD command. The Data Protector client allows remote connections
   to execute files within it's local bin directory. By supplying
   maliciously crafted input to the EXEC_CMD a remote attacker can
   interact with a Perl interpreter and execute arbitrary code under the
   context of the current user.

Vendor Response

   Hewlett-Packard states:

Disclosure Timeline

   2009-01-26 - Vulnerability reported to vendor
   2011-02-07 - Coordinated public release of advisory

Credit

   This vulnerability was discovered by:
   Anonymous

- -------------------------------------------------------------------------------

Hewlett-Packard Data Protector Client EXEC_SETUP Remote Code Execution
Vulnerability

   ZDI-11-056: February 7th, 2011

CVSS Score

   10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors

   Hewlett-Packard

Affected Products

   Data Protector

TippingPoint(TM) IPS Customer Protection

   TippingPoint IPS customers are protected against this vulnerability by
   Digital Vaccine protection filter ID 8050. For further product
   information on the TippingPoint IPS:
   http://www.tippingpoint.com

Vulnerability Details

   This vulnerability allows an attacker to execute remote code on
   vulnerable installations of the Hewlett-Packard Data Protector client.
   User interaction is not required to exploit this vulnerability.

   The specific flaw exists within the implementation of the EXEC_SETUP
   command. This command instructs a Data Protector client to download
   and execute a setup file. A malicious attacker can instruct the client
   to access a file off of a share thus executing arbitrary code under
   the context of the current user.

Vendor Response

   Hewlett-Packard states:

Disclosure Timeline

   2009-01-26 - Vulnerability reported to vendor
   2011-02-07 - Coordinated public release of advisory

Credit

   This vulnerability was discovered by:
   Anonymous

- -------------------------------------------------------------------------------

Hewlett-Packard Data Protector Cell Manager Service Authentication Bypass
Vulnerability

   ZDI-11-057: February 7th, 2011

CVSS Score

   10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors

   Hewlett-Packard

Affected Products

   Data Protector

TippingPoint(TM) IPS Customer Protection

   TippingPoint IPS customers are protected against this vulnerability by
   Digital Vaccine protection filter ID 6799. For further product
   information on the TippingPoint IPS:
   http://www.tippingpoint.com

Vulnerability Details

   This vulnerability allows an attacker to execute remote code on
   vulnerable installations of Hewlett-Packard Data Protector. User
   interaction is not required to exploit this vulnerability.

   The specific flaw exists within the Cell Manager Service which listens
   by default on a random TCP port. The crs.exe process fails to properly
   validate supplied username, domain, and hostname credentials. A remote
   attacker can leverage this flaw to execute code on all Data Protector
   clients.

Vendor Response

   Hewlett-Packard states:

Disclosure Timeline

   2009-01-26 - Vulnerability reported to vendor
   2011-02-07 - Coordinated public release of advisory

Credit

   This vulnerability was discovered by:
   Anonymous

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNUKaj/iFOrG6YcBERAihTAKC9cMXCmk/IozbDRXVDb8jNyHOpWgCfWOFy
HL9VWWUrVAEmTdklPiik00Y=
=9dMr
-----END PGP SIGNATURE-----