Category:   Application (Generic)  >   HP Data Protector Express
Vendors:   HP (Compaq)
HP Data Protector Express Bugs Let Remote Users Deny Service and Execute Arbitrary Code
SecurityTracker Alert ID:  1026796
SecurityTracker URL:  http://securitytracker.com/id/1026796
CVE Reference:   CVE-2012-0121, CVE-2012-0122, CVE-2012-0123, CVE-2012-0124
Date:  Mar 13 2012
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0.00 prior to build 59287, 6.0.00 prior to build 11974
Description:   Several vulnerabilities were reported in HP Data Protector Express. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions.

A remote user can send specially crafted data to execute arbitrary code or cause denial of service conditions on the target system.

e6af8de8b1d4b2b6d5ba2610cbf9cd38 (via TippingPoint), Aaron Portnoy of TippingPoint, Juan Vazquez, and BeyondSecurity.com reported these vulnerabilities.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

Solution:   The vendor has issued a fix (5.0.01 build 70262, 6.0.01 build 13958).

The vendor's advisory is available at:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03229235

Vendor URL:  h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03229235
Cause:   Not specified
Underlying OS:   Linux (Red Hat Enterprise), Linux (SuSE), Windows (Any)

Message History:   None.
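
Added example (not part of the SecurityTracker entry or HP's bulletin): a triage check that sorts an inventory of Data Protector Express installs against the affected and fixed builds listed above. The inventory string format, the status names and the hostnames are assumptions made for illustration; treating any release later than the fixed one as fixed is also an assumption.

```python
import re

# Build thresholds taken from the advisory, keyed by release branch.
# Values are (patch level, build number).
BULLETIN = {
    (5, 0): {"affected_below": (0, 59287), "fixed_from": (1, 70262)},
    (6, 0): {"affected_below": (0, 11974), "fixed_from": (1, 13958)},
}

# Assumed inventory string format (not an HP format): "<x>.<y>.<zz> build <n>",
# transcribed by hand from the Help > About dialog.
ENTRY = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+build\s+(\d+)\s*$", re.IGNORECASE)

def classify(about):
    """Return a triage status for one version string."""
    m = ENTRY.match(about)
    if not m:
        return "unparsed"
    major, minor, patch, build = map(int, m.groups())
    limits = BULLETIN.get((major, minor))
    if limits is None:
        return "not-covered"        # branch not mentioned in the bulletin
    if (patch, build) >= limits["fixed_from"]:
        return "fixed"              # assumption: later releases keep the fix
    aff_patch, aff_build = limits["affected_below"]
    if patch == aff_patch and build < aff_build:
        return "affected"
    return "below-fixed-build"      # not listed as affected, but older than the fix

PRIORITY = ["affected", "below-fixed-build", "unparsed"]

def upgrade_queue(inventory):
    """Hosts that need action, most urgent status first."""
    statuses = [(classify(about), host) for host, about in inventory]
    flagged = sorted((PRIORITY.index(s), h) for s, h in statuses if s in PRIORITY)
    return [host for _, host in flagged]

# Constructed sample inventory (hostnames and build numbers are made up).
INVENTORY = [
    ("backup01", "5.0.00 build 58000"),
    ("backup02", "5.0.01 build 70262"),
    ("backup03", "6.0.00 build 11974"),
    ("backup04", "6.0.01 build 14000"),
    ("backup05", "4.0.00 build 100"),
    ("backup06", "6.0 (unknown)"),
]

if __name__ == "__main__":
    for host, about in INVENTORY:
        print(f"{host:10} {about:22} {classify(about)}")
    print("upgrade queue:", upgrade_queue(INVENTORY))
```

Installs that land in "below-fixed-build" fall between the affected range and the vendor's fixed build; the advisory does not list them as affected, so they are queued after the confirmed-affected hosts rather than cleared.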


 Source Message Contents

Date:  Mon, 12 Mar 2012 22:47:27 -0400 (EDT)
Subject:  [security bulletin] HPSBMU02746 SSRT100781 rev.1 - HP Data Protector Express, Remote Denial of Service (DoS), Execution of Arbitrary Code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03229235
Version: 1

HPSBMU02746 SSRT100781 rev.1 - HP Data Protector Express, Remote Denial of Service (DoS), Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-03-12
Last Updated: 2012-03-12

 ------------------------------------------------------------------------------

Potential Security Impact: Remote Denial of Service (DoS), execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Data Protector Express (DPX) 5.0 and 6.0. The vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to execute arbitrary code.

References: CVE-2012-0121, ZDI-CAN-1392; CVE-2012-0122, ZDI-CAN-1393; CVE-2012-0123, ZDI-CAN-1498; and CVE-2012-0124

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Data Protector Express (DPX) 5.0.00 prior to build 59287
HP Data Protector Express (DPX) 6.0.00 prior to build 11974

Note: DPX users can identify the build number by clicking on 'Help' and then 'About'.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2012-0121    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2012-0122    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2012-0123    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2012-0124    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks e6af8de8b1d4b2b6d5ba2610cbf9cd38 working with TippingPoint for reporting CVE-2012-0123 to security-alert@hp.com
The Hewlett-Packard Company thanks Aaron Portnoy of TippingPoint for reporting CVE-2012-0121 and CVE-2012-0122 to security-alert@hp.com
The Hewlett-Packard Company thanks Juan Vazquez along with BeyondSecurity.com for reporting CVE-2012-0124 to security-alert@hp.com

RESOLUTION

HP has provided upgrades to resolve these vulnerabilities.

For Installations Running Data Protector Express 6.0

Microsoft Windows, Linux (see Compatibility Matrix link below)
 Install HP Data Protector Express 6.0.01 build 13958 or later, available here:
http://h20000.www2.hp.com/bizsupport/TechSupport/ProductList.jsp?prodSeriesId=1144272

For Installations Running Data Protector Express 5.0

Microsoft Windows, Linux (see Compatibility Matrix link below)
 Install HP Data Protector Express 5.0.01 build 70262 or later, available here:
http://h20000.www2.hp.com/bizsupport/TechSupport/ProductList.jsp?prodSeriesId=1144272

The HP Data Protector Express Compatibility Matrix provides information about the operating systems, applications, and backup devices tested by HP to be compatible with Data Protector Express and Data Protector Express Basic. See http://h18006.www1.hp.com/products/storage/software/datapexp/pdf/DPXMatrix_1109.pdf

Note: For questions about upgrading Data Protector Express, contact HP Services and Support.

HISTORY
Version:1 (rev.1) 12 March 2012 Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk9etOEACgkQ4B86/C0qfVlpSwCfdUeJOCp+RNZiU6ayWyBG3qST
hRwAoKRu/WeO2sMekCxqdaI7IuW9717H
=+Y3r
-----END PGP SIGNATURE-----
 
 



Copyright 2013, SecurityGlobal.net LLC