Re: Vulnerability HP DataProtector A.06.20 Agents. (1369 Views)
Reply
Occasional Visitor
CaBeTuX
Posts: 1
Registered: ‎08-15-2012
Message 1 of 6 (3,210 Views)

Vulnerability HP DataProtector A.06.20 Agents.

HI,

 

I use metasploit community version: metasploit v4.5.0-dev [core:4.5 api:1.0] and exploit a servers with installed HP Dataprotector 06.20 agents.

 

In page of the exploit (http://www.metasploit.com/modules/exploit/linux/misc/hp_data_protector_cmd_exec) indicate "Exploit Targets": 0 - HP Data Protector 6.10/6.11 on Linux (default) but the version 06.20 is also vulnerable.

 

The version of HP DataProtector is

 

/opt/omni/bin/omnicc -version

HP Data Protector A.06.20: OMNICC, internal build 370, built on Fri 25 Feb 2011 08:43:42 PM ART

 

How to fix?

Trusted Contributor
jruffer
Posts: 184
Registered: ‎06-28-2011
Message 2 of 6 (3,202 Views)

Re: Vulnerability HP DataProtector A.06.20 Agents.

Hi,

 

I'd recommend Patch bundle 621 plus patches

DPLNX_00195 Core

DPLNX_00198 Disk Agent

DPLNX_00199 Media Agent

 

It may not fix the problem but would be a good idea anyway.

 

Regards

 

Jeremy

Honored Contributor
danielbraun
Posts: 735
Registered: ‎07-07-2010
Message 3 of 6 (3,173 Views)
Honored Contributor
Eemans Dany
Posts: 428
Registered: ‎08-12-2009
Message 4 of 6 (3,164 Views)

Re: Vulnerability HP DataProtector A.06.20 Agents.

Hi,

 

I had the same issue, but we had missed one importand setting.

That was enabling secure communications.

 

Security bullitin HP :

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143

 

RESOLUTION

HP has provided the following procedure to resolve these vulnerabilities.
1. Upgrade to Data Protector A.06.20 or subsequent
2. Enable encrypted control communication services

 

How to enable secure communications

 

Data Protector encrypted control communication helps preventing unauthorized access

to clients in Data Protector cell. Using the Data Protector GUI or the CLI, you can

remotely enable encrypted control communication for all clients in the Data Protector

cell.

To enable encrypted control communication from the CLI, run:

omnicc -encryption -enable

For details, see the omnicc man page or the HP Data Protector Command Line

Interface Reference.

IMPORTANT:

You can enable encrypted control communication only from the Cell Manager or any

client in the cell for which encrypted control communication is already enabled

 

How to enable encrypted control communication

To enable encrypted control communication, perform the following steps in the Data

Protector GUI:

NOTE:

You must first enable encrypted control communication on a Cell Manager then on the

clients in the cell.

1. In the Context List, click Clients.

2. In the Scoping Pane, expand Data Protector Cell and then Clients. All clients are

displayed.

3. Click the client that you want to modify.

4. In the Connection property page, select the Encrypted control communication

option.

5. In the Certificate Chain drop-down list, select the certificate.

6. In the Private Key drop-down list, select the private key.

7. In the Trusted Certificate drop-down list, select the trusted certificate.

8. Click Apply to save the changes.

To enable encrypted control communication for multiple clients, perform the following

steps in the Data Protector GUI:

1. In the Context List, click Clients.

2. In the Scoping Pane, expand Data Protector Cell and then Clients. All clients are

displayed.

3. Right-click the client from which you want to enable encrypted control

communication, and click Enable encrypted communication.

4. Select one or more clients for which you want to enable encrypted control

communication. Click Next.

5. In the Certificate Chain drop-down list, select the certificate.

6. In the Private Key drop-down list, select the private key.

7. In the Trusted Certificate drop-down list, select the trusted certificate.

8. Click Finish to save the changes.

 

We have implemented on Windows - Linux - Unix systems, running files services - SAP DB - Oracle DB - SQL DB without any issues.

 

Best pratics is test it befor implementing it.

 

Dany

Advisor
Jim_Lawson
Posts: 21
Registered: ‎02-27-2008
Message 5 of 6 (1,374 Views)

Re: Vulnerability HP DataProtector A.06.20 Agents.

In addition to enabling the encrypted communications, you should generate a new and unique set of keys.   The default keys are the same for every installation. They are copied straight from installation media and are not created during the install. 

 

It's only a matter of time before someone figures that out and updates the exploit script.

Trusted Contributor
Ken Krubsack
Posts: 351
Registered: ‎10-20-2009
Message 6 of 6 (1,369 Views)

Re: Vulnerability HP DataProtector A.06.20 Agents.

[ Edited ]

Jim,

 

The only problem with that idea (don't get me wrong, it's common sense and a good one) is that I seem to recall somewhere along the line in my two-year upgrade struggle with 6.2 and ECC (boy, 7.03 went a lot better!) I asked about using keys OTHER than the default and was told they either weren't supported or flat wouldn't work.

 

HP SUPPORT STAFF: Please confirm that recollection of mine or feel free to blow it out of the water.  Whichever is accurate.

 

Ken

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.