1. Advisory Information Title: Multiple vulnerabilities in HP Data Protector Advisory ID: CORE-2011-0514 Advisory URL: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities Date published: 2011-06-29 Date of last update: 2011-06-29 Vendors contacted: HP Release mode: Coordinated release 2. Vulnerability Information Class: Remote stack overflow [CWE-120], Null pointer dereference [CWE-476], Improper input validation [CWE-20] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515 3. Vulnerability Description HP Data Protector [1] is an automated backup and recovery software for single-server to enterprise environments. Multiple vulnerabilities have been found in HP Data Protector that could allow a remote attacker to execute arbitrary code and lead to denial of service conditions. The vulnerabilities are triggered by sending a request to port 5555 of a host running the "data protector inet" service, part of HP Data Protector. The request has several parameters, including an opcode. By sending requests with specially crafted parameters, the different bugs can be triggered. 4. Vulnerable packages HP OpenView Storage Data Protector v6.20 (running on Windows). HP OpenView Storage Data Protector v6.11 (running on Windows). HP OpenView Storage Data Protector v6.10 (running on Windows). HP OpenView Storage Data Protector v6.00 (running on Windows). Previous versions may be affected, but were not tested. 5. Non-vulnerable packages No fixes are available at the time of publication. 6. Vendor Information, Solutions and Workarounds HP has issued a security bulletin with document ID c02872182 available through HP Support Center at http://www.hp.com/go/HPSC. The latest version of HP Data Protector is vulnerable to these issues. HP has provided the following procedure to mitigate these vulnerabilities: Upgrade to Data Protector A.06.20 or subsequent. Enable encrypted control communication services on cell server and all clients in cell. The upgrade is available for download from http://hp.com/go/dataprotector then under 'Product Information' click on 'Trials and Demos'. 7. Credits This vulnerability was discovered by Oren Isacson from Core Security Technologies. Publication was coordinated by Carlos Sarraute.