HP Data Protector does not perform user authentication, even when Encrypted Control Communications is enabled, and contains an embedded SSL private key that is shared among all installations.

Missing Authentication for Critical Function: Data Protector does not authenticate users, even with Encrypted Control Communications enabled. An unauthenticated remote attacker may be able to execute code on the server hosting Data Protector.

Use of Hard-coded Cryptographic Key: Data Protector contains an embedded SSL private key. This private key appears to be shared among all installations of Data Protector. Data Protector versions 7, 8, and 9 are affected; other versions may also be impacted.

Impact: An unauthenticated remote attacker may be able to execute code on the server, or perform man-in-the-middle attacks against the server.

Solution: Apply an update. HP has released updates to Data Protector versions 7, 8, and 9 to address these issues. Affected users may consider the following workaround:

Restrict Network Access: As a general good security practice, only allow connections from trusted hosts and networks.

How large a threat do these Data Protector flaws pose to CISOs in private sector and government organizations? Share your assessment with the Cloud and Cyber Security Center:
http://cloudandcybersecurity.blogspot.com/
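One way a defender can verify the shared-key problem described above on their own estate is to collect the certificate each Data Protector host presents and compare fingerprints: if two servers present the same certificate, they hold the same private key, and a compromise of one exposes the other to the man-in-the-middle impact noted above. The script below is an added example for this post, not code from HP, CERT, or the blog. It assumes certificates have already been gathered into PEM text per host (for example with `openssl s_client -showcerts` against each server; the Data Protector listening port is not stated in this post, so treat whatever port you use as an assumption). The sample "certificates" are constructed base64 blobs, not real X.509 data, so the comparison logic can be exercised offline.

```python
"""Flag hosts that present an identical certificate (hence an identical private key).

Added example, not part of the original post. Sample data below is constructed.
"""
import base64
import binascii
import hashlib
import re
from collections import defaultdict

# Matches the first PEM certificate block; DOTALL so the body may span lines.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in PEM text.

    Line wrapping and surrounding whitespace are stripped first, so the same
    certificate captured by different tools yields identical DER.
    """
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    body = re.sub(r"\s+", "", match.group(1))
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed PEM body: {exc}") from exc


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the certificate's DER encoding (hex)."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def find_shared_certs(certs_by_host: dict) -> tuple:
    """Group hosts by certificate fingerprint.

    Returns (shared, unreadable): `shared` maps a fingerprint to the sorted list
    of hosts presenting it (only groups of two or more), and `unreadable` lists
    hosts whose captured data could not be parsed, so a bad capture is reported
    rather than silently treated as "unique".
    """
    groups = defaultdict(list)
    unreadable = []
    for host, pem in certs_by_host.items():
        try:
            groups[fingerprint(pem)].append(host)
        except ValueError:
            unreadable.append(host)
    shared = {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}
    return shared, sorted(unreadable)


def _wrap_pem(der: bytes, width: int = 64) -> str:
    """Build a PEM block from bytes, wrapped at `width` like openssl output."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample captures: not real certificates. backup-01 and backup-02
# present the same bytes (one capture is wrapped narrowly and indented to show
# that formatting differences do not defeat the comparison); backup-03 differs;
# backup-04 is a garbled capture.
_CERT_A = b"constructed-certificate-A-shared-by-two-hosts"
_CERT_B = b"constructed-certificate-B-unique"
SAMPLE_CERTS = {
    "backup-01": _wrap_pem(_CERT_A),
    "backup-02": "  " + _wrap_pem(_CERT_A, width=16).replace("\n", "\n  "),
    "backup-03": _wrap_pem(_CERT_B),
    "backup-04": "-----BEGIN CERTIFICATE-----\nnot*base64!\n-----END CERTIFICATE-----\n",
}


def audit(certs_by_host: dict = SAMPLE_CERTS) -> tuple:
    """Run the comparison and return (shared, unreadable) for the given captures."""
    return find_shared_certs(certs_by_host)


if __name__ == "__main__":
    shared, unreadable = audit()
    for fp, hosts in shared.items():
        print(f"SHARED KEY RISK {fp[:16]}...: {', '.join(hosts)}")
    for host in unreadable:
        print(f"could not parse capture from {host}")
```

In a real run, replace SAMPLE_CERTS with the PEM text captured from each server; any group reported under "SHARED KEY RISK" is a set of hosts for which the update HP released (or, failing that, the network restriction workaround) should be prioritised together, since they cannot be treated as independently keyed.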