|CVSS SCORE|7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)|
|TREND MICRO CUSTOMER PROTECTION|Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 13680. For further product information on the TippingPoint IPS: http://www.tippingpoint.com|
The specific flaw exists within crs.exe, which listens by default on a random TCP port. When parsing opcode 1091, the process is vulnerable to directory traversal leading to creation of an arbitrary file. A remote attacker can chain this with another vulnerability to execute remote code under the context of the user running Data Protector.
03/07/2014 - Disclosed to vendor
-- Vendor Mitigation:
You can enable the encrypted control communication from the command line as root by doing the following:
# omnicc -encryption -enable
You can read up on the capability on page 145 of the User Guide. That guide is a PDF file, and is found in /opt/omni/doc/C
If you have further questions regarding enabling ECC on Data Protector, open a support call with the appropriate product specialists.
Given the stated purpose of Data Protector, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP Data Protector service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
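One way to apply the restriction described above with the native Windows Firewall, as an added example that is not part of the original advisory or vendor guidance. Because crs.exe listens on a random TCP port, the rule is scoped to the program instead of a port number. The crs.exe path and the trusted addresses are assumptions (a placeholder and constructed sample values), and the script assumes the NetSecurity PowerShell module (Windows 8 / Server 2012 or later).

```powershell
# Assumptions (not from the advisory): install path and trusted peer list.
$CrsPath = 'C:\<DataProtector-install-dir>\bin\crs.exe'   # placeholder, set to the real path
$Trusted = @('192.0.2.10', '192.0.2.11')                  # constructed sample addresses

# 1. Find enabled inbound allow rules that are bound to crs.exe.
$rules = Get-NetFirewallApplicationFilter -Program $CrsPath -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

# 2. Narrow any rule that currently accepts connections from every remote address.
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Output "Restricting '$($rule.DisplayName)' (was: Any)"
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $Trusted
    }
}

# 3. If no program rule exists yet, create one limited to the trusted peers.
if (-not $rules) {
    New-NetFirewallRule -DisplayName 'Data Protector CRS - trusted peers only' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -Program $CrsPath -RemoteAddress $Trusted | Out-Null
}

# 4. The allow-list only helps if unmatched inbound traffic is blocked and the
#    firewall is on for every profile; review the output of this check.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 5. Verify: list every rule for crs.exe with its effective remote scope.
Get-NetFirewallApplicationFilter -Program $CrsPath -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Action        = $_.Action
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
```

Broad rules that are not bound to a program (for example, one that allows all inbound TCP) can still admit traffic to crs.exe, so review those separately.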