In association with heise online

15 August 2006, 11:17

HP OpenView Storage Data Protector allows code execution

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

A combination of vulnerabilities in HP's OpenView Storage Data Protector enables attackers to execute arbitrary program code on affected computers, even if they are not registered. HP has since released updates to close the hole, which was reported by the UK National Infrastructure Security Co-Ordination Centre (NISCC).

HP's OpenView Storage Data Protector is backup and recovery software that uses agents to control the client's computers. To do so, the central service on the server (cell manager) communicates with the agents using a proprietary protocol. By manipulating the data fields in the packets, attackers could send commands to the agent, even without prior registration.

The vulnerability affects HP OpenView Storage Data Protector 5.1 and 5.5 running on HP-UX, IBM AIX, Linux, Windows and Solaris. HP's security advisory offers links to the updates.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit