cbcvebase.
CVE-2016-2004
published 2016-04-21


Priority: P1 · 82 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 94.30% (99.8th percentile)
HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623.

Affected

3 ranges

Vendor  Product         Version range        Fixed in
hp      data_protector  >= 7.0 < 7.03_108    7.03_108
hp      data_protector  >= 8.0 < 8.15        8.15
hp      data_protector  >= 9.0 < 9.06        9.06

Detection & IOCs (extracted from sources)

port: 5555
hex: 00000034320001010101010100010001000100010100203238005c7065726c2e65786500202d6573797374656d282777686f616d69272900
bytes: 00000034fffe3900000020006e007400200061007500740068006f0072006900740079005c00730079007300740065006d000a0000000000
  • Detect CVE-2016-2004 exploitation attempts by monitoring TCP port 5555 for the HP Data Protector encryption initialisation byte sequence starting with \x00\x00\x00\x48\xff\xfe followed by a TLS/SSL handshake upgrade on the same connection.
  • After the encryption init handshake, the exploit upgrades the socket to TLS (SSLv23/ALL ciphers, no cert verification) on the same TCP port 5555 connection; a plaintext init packet immediately followed by a TLS ClientHello on port 5555 is a strong indicator of exploitation.
  • The Metasploit module delivers a PowerShell-encoded payload via perl.exe -esystem(); monitor for perl.exe spawning PowerShell or cmd.exe as a child process on Data Protector agent hosts.
  • The Nuclei template matches a successful exploitation response by looking for the hex pattern '00000034fffe39...6e00740020006100750074...5c00730079007300740065006d000a' (NT AUTHORITY\SYSTEM in UTF-16LE) on port 5555.
  • CVE-2016-2004 is an incomplete fix for CVE-2014-2623; patching CVE-2014-2623 alone is insufficient. The specific version thresholds are 7.03_108, 8.15, and 9.06.
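The two network indicators in the notes above, turned into detection logic over captured connection bytes. This is an added example, not code from the cbcvebase page nor from any Nuclei template or Metasploit module. It assumes the 4-byte big-endian length framing that both 56-byte samples above exhibit (a 0x34 prefix followed by 52 bytes); the client-side sample stream is constructed, and the server-side sample is the response hex quoted above (the UTF-16LE output of whoami).

```python
import re

# Indicator constants taken from the detection notes above.
INIT_PREFIX = bytes.fromhex("00000048fffe")   # 4-byte length 0x48, then UTF-16LE BOM
TLS_HANDSHAKE = 0x16                           # TLS record content type "handshake"
CLIENT_HELLO = 0x01                            # handshake message type ClientHello

# Server->client sample: the response hex quoted on this page, a 4-byte
# big-endian length (0x34 = 52) followed by a BOM and UTF-16LE text.
SAMPLE_RESPONSE = bytes.fromhex(
    "00000034fffe3900000020006e007400200061007500740068006f0072006900"
    "740079005c00730079007300740065006d000a0000000000"
)

# Client->server sample (constructed, not captured): a 72-byte init frame
# followed immediately by a minimal TLS 1.0 record carrying a ClientHello.
SAMPLE_INIT = INIT_PREFIX + b"\x00" * 70
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002a010000260303") + b"\x00" * 36


def split_frame(data: bytes):
    """Split one 4-byte big-endian length-prefixed frame off `data`.

    Assumption: both samples on this page carry a 0x34 prefix followed by
    exactly 52 bytes, so that framing is treated as general here.
    Returns (payload, rest), or (None, data) if the frame is incomplete.
    """
    if len(data) < 4:
        return None, data
    n = int.from_bytes(data[:4], "big")
    if len(data) < 4 + n:
        return None, data
    return data[4:4 + n], data[4 + n:]


def is_tls_client_hello(data: bytes) -> bool:
    """True if `data` begins with a TLS record whose first handshake
    message is a ClientHello (content type 0x16, version 3.x, type 0x01)."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x03:
        return False
    return data[5] == CLIENT_HELLO


def detect_init_then_tls(client_stream: bytes) -> bool:
    """Indicator 1: a plaintext encryption-init frame starting
    00 00 00 48 ff fe, immediately followed on the same connection by a
    TLS ClientHello (the socket upgrade described in the notes)."""
    if not client_stream.startswith(INIT_PREFIX):
        return False
    payload, rest = split_frame(client_stream)
    return payload is not None and is_tls_client_hello(rest)


def detect_system_whoami(server_stream: bytes) -> bool:
    """Indicator 2: a response frame whose UTF-16LE text contains
    'nt authority\\system' (matched case-insensitively, since whoami
    prints it in lower case, as the sample bytes show)."""
    payload, _ = split_frame(server_stream)
    if payload is None or not payload.startswith(b"\xff\xfe"):
        return False
    text = payload[2:].decode("utf-16-le", errors="replace")
    return re.search(r"nt authority\\system", text, re.IGNORECASE) is not None


def scan_connection(client_stream: bytes, server_stream: bytes) -> list:
    """Run both indicators over one captured port-5555 connection and
    return the names of those that fired (empty list means nothing seen)."""
    hits = []
    if detect_init_then_tls(client_stream):
        hits.append("init_then_tls_client_hello")
    if detect_system_whoami(server_stream):
        hits.append("whoami_nt_authority_system")
    return hits


if __name__ == "__main__":
    print(scan_connection(SAMPLE_INIT + SAMPLE_CLIENT_HELLO, SAMPLE_RESPONSE))
```

Feed `scan_connection` the reassembled client and server byte streams of a single TCP connection to port 5555 (for example from a PCAP tool's stream follow); a legitimate Data Protector init frame followed by further length-prefixed frames rather than a TLS record does not trigger the first indicator.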

CVSS provenance

nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C