HP Data Protector Hard-coded Cryptographic Key (HPSBGN03580)

High Nessus Plugin ID 90941


Synopsis

An application running on the remote host utilizes an embedded SSL private key.


Description

The HP Data Protector application running on the remote host contains an embedded SSL private key that is shared across all installations.
An attacker can exploit this to perform man-in-the-middle attacks against the host, among other potential impacts.


Solution

Apply the appropriate patch according to the vendor's advisory.

Plugin Details

Severity: High

ID: 90941

File Name: hp_data_protector_hardcoded_private_key.nasl

Version: $Revision: 1.4 $

Type: remote

Family: Misc.

Published: 2016/05/06

Modified: 2017/06/15

Dependencies: 19601

Risk Information

Risk Factor: High


CVSS v2.0

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND


CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:hp:data_protector

Required KB Items: Settings/ParanoidReport

Excluded KB Items: global_settings/disable_test_ssl_based_services

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/04/18

Vulnerability Publication Date: 2016/04/22

Exploitable With

Metasploit (HP Data Protector Encrypted Communication Remote Command Execution)

Reference Information

CVE: CVE-2016-2004

OSVDB: 137516

HP: emr_na-c05085988, HPSBGN03580, SSRT102163, PSRT102293

CERT: 267328