Category:   Application (Security)  >   SSH
Vendors:   HPE
HP Tru64 SSH Kit Flaw May Grant Access to Remote Users
SecurityTracker Alert ID:  1008707
SecurityTracker URL:  http://securitytracker.com/id/1008707
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 15 2004
Original Entry Date:  Jan 13 2004
Impact:   Denial of service via network, Root access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Prior to HP Tru64 SSH Kit 3.2.2
Description:   A vulnerability was reported in HP Tru64 UNIX systems running SSH and IPSec. A remote user may be able to gain access to the system or cause denial of service conditions.

HP reported that there are unspecified vulnerabilities in the software. No details were provided.

Impact:   A remote user may be able to gain access to the system. A remote user may be able to cause denial of service conditions.
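Solution:   The vendor has released Early Release Patch (ERP) kits for HP Tru64 UNIX V5.1B and updated Web kits for V5.1A.

The fixes in the V5.1B ERP kits are scheduled to be included in the mainstream patch kit HP Tru64 UNIX V5.1B PK4.

Early Release Patches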

HP Tru64 UNIX 5.1B:

For IPsec software:
Note: The same ERP kit applies to both 5.1B PK2 and 5.1B PK3
PREREQUISITE: HP Tru64 UNIX 5.1B with PK2 or PK3 installed
ERP Kit Name: T64KIT0020963-V51BB24-ES-20031204
Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0020963-V51BB24-ES-20031204

For SSH software:
Note: The same ERP kit applies to both 5.1B PK2 and 5.1B PK3
PREREQUISITE: HP Tru64 UNIX 5.1B with PK2 or PK3 installed
ERP Kit Name: T64KIT0020964-V51BB24-ES-20031204
Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0020964-V51BB24-ES-20031204


HP Tru64 UNIX 5.1A:

HP says that customers running versions of software earlier than IPsec 2.1.1 and SSH 3.2.2 should upgrade.

Updated 5.1A SSH and IPsec kits are available at:

IPsec: http://h30097.www3.hp.com/unix/ipsec

SSH: http://h30097.www3.hp.com/unix/ssh

Vendor URL:  www.hp.com/
Cause:   Not specified
Underlying OS:  UNIX (Tru64)
Underlying OS Comments:  5.1A, 5.1B

Message History:   None.


 Source Message Contents

Subject:  Security Bulletin SSRT3629A/B - Tru64 UNIX potential Denial of Service and/or unauthorized access


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY BULLETIN

REVISION: 0

SSRT3629A/B - Tru64 UNIX potential Denial of Service and/or unauthorized
access

- -----------------------------------------------------------------
NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

RELEASE DATE: 7 January 2004

SEVERITY:  1

SOURCE:  HEWLETT-PACKARD COMPANY
Software Security Response Team

REFERENCE:  None

PROBLEM SUMMARY
Potential security vulnerabilities have been identified in HP Tru64 UNIX
running IPsec and SSH software that may result in a local or remote
exploit of a Denial of Service (DoS) and/or local or remote unauthorized
access.

VERSIONS IMPACTED
The currently supported versions of HP Tru64 UNIX V5.1B PK2 (BL22) and
PK3 (BL24) and V5.1A running IPsec and SSH software kits earlier than:
IPsec 2.1.1 and SSH 3.2.2

RESOLUTION
HP is releasing the following Early Release Patch (ERP) kits for HP
Tru64 UNIX V5.1B,  and Web kits for HP Tru64 UNIX V5.1A.

The V5.1B ERP kits use dupatch to install and will not install over any
installed Customer Specific Patches (CSPs) that have file intersections
with the ERPs.  Contact your service provider for assistance if the
installation of the ERPs is blocked by any of your installed CSPs.

The resolutions contained in the V5.1B ERP kits are scheduled to be
available in the following mainstream patch kit:

HP Tru64 UNIX V5.1B  PK4

Early Release Patches

    HP Tru64 UNIX 5.1B:

    For IPsec software:
    Note:   The same ERP kit applies to both 5.1B PK2 and 5.1B PK3
    PREREQUISITE:     HP Tru64 UNIX 5.1B with PK2 or PK3 installed
    ERP Kit Name:     T64KIT0020963-V51BB24-ES-20031204
    Kit Location:
    http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=
    T64KIT0020963-V51BB24-ES-20031204

    For SSH software:
    Note:   The same ERP kit applies to both 5.1B PK2 and 5.1B PK3
    PREREQUISITE:    HP Tru64 UNIX 5.1B with PK2 or PK3 installed
    ERP Kit Name:     T64KIT0020964-V51BB24-ES-20031204
    Kit Location:
    http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=
    T64KIT0020964-V51BB24-ES-20031204


    HP Tru64 UNIX 5.1A

Customers running versions of software earlier than IPsec 2.1.1 and SSH
3.2.2 should upgrade.

Updated 5.1A SSH and IPsec kits are available at the following
locations:

IPsec: http://h30097.www3.hp.com/unix/ipsec

SSH: http://h30097.www3.hp.com/unix/ssh


MD5  checksums are available from the ITRC patch database main page
http://www.itrc.hp.com/service/patch/mainPage.do. From the patch
database main page, click tru64 UNIX, then click verifying MD5 checksums
under useful links.


SUPPORT: For further information, contact HP Services.

SUBSCRIBE: To subscribe to automatically receive future Security
Advisories from the Software Security Response Team via electronic
mail: http://www.support.compaq.com/patches/mail-list.shtml

REPORT: To report a potential security vulnerability with any HP
supported product, send email to: security-alert@hp.com

As always, HP urges you to periodically review your system management
and security procedures. HP will continue to review and enhance the
security features of its products and work with our customers to
maintain and improve the security and integrity of their systems.

"HP is broadly distributing this Security Bulletin in order to bring to
the attention of users of the affected HP products the important
security information contained in this Bulletin. HP recommends that all
users determine the applicability of this information to their
individual situations and take appropriate action. HP does not warrant
that this information is necessarily accurate or complete for all user
situations and, consequently, HP will not be responsible for any damages
resulting from user's use or disregard of the information provided in
this Bulletin."


(c)Copyright 2004 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is
provided "as is" without warranty of any kind. To the extent permitted
by law, neither HP or its affiliates, subcontractors or suppliers will
be liable for incidental, special or consequential damages including
downtime cost; lost profits; damages relating to the procurement of
substitute products or services; or damages for loss of data, or
software restoration. The information in this document is subject to
change without notice. Hewlett-Packard Company and the names of
Hewlett-Packard products referenced herein are trademarks of
Hewlett-Packard Company in the United States and other countries. Other
product and company names mentioned herein may be trademarks of their
respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP/xzh+AfOvwtKn1ZEQL8IgCg5HWncROdN/CxfXUN9QfW5PFVXGwAoIJ7
7OXN4LsUmiBQ/jnQ2lz/EcKu
=WzGd
-----END PGP SIGNATURE-----


 
 

