
UNIRAS Brief - 584/03 - Two Hewlett-Packard Security Bulletins



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 584/03 dated 24.10.03  Time: 11:00
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Two Hewlett-Packard Security Bulletins:

1. Potential vulnerability in nonSSL HP management web agent.

2. Security Bulletin rev.1 - HP-UX AAA Server.

Detail
====== 

1. A potential security vulnerability has been identified in the
non-SSL web agent that is delivered as part of the HP web-enabled
Management Software, that may result in an unauthorized local
or remote user gaining unauthorized privileged access, or
creating a Denial of Service (DoS).

2. An SSL/TLS testing suite developed by the NISCC (National Infrastructure
Security Co-Ordination Centre in the UK) has identified ASN.1 parsing vulnerabilities
in OpenSSL.

The HP-UX AAA Server (T1428AA) is affected by the latest OpenSSL vulnerabilities.



1.      ESB-2003.0738 -- HEWLETT-PACKARD COMPANY SECURITY BULLETIN
    SSRT3632 Potential vulnerability in nonSSL HP management web agent
                              23 October 2003


Product:                Insight Management for Clients versions 3.5 - 5.0
                        Remote Diagnostics Enabling Agent
                        Insight Manager LC versions 1.00 - 1.60
Publisher:              Hewlett-Packard
Operating System:       Windows XP
                        Windows 2000
                        Windows 9x
Impact:                 Inappropriate Access
                        Denial of Service
Access Required:        Remote

- - --------------------------BEGIN INCLUDED TEXT--------------------

SECURITY BULLETIN
 
REVISION: 0
 
SSRT3632 Potential vulnerability in nonSSL HP management web agent


NOTICE: There are no restrictions for distribution of this
        Bulletin provided that it remains complete and intact.

RELEASE DATE:  21 October 2003

SEVERITY:  2

SOURCE:  HEWLETT-PACKARD COMPANY
Software Security Response Team

REFERENCE:  SSRT3499, SSRT3516, SSRT3521, SSRT3530

PROBLEM SUMMARY
A potential security vulnerability has been identified in the
non-SSL web agent that is delivered as part of the HP web-enabled
Management Software, that may result in an unauthorized local
or remote user gaining unauthorized privileged access, or
creating a Denial of Service (DoS).

VERSIONS IMPACTED

The following web-enabled Management Agent products
for desktops, notebooks and workstations running
Microsoft Windows 9x, NT, 2000 and XP:

   Insight Management for Clients versions 3.5 to 5.0

   Remote Diagnostics Enabling Agent - any version

   Insight Manager LC versions 1.00 to 1.60



RESOLUTION
HP strongly recommends that customers disable the
identified versions of web-enabled agents for:

   Insight Management for Clients versions 3.5 to 5.0

   Remote Diagnostics Enabling Agent - any version

   Insight Manager LC versions 1.00 to 1.60

 

HP recommends the following steps be taken to disable
web-enabled agents:

   1)   Determine which systems are running HP web-enabled agents
        or utilities


   2)   Disable the web agent on those systems.




1) Determine which systems are running HP web-enabled agents or
utilities.

There are three methods suggested.

Method 1

Environments running Insight Manager 7 can get a list of systems
running the web-enabled agents by defining a Query to return a
list of systems with web agents.

Log in to your Insight Manager 7 system and create a new Query.
Select the "Devices with Web Agent" criteria.
  o Select all of the available products on the Criteria
    Configuration screen.
  o Save the Query and execute it. The list of devices will be all
   those with web agents. You may wish to use this query with the
   Reports feature of Insight Manager 7 (available in SP1 and
   greater) to get printouts of the devices and the software
   loaded. (Insight Manager XE users may follow a similar
   procedure up to but not including the reports.)

NOTE: Prior to running through this procedure, you may want to
perform a new discovery and data collection.  If you first make
sure that the discovery range covers all of the subnets visible
to the Insight Manager 7 system, you will get a potentially
more comprehensive report.

Method 2

Environments running the HP Insight Manager Windows 32 console can
get a list of systems running the web agents by starting HP Insight
Manager and selecting the "Web Device List" button on the
toolbar. This will display a list of systems being managed
by HP Insight Manager, with the systems on which the web
agents are present and enabled underlined as hyperlinks.
To print out a list of only the web devices, select the
"Web Devices" hyperlink in the left column and only web
devices will be shown. Print this page from your browser.

NOTE: The lists generated by Methods 1 and 2, while helpful, may
not be exhaustive lists of the systems with web-enabled agents
and utilities. The lists will include only those systems that
are being managed, either explicitly or because they have
been discovered.

Method 3

Point a web browser to the system by keying in
http://[IP_ADDRESS]:2301 or http://[machine_name]:2301

This will bring up the device home page for any servers running
web-enabled management software. This procedure identifies the
presence of the software on one system at a time, and assumes
that you already know the device name or IP address of every
device and use this procedure to visit each of them.

2) To minimize the risk to your systems from a malicious
attack, HP recommends uninstalling or disabling the web
agent software.

To stop the relevant client services, use the NET STOP
command on the following services: CpqWebDmi, DfwWebAgent,
and LCRMS.  To disable the services, change the appropriate
Registry service "Start" value to 4 as shown below:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CpqWebDmi]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DfwWebAgent]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LCRMS]
"Start"=dword:00000004


In Insight Management Agent version 5.01 Rev A (SP24815.EXE / TXT)
ftp://ftp.compaq.com/pub/softpaq/sp24501-25000/SP24815.txt
ftp://ftp.compaq.com/pub/softpaq/sp24501-25000/SP24815.exe
the default install process was changed to not install the
web portion of the agent and to also disable the Remote
Diagnostics Enabling Agent (RDEA). RDEA also includes a
web agent. Selecting 'custom install' will still allow the web
agent to be selected and installed.


You may sign up for automatic notification of drivers and alerts
at
http://h30046.www3.hp.com/subhub.php
(select 'driver & support alerts/notifications' then
Servers/HP Server Management Software/HP Management Applications)
but it is recommended that you check back here for new
information periodically and not wait for notifications.

HP strongly recommends that web-enabled agents and
utilities be deployed only on private networks and not
be used on the open Internet or on systems outside
the bounds of a firewall. The implementation of sound
security practices, which includes disabling external
access to HP management ports, should help to protect
customers from external malicious attacks. HP also
recommends that strong password standards be used
and that passwords be changed regularly.


SUPPORT: For further information, contact HP Services.

SUBSCRIBE: To subscribe to automatically receive future
Security Advisories from the Software Security Response
Team via electronic mail:
http://www.support.compaq.com/patches/mail-list.shtml
 
REPORT: To report a potential security vulnerability with
any HP supported product, send email to: security-alert@xxxxxx

As always, HP urges you to periodically review your system
management and security procedures. HP will continue to
review and enhance the security features of its products
and work with our customers to maintain and improve the
security and integrity of their systems.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products
the important security information contained in this Bulletin.
HP recommends that all users determine the applicability of
this information to their individual situations and take
appropriate action. HP does not warrant that this information
is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages
resulting from user's use or disregard of the information
provided in this Bulletin."


(c)Copyright 2001, 2003 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard
Company in the United States and other countries. Other
product and company names mentioned herein may be
trademarks of their respective owners.









2. 

 ESB-2003.0740 -- HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0310-286
            SSRT3622 Security Bulletin rev.1 - HP-UX AAA Server
                              24 October 2003


Product:                HP-UX AAA Server
Publisher:              Hewlett-Packard
Operating System:       HP-UX B.11.11
                        HP-UX B.11.00
Platform:               HP9000
Impact:                 Denial of Service
Access Required:        Remote
CVE Names:              CAN-2003-0543 CAN-2003-0544 CAN-2003-0545

Ref:                    AL-2003.18
                        ESB-2003.0710

Comment:                NB: revisions to SOLUTION sections

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 -----------------------------------------------------------------
**REVISED 01**
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0310-286
Originally issued: 07 Oct 2003
Last revised:  22 Oct 2003
SSRT3622 Security Bulletin rev.1 - HP-UX AAA Server
 -----------------------------------------------------------------
NOTICE: There are no restrictions for distribution of this
        Bulletin provided that it remains complete and intact.

The information in the following Security Bulletin should be
acted upon as soon as possible.  Hewlett-Packard Company will
not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this
Security Bulletin as soon as possible.

 -----------------------------------------------------------------
PROBLEM: 1. Certain ASN.1 encodings that are rejected as invalid
            by the parser can trigger a bug in the deallocation
            of the corresponding data structure, corrupting the
            stack.  This can be used as a denial of service
            attack.  It is currently unknown whether this can be
            exploited to run malicious code. This issue does not
            affect OpenSSL 0.9.6.

            More details are available at:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545

         2. Unusual ASN.1 tag values can cause an out of bounds
            read under certain circumstances, resulting in a
            denial of service vulnerability.
            More details are available at:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544

         3. A malformed public key in a certificate will crash
            the verify code if it is set to ignore public key
            decoding errors.  Exploitation of an affected
            application would result in a denial of service
            vulnerability.

         4. Due to an error in the SSL/TLS protocol handling,
            a server will parse a client certificate when one is
            not specifically requested.

IMPACT:   Potential Denial of Service

PLATFORM: HP9000 Servers running HP-UX release B.11.00, B.11.11
          with HP-UX AAA Server, A.06.01.02 or earlier,
          (AAAServer/T1428AA)
          This product included OpenSSL 0.9.7b.

**REVISED 01**
SOLUTION: For HP-UX releases B.11.00, B.11.11, download new
          HP-UX AAA Server product from <software.hp.com>

          For AAAServer/T1428AA download the following:

          - HP-UX AAA Server
            A.06.01.02.04 or later (AAAServer)
            This product includes OpenSSL 0.9.7b + patches.

MANUAL ACTIONS: Yes - Update
            Install the product containing the fix.
            Remove AAAServer (T1428AA) and migrate to
            HP-UX AAA Server A.06.01.02.04 or later.

AVAILABILITY: Complete product bundles are available from
              <software.hp.com>.

CHANGE SUMMARY:  Rev. 1 - product bundles are available from
                           <software.hp.com>,
                          ftp site has been removed.

 -----------------------------------------------------------------
A. Background
   An SSL/TLS testing suite developed by the NISCC (National
   Infrastructure Security Co-Ordination Centre in the UK) has
   identified ASN.1 parsing vulnerabilities in OpenSSL.

   The HP-UX AAA Server (T1428AA) is affected by the latest OpenSSL
   vulnerabilities.

     AFFECTED VERSIONS
     ==================

     The following is a list by HP-UX revision of
     affected filesets or patches and fix information.
     To determine if a system has an affected version,
     search the output of "swlist -a revision -l fileset"
     for an affected fileset or patch, then determine if
     a fixed revision or applicable patch is installed.

     The affected filesets are: (product.fileset)
     ==================
     HP-UX B.11.00
     HP-UX B.11.11
     AAAServer
     fix: install revision A.06.01.02.04 or subsequent

     END AFFECTED VERSIONS

**REVISED 01**
B. Recommended solution
    For customers using the HP-UX AAA Server (T1428AA)
 --> revision A.06.01.02 and earlier, download the depot from
    <software.hp.com>.

    ==================================================
    To fix the problem:

    1. Determine the affected version.
    2. Remove HP-UX AAA Server (T1428AA)
    3. Install the appropriate HP-UX AAA Server depot.

    The fix requires removing AAAServer (T1428AA) from
    the system and migrating to HP-UX AAA Server
    A.06.01.02.04 or later.

 --> NOTE: Even if you recently installed the depot from the
 -->       ftp site, product users should overwrite the
 -->       previous downloads of this version A.06.01.02.04
 -->       with the latest one from software.hp.com.   There
 -->       are changes in the pre- and post-install control and
 -->       SD scripts.
 -->       It is not necessary to remove the installed version.


   Check for AAA Installation
   --------------------------
   To determine if the HP-UX AAA Server is installed on
   your system, use Software Distributor's swlist command.

   For example, the results of the command
     swlist -l product | grep -i AAA     might show:

   AAAServer  A.06.01.02    AAA Server
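
   Added example (not part of the HP bulletin or the UNIRAS brief): a
   POSIX shell check that reads "swlist -l product" output and reports
   whether the AAAServer revision is below the fixed revision
   A.06.01.02.04. The function names, the status words and the sample
   listing are constructed for this example, and revisions are assumed
   to share the same letter prefix.

```sh
#!/bin/sh
# Added example, not HP's code. FIXED_REV is the fixed revision named in
# the bulletin; function names and status words are this example's own.
FIXED_REV="A.06.01.02.04"

# rev_lt A B: succeed (exit 0) when revision A is lower than revision B.
# The letter prefix ("A.") is dropped, so both revisions are assumed to
# share it. Fields are compared as numbers, with missing trailing fields
# counted as 0, so A.06.01.02 < A.06.01.02.04 and "06" equals "6".
rev_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^[A-Za-z]+\./, "", a); sub(/^[A-Za-z]+\./, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal revisions are not "lower"
    }'
}

# aaa_status: read a "swlist -l product" listing on stdin and print
#   not-installed | needs-update <rev> | fixed <rev>
# Header lines start with "#", so their first field never matches.
aaa_status() {
    rev=$(awk '$1 == "AAAServer" { print $2; exit }')
    if [ -z "$rev" ]; then
        echo "not-installed"
    elif rev_lt "$rev" "$FIXED_REV"; then
        echo "needs-update $rev"
    else
        echo "fixed $rev"
    fi
}

# Constructed sample listing; the AAAServer line is the one the
# bulletin shows, the other lines are filler made up for this example.
sample_listing() {
    cat <<'EOF'
# Constructed header line
  ExampleProd  B.11.11.01    Constructed filler product
  AAAServer  A.06.01.02    AAA Server
EOF
}

# On an HP-UX host:  swlist -l product | aaa_status
sample_listing | aaa_status
```

   A "needs-update" result means the manual update described in this
   bulletin still has to be carried out on that host.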

   Stop HP-UX AAA Server
   ---------------------
   Before updating, make sure to stop any previous HP-UX AAA
   Server binary.  Otherwise, the previous binary will continue
   running, preventing the new one from starting, although the
   installation may be successful.

   After determining which HP-UX AAA Server is installed, stop
   the process with the following command:

    kill `cat /var/opt/aaa/run/radiusd.pid | awk '{print $1}'`

    Stop any active tomcat processes using the following command:

    /opt/hpws/tomcat/bin/shutdown.sh

**REVISED 01**
   Download and Install HP-UX AAA Server
   -----------------------------
 --> - Download HP-UX AAA Server depot file from software.hp.com.
 --> - Register the depot using "swreg" and install using the
 -->   "swinstall" SD commands.
     - Remove AAAServer (T1428AA) and migrate to
       HP-UX AAA Server A.06.01.02.04 or later.

    Installation of this new version of HP-UX AAA Server
    over an existing HP-UX AAA Server installation is supported,
    while installation over any non-HP AAA Server is NOT
    supported.

   Removing an HP-UX AAA Server Installation
   ----------------------------
   If you would rather remove HP-UX AAA Server from your system
   than install a newer version to resolve the security problem,
   use Software Distributor's "swremove" command.

   Note: Before executing swremove, stop HP-UX AAA Server and
   the active tomcat processes.

   Remove the HP-UX AAA Server using SD command: swremove T1428AA


C. To subscribe to automatically receive future NEW HP Security
   Bulletins from the HP IT Resource Center via electronic
   mail, do the following:

   Use your browser to get to the HP IT Resource Center page
   at:

      http://itrc.hp.com

   Use the 'Login' tab at the left side of the screen to login
   using your ID and password.  Use your existing login or the
   "Register" button at the left to create a login, in order to
   gain access to many areas of the ITRC.  Remember to save the
   User ID assigned to you, and your password.

   In the left most frame select "Maintenance and Support".

   Under the "Notifications" section (near the bottom of
   the page), select "Support Information Digests".

   To -subscribe- to future HP Security Bulletins or other
   Technical Digests, click the check box (in the left column)
   for the appropriate digest and then click the "Update
   Subscriptions" button at the bottom of the page.

   or

   To -review- bulletins already released, select the link
   (in the middle column) for the appropriate digest.

   NOTE: Using your ITRC account, security bulletins can be
         found here:
   http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin


   To -gain access- to the Security Patch Matrix, select
   the link for "The Security Bulletins Archive".  (near the
   bottom of the page)  Once in the archive the third link is
   to the current Security Patch Matrix. Updated daily, this
   matrix categorizes security patches by platform/OS release,
   and by bulletin topic.  Security Patch Check completely
   automates the process of reviewing the patch matrix for
   11.XX systems.  Please note that installing the patches
   listed in the Security Patch Matrix will completely
   implement a security bulletin _only_ if the MANUAL ACTIONS
   field specifies "No."

   The Security Patch Check tool can verify that a security
   bulletin has been implemented on HP-UX 11.XX systems providing
   that the fix is completely implemented in a patch with no
   manual actions required.  The Security Patch Check tool cannot
   verify fixes implemented via a product upgrade.

   For information on the Security Patch Check tool, see:
   http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

   The security patch matrix is also available via anonymous
   ftp:

   ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/

   On the "Support Information Digest Main" page:
   click on the "HP Security Bulletin Archive".

   The PGP key used to sign this bulletin is available from
   several PGP Public Key servers.  The key identification
   information is:

      2D2A7D59
      HP Security Response Team (Security Bulletin signing only)
      <security-alert@xxxxxx>
      Fingerprint =
        6002 6019 BFC1 BC62 F079 862E E01F 3AFC 2D2A 7D59

   If you have problems locating the key please write to
   security-alert@xxxxxxx  Please note that this key is
   for signing bulletins only and is not the key returned
   by sending 'get key' to security-alert@xxxxxxx


D. To report new security vulnerabilities, send email to

   security-alert@xxxxxx

   Please encrypt any exploit information using the
   security-alert PGP key, available from your local key
   server, or by sending a message with a -subject- (not body)
   of 'get key' (no quotes) to security-alert@xxxxxxx

 -----------------------------------------------------------------

(c)Copyright 2003 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company.  Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.

 ________________________________________________________________



For additional information or assistance, please contact the HELP Desk by
telephone. Not Protectively Marked information may be sent via email to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Hewlett-Packard for the information
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>