Title: Security vulnerability in ftp in releases 9.X and 10.X of HP-UX
Released by: HP
Date: 14th December 1995
-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: HPSBUX9511-028, 28 Nov 95
-------------------------------------------------------------------------
Hewlett-Packard recommends that the information in the following
Security Bulletin should be acted upon as soon as possible. Hewlett-
Packard will not be liable for any consequences to any customer
resulting from customer's failure to fully implement instructions
in this Security Bulletin as soon as possible.
_______________________________________________________________________
PROBLEM: Security vulnerability in ftp in releases 9.X and 10.X of HP-UX
PLATFORM: HP 9000 series 300/400s and 700/800s
DAMAGE: A vulnerability in ftp behavior exists which involves ftp
server bouncing. This is a cumulative ftp(1) and ftpd(1M)
patch.
SOLUTION: Apply patch PHNE_6013 (series 700/800, HP-UX 9.x), or
PHNE_6014 (series 700/800, HP-UX 10.x), or
PHNE_6146 (series 300/400, HP-UX 9.x), or
PHNE_6170 (series 700, HP-UX 9.09), or
PHNE_6169 (series 700, HP-UX 9.09+), or
PHNE_6171 (series 800, HP-UX 9.08), or
PHNE_5965 (series 700, HP-UX 10.09)
AVAILABILITY:
All patches are available now, except for the 9.0X BLS patches
which will be available after January 2, 1996.
_______________________________________________________________________
I. Update
A. Vulnerability
The vulnerability allows users to exploit ftp. If these patches
are properly installed, the vulnerability cannot be exploited.
It has been found that all HP-UX systems have this vulnerability.
B. Fixing the problem
The vulnerability can be eliminated from releases 9.x and 10.x of
HP-UX by applying a patch. For commercial releases of HP-UX prior
to 9.x, administrators should make plans to upgrade their systems
to a currently supported release listed above.
Hewlett-Packard recommends that all customers concerned with the
security of their HP-UX systems apply the appropriate patch
described above as soon as possible.
Side effects: none.
C. How to Install the Patch (for HP-UX 9.x and 10.x)
1. Determine which patch is appropriate for your hardware platform
and operating system:
For the Commercial HP-UX releases:
PHNE_6013 (series 700/800, HP-UX 9.x), or
PHNE_6014 (series 700/800, HP-UX 10.x), or
PHNE_6146 (series 300/400, HP-UX 9.x).
For the BLS HP-UX releases:
PHNE_6169 (series 700, HP-UX 9.09+), or
PHNE_6170 (series 700, HP-UX 9.09), or
PHNE_6171 (series 800, HP-UX 9.08), or
PHNE_5965 (series 700, HP-UX 10.09).
The three 9.0x B Level Security (BLS) patches will be available
after January 2, 1996.
2. Hewlett-Packard's HP-UX patches are available via email and
World Wide Web.
To obtain a copy of the HP SupportLine email service user's guide,
send the following in the TEXT PORTION OF THE MESSAGE to
support@us.external.hp.com (no Subject is required):
send guide
The user's guide explains the process for downloading HP-UX patches
via email and other services available.
World Wide Web service for downloading of patches
is available via our URL:
(http://us.external.hp.com/)
3. Apply the patch to your HP-UX system.
4. Examine /tmp/update.log for any relevant WARNINGs or ERRORs. This
can be done as follows:
a. At the shell prompt, type "tail -60 /tmp/update.log | more"
b. Page through the next three screens via the space bar, looking
for WARNING or ERROR messages.
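The patch selection in step 1 and the log check in step 4 can be scripted. The following is an added example, not part of HP's bulletin or tooling; the function names select_patch and check_update_log are hypothetical, and it assumes that any 9.x or 10.x release not listed as BLS is a commercial release.

```shell
#!/bin/sh
# Added example, not HP tooling. Patch names are copied from the bulletin.

# select_patch SERIES RELEASE   (e.g. "700 9.05", "700 9.09+", "800 10.01")
# Assumption: a 9.x/10.x release not listed as BLS is a commercial release.
select_patch() {
    case "$1:$2" in
        700:9.09+)         echo PHNE_6169 ;;   # BLS releases first (exact match)
        700:9.09)          echo PHNE_6170 ;;
        800:9.08)          echo PHNE_6171 ;;
        700:10.09)         echo PHNE_5965 ;;
        700:9.*|800:9.*)   echo PHNE_6013 ;;   # commercial releases
        700:10.*|800:10.*) echo PHNE_6014 ;;
        300:9.*|400:9.*)   echo PHNE_6146 ;;
        *) echo "no patch listed for series $1, HP-UX $2" >&2; return 1 ;;
    esac
}

# check_update_log [FILE]: step 4 without paging through the log by eye.
# Prints WARNING/ERROR lines found in the last 60 lines of the log.
# Returns 0 if clean, 1 if any were found, 2 if the log cannot be read.
check_update_log() {
    log=${1:-/tmp/update.log}
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    # "tail -n 60" is the POSIX spelling of the bulletin's "tail -60".
    if tail -n 60 "$log" | grep -E 'WARNING|ERROR'; then
        return 1
    fi
    return 0
}

# Demo on a constructed log (these lines are not real update output).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'NOTE: constructed sample line' \
                  'WARNING: constructed sample warning' > "$tmp"
    echo "patch: $(select_patch 700 9.05)"
    check_update_log "$tmp"; rc=$?
    rm -f "$tmp"
    echo "log check status: $rc"
    return 0
}
demo
```

A non-zero status from check_update_log means the patch installation should be reviewed before the system is treated as fixed.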
D. Impact of the patch and workaround
The patch for HP-UX releases 9.x and 10.x provides a new version of
/usr/bin/ftp and /etc/ftpd which fixes the vulnerability. No
patches will be available for versions of HP-UX prior to 9.0.
To protect those affected systems, we recommend upgrading to a
currently supported release of HP-UX.
E. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine mail service via electronic
mail, send an email message to:
support@us.external.hp.com (no Subject is required)
Multiple instructions are allowed in the TEXT PORTION OF THE
MESSAGE. Here are some basic instructions you may want to use:
To add your name to the subscription list for new security
bulletins, send the following in the TEXT PORTION OF THE MESSAGE:
subscribe security_info
To retrieve the index of all HP Security Bulletins issued to date,
send the following in the TEXT PORTION OF THE MESSAGE:
send security_info_list
To get a patch matrix of current HP-UX and BLS security
patches referenced by either Security Bulletin or Platform/OS,
put the following in the text portion of your message:
send hp-ux_patch_matrix
World Wide Web service for browsing of bulletins is available via
our URL:
(http://us.external.hp.com/)
Choose "Support news", then under Support news,
choose "Security Bulletins"
F. To report new security vulnerabilities, send email to
security-alert@hp.com
_______________________________________________________________________
==============================================================================
***HP SupportLine Mail Service Notice***
This digest contains a summary of all newly received Security Bulletins.
You do not have to have any form of support from Hewlett-Packard to subscribe
to this digest or to procure the recommended patches via the HP SupportLine
mail service.
----------------------------------------------------------------------------
To obtain a copy of the HP SupportLine mail service user's guide, send the
following (in the TEXT PORTION OF THE MESSAGE) to the HP SupportLine mail
service.
To: support@us.external.hp.com
Message Text:
send guide
----------------------------------------------------------------------------
To obtain a patch identified within this Security Bulletin, send the following
(in the TEXT PORTION OF THE MESSAGE) to the HP SupportLine mail service.
To: support@us.external.hp.com
Message Text:
send xxxxxxxxxxxx
(where xxxxxxxxxxxx represents the specified patch name).
----------------------------------------------------------------------------
If you have concerns about security issues, please forward them to:
security-alert@hp.com
The security-alert node is monitored during working hours Pacific Daylight
Time by multiple HP Security Response Team personnel. We reply to your message
only if necessary to obtain additional information.
----------------------------------------------------------------------------
If you would like to be REMOVED from this mailing list, send the following
(in the TEXT PORTION OF THE MESSAGE) to the HP SupportLine mail service.
To: support@us.external.hp.com
Message Text:
unsubscribe security_info