Hewlett Packard SSRT3533: Cluster Alias/NFS DoS

by Nikola Strahija on April 24th, 2003

A vulnerability has been found in HP Tru64 UNIX/TruCluster Server that may result in undetected network traffic or a denial-of-service.


-----BEGIN PGP SIGNED MESSAGE-----


TITLE: SSRT3533 - HP Tru64 UNIX/TruCluster Server -
Cluster Alias/NFS Potential Security Vulnerability

REVISION: 0


NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

RELEASE DATE: 22 April 2003


SEVERITY: High

SOURCE: HEWLETT-PACKARD COMPANY
Software Security Response Team

REFERENCE: SSRT3533

PROBLEM SUMMARY


This bulletin will be posted to the support website
within 24 hours of release to -
http://thenew.hp.com/country/us/eng/support.html
Use the SEARCH IN feature box, enter SSRT3533 in the search window.



SSRT3533 Cluster Alias/NFS (Severity High)

A potential security vulnerability has been reported in the HP Tru64
UNIX operating system that may result in undetected network traffic
or a Denial of Service (DoS). This potential vulnerability, which
affects only HP TruCluster Server systems that use cluster aliases
and act as NFS servers, may be in the form of local and remote
security domain risks.



VERSIONS IMPACTED


HP Tru64 UNIX V5.1B PK1 (BL1) Only



NOT IMPACTED

HP Tru64 UNIX V5.1A

HP Tru64 UNIX V5.1

HP Tru64 UNIX V5.0A

HP-UX

HP-MPE/ix

HP NonStop Servers

HP OpenVMS

RESOLUTION


An Early Release Patch (ERP) is now available that provides a solution
to this potential vulnerability. The ERP kit uses dupatch to install
and will not install over any Customer Specific Patches (CSPs) which
have file intersections with the ERP. Contact your normal support
channel and request HP Tru64 services elevate a case to Support
Engineering if a CSP must be merged with the ERP. Please review the
README file for each patch prior to installation.

NOTE: The following ERP kit is applicable to any HP TruCluster Server
systems that use cluster aliases and act as NFS servers.



HP Tru64 UNIX/TruCluster Server 5.1B
PREREQUISITE: Tru64 UNIX/TruCluster Server with PK1 (BL01) installed
ERP Kit Name: T64V51BB1-C0007503-18084-ES-20030415.tar
Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.1b/



NOTE:
Customers who have installed Tru64 UNIX V5.1B PK1 CSP 75.00, 75.01,
or 75.02 do not need to install the Early Release Patch (ERP) kit
described in this Security Bulletin.



The fixes contained in the ERP kit will be available in the following
mainstream patch kits:

HP Tru64 UNIX 5.1B PK2


Information on how to verify MD5 and SHA1 checksums is
available at: http://www.support.compaq.com/patches/whats-new.shtml
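
Added example (not part of the HP bulletin): a Python sketch of the
checksum step, run on the download host before the kit is handed to
dupatch. The published digests are not on this page, so the `published`
argument must be filled from HP's checksum listing; the function names
are hypothetical and the demo uses a constructed stand-in file.

```python
import hashlib
import hmac
import os
import tempfile

KIT_NAME = "T64V51BB1-C0007503-18084-ES-20030415.tar"  # kit name from the bulletin


def file_digests(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_kit(path, published):
    """Return (ok, mismatches) for a kit file.

    `published` maps a lowercase algorithm name to the hex digest copied
    from the vendor's listing. Every listed digest must match, and an
    empty mapping counts as a failure rather than a pass.
    """
    if not published:
        return False, ["no published digests supplied"]
    actual = file_digests(path, tuple(published))
    mismatches = sorted(
        name for name, want in published.items()
        if not hmac.compare_digest(actual[name], want.strip().lower())
    )
    return not mismatches, mismatches


def demo():
    """Verify a constructed stand-in kit, then a modified copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = os.path.join(tmp, KIT_NAME)
        with open(kit, "wb") as fh:
            fh.write(b"constructed sample bytes, not the real ERP kit")
        published = file_digests(kit)  # stands in for the vendor's values
        intact_ok, _ = verify_kit(kit, published)
        with open(kit, "ab") as fh:
            fh.write(b"\x00")  # simulate a corrupted or altered download
        altered_ok, mismatches = verify_kit(kit, published)
    return intact_ok, altered_ok, mismatches


if __name__ == "__main__":
    print(demo())
```

Install only when every published digest matches; a kit that passes MD5
but fails SHA1, or the reverse, is treated as a failed download.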

After completing the update, HP strongly recommends that you perform
an immediate backup of the system disk so that any subsequent
restore operations begin with updated software. Otherwise, the
updates must be re-applied after a future restore operation. Also,
if at some future time the system is upgraded to a later patch
release or version release, reinstall the appropriate ERP.


SUPPORT: For further information, contact HP Services.

SUBSCRIBE: To subscribe to automatically receive future Security
Advisories from the Software Security Response Team via electronic
mail:
http://www.support.compaq.com/patches/mail-list.shtml

REPORT: To report a potential security vulnerability with any HP
supported product, send email to: [email protected]

As always, HP urges you to periodically review your system management
and security procedures. HP will continue to review and enhance the
security features of its products and work with our customers to
maintain and improve the security and integrity of their systems.

"HP is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected HP products the important
security information contained in this Bulletin. HP recommends that
all users determine the applicability of this information to their
individual situations and take appropriate action. HP does not
warrant that this information is necessarily accurate or complete for
all user situations and, consequently, HP will not be responsible for
any damages resulting from user's use or disregard of the information
provided in this Bulletin."


(c)Copyright 2001, 2003 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information in
this document is subject to change without notice. Hewlett-Packard
Company and the names of Hewlett-Packard products referenced herein
are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may
be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQCVAwUBPqVv7Eb+N2sIuD1FAQFYAAP/XbkErs+t0wscINr8L0IlcR6P0WxMKWye
cTCOXtheEyB0PTtJTxzqW9UH/3pLP+cqINSGGqiy6JNNqtdftsnrxb0aUtw/qD6h
Wi7MtHetv7OAAjZXw2BYGdDCZk61UPZdV32x1JqJgT1yh4sW9yN31IVDwQBj7hWi
+aZ4XYfJy6U=
=7uPG
-----END PGP SIGNATURE-----
