Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2003.0291 -- HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0208-209 SSRT2316 Sec. Vulnerability in DNS and resolver lib's (rev.10) 16 April 2003 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: DNS Resolver Libraries Vendor: Hewlett-Packard Operating System: HP-UX 10.10 HP-UX 10.20 HP-UX 10.24 HP-UX 11.00 HP-UX 11.04 HP-UX 11.11 Platform: HP9000 Series 700/800 Impact: Execute Arbitrary Code/Commands Denial of Service Access Required: Remote CVE Names: CAN-2002-0651, CAN-2002-0684 Ref: ESB-2003.0131 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ----------------------------------------------------------------- **REVISED 10** Source: HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0208-209 Originally issued: 12 August 2002 Last revised: 14 April 2003 SSRT2316 Sec. Vulnerability in DNS and resolver lib's (rev.10) ----------------------------------------------------------------- NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact. The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. ----------------------------------------------------------------- PROBLEM: Potential buffer overflows in DNS resolver libraries. PLATFORM: HP9000 Series 700/800 running HP-UX releases 11.00 and 11.11 (11i) with products using DNS resolver libraries, including, but not limited to, Bind 9.x, Bind-8.1.2, and libnss_dns. HP9000 Series 700/800 running HP-UX release 10.20 HP9000 Series 700/800 running HP-UX release 10.10 HP9000 Series 700/800 running HP-UX release 10.24 or 11.04 (VVOS) IMPACT: Potential unauthorized access, denial of service. SOLUTION: Until a product upgrade is available, download and install appropriate preliminary updates and the appropriate preliminary or final patches. MANUAL ACTIONS: Yes - NonUpdate Install the applicable upgrades and patches listed in the "Recommended solutions" section (below). **REVISED 10** AVAILABILITY: The depots are available now. BIND9.2.0 is available now. (11.11) BIND-920 is available now. (11.00) BIND812 is available now. (11.00) The preliminary patches (depot files) are available only from the ftp site (below) at this time. The following are available from the itrc: PHCO_27882 for 10.24 (VVOS) -->> PHNE_27795 for 11.00 -->> PHNE_28450 for 11.11. This bulletin will be updated when a product upgrade is available. This bulletin will also be updated when solutions for other vulnerable products are available. CHANGE SUMMARY: Rev.01 - Added Bind-8.1.2. and libnss_dns information. Rev.02 - A patch was incorrectly listed, PHNE_27647.depot is the correct number. New version available, BIND920ver3.depot. Rev.03 - Added Bind-4.9.7 information for 11.00. Rev.04 - Added Bind-4.9.7 information for 10.20. Rev.05 - Added libc information for 10.20. Rev.06 - Corrected "strings" to "strings -a" Rev.07 - Added 11.04 and 10.24 information. Rev.08 - BIND9.2.0 version 11.11.2.0.200209. Updated to latest patches. Added 10.10 information. Rev.09 - BIND812 version B.11.00.01.004. BIND-920 version B.11.00.01.001. Added PHNE_27796 for 11.11. Removed PHNE_27647.depot for 11.11. Clarified 10.10 information. Added CERT VU#738331 information. Rev.10 - Added PHNE_27795 for 11.00. Removed PHNE_27646.depot for 11.00. Added PHNE_28450 for 11.11. Removed PHNE_27794.depot for 11.11. Added note that both client and server systems are affected. ----------------------------------------------------------------- A. Background CERT advisory CA-2002-19 reports a buffer overflow vulnerability which may affect products on HP-UX release 11.00 and release 11.11 (11i). The vulnerable products include Bind 9.x. This bulletin will be updated when solutions for other vulnerable products are available. CERT VU#738331 is fixed by the patches referenced below. Bind-8.1.2 is vulnerable. The libnss_dns.1 library is vulnerable. Bind-4.9.7 is vulnerable. HP-UX 10.20 programs calling the DNS API are vulnerable. HP-UX 10.10 programs calling the DNS API are vulnerable. **REVISED 10** -> Note: These fixes should be applied to all systems using -> DNS, including those systems with client programs only. B. Recommended solution The following preliminary fixes are available: HP-UX 10.10 PHNE_27792.depot s700_800 10.10/10.20 Bind 4.9.7 components AND libc.1.1010, libc.a.1010 10.10 libc files HP-UX 10.20 PHNE_27792.depot s700_800 10.10/10.20 Bind 4.9.7 components AND PHCO_26152.depot s700_800 10.20 libc HP-UX 10.24 PHNE_27879.depot s700_800 10.24 (VVOS) BIND 4.9.7 components AND PHCO_27882: s700_800 10.24 (VVOS) libc HP-UX 11.00 **REVISED 10** BIND812 version B.11.00.01.004 or subsequent from http://software.hp.com. OR BIND-920 version B.11.00.01.001 or subsequent from http://software.hp.com. OR PHNE_27793.depot s700_800 11.00 Bind 4.9.7 components AND -->> PHNE_27795 s700_800 11.00 libnss_dns HP-UX 11.04 PHNE_28415 s700_800 11.04 (VVOS) Bind 4.9.7 components AND PHNE_27881.depot s700_800 11.04 (VVOS) libnss_dns HP-UX 11.11 BIND9.2.0 version 11.11.2.0.200209 or subsequent from http://software.hp.com. OR -->> PHNE_28450 s700_800 11.11 Bind-8.1.2 patch AND PHNE_27796 s700_800 11.11 libnss_dns Note: BIND9.2.0 version 11.11.2.0.200209 also corrects potential problems reported in CERT advisory CA-2002-23. Note: The files mentioned below can be downloaded from the following site. This site is temporary and will be removed when the fixes become available from the itrc. System: hprc.external.hp.com (192.170.19.51) Login: bind Password: bind1 FTP Access: ftp://bind:bind1@hprc.external.hp.com/ or: ftp://bind:bind1@192.170.19.51/ file: upgrade_bind812_v4.depot.gz Note: There is an ftp defect in IE5 that may result in a browser hang. To work around this: - Select Tools -> Internet Options -> Advanced - Un-check the option: [ ] Enable folder view for FTP sites Download and install the appropriate preliminary patch from the ftp site listed above: PHNE_27792.depot s700_800 10.10/10.20 Bind 4.9.7 components PHCO_26152.depot s700_800 10.20 libc patch PHNE_27879.depot s700_800 10.24 (VVOS) BIND 4.9.7 components PHNE_27793.depot s700_800 11.00 Bind 4.9.7 components PHNE_28415 s700_800 11.04 (VVOS) Bind 4.9.7 components PHNE_27881.depot s700_800 11.04 (VVOS) libnss_dns Note: If you wish to verify the md5 sum and you do not have a copy of md5, please refer to: HPSBUX9408-016 Patch sums and the MD5 program Note: Using your itrc account security bulletins can be found here: http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin MD5 (PHNE_27792.depot) = 613aa5827f0b4df4f51188857b5834d0 cksum 4143672841 696320 PHNE_27792.depot MD5 (PHCO_26152.depot) = fbd411fb4ca5f392722415868ee8b6cb cksum 2238979170 9676800 PHCO_26152.depot MD5 (PHNE_27879.depot) = 90a570964b5cf48dadcd427f69bfdd16 cksum 2889539873 747520 PHNE_27879.depot MD5 (PHNE_27793.depot) = 6f0f0f34c7a51688f6506c56da636689 cksum 4222745255 675840 PHNE_27793.depot MD5 (PHNE_28415) = b07cd934bdcac2bf9cdfcbb2b44644de cksum 1939013995 973906 PHNE_28415 MD5 (PHNE_27881.depot) = d53a774092f72e98cb62607b5882b576 cksum 1828722320 61440 PHNE_27881.depot Note: On 10.10 and 10.20 the DNS API is contained in libc. Programs which make DNS calls and are linked with libc.a must be relinked. Programs which are linked with ".a" libraries are statically linked. Statically linked programs may be tested as follows: strings -a suspect_program | grep "Too many addresses (%d)" If the program contains the string it may make DNS API calls and should be relinked with the fixed version of libc.a. **REVISED 09** Download libc.1.1010 and libc.a.1010 from the ftp site mentioned above. MD5 (libc.1.1010) = 87be3ba33250be16ad39345ed38f9875 cksum 1642516484 1716224 libc.1.1010 MD5 (libc.a.1010) = b680e1861a4b3ea4fc8fe55da63d62d2 cksum 4179986886 2280612 libc.a.1010 Install on 10.10 as follows: 1. Go to init state 2. Copy libc.1.1010 and libc.a.1010 to a secure directory such as /. 2. cd /usr/lib /usr/sbin/cp libc.1 libc.1.orig /usr/sbin/cp /libc.1.1010 libc.1 /usr/sbin/cp libc.a libc.a.orig /usr/sbin/cp /libc.a.1010 libc.a 3. Reboot the system. - - ------------------------------------------------------------------ C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following: Use your browser to get to the HP IT Resource Center page at: http://itrc.hp.com Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password. In the left most frame select "Maintenance and Support". Under the "Notifications" section (near the bottom of the page), select "Support Information Digests". To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page. or To -review- bulletins already released, select the link (in the middle column) for the appropriate digest. NOTE: Using your itrc account security bulletins can be found here: http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems. For information on the Security Patch Check tool, see: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=B6834AA The security patch matrix is also available via anonymous ftp: ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/ On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive". D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. ---------------------------------------------------------------- (c)Copyright 2003 Hewlett-Packard Company Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of HP products referenced herein are trademarks and/or service marks of Hewlett-Packard Company. Other product and company names mentioned herein may be trademarks and/or service marks of their respective owners. ________________________________________________________________ - -----BEGIN PGP SIGNATURE----- Version: PGP Personal Security 7.0.3 iQA/AwUBPpsi7eAfOvwtKn1ZEQKXWwCdGflIt+XXPSIkQwSipmZuFtevtxoAnA2Y R88VdmQSNWdPbdfPouMnS+FT =9snz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBPp1mcCh9+71yA2DNAQEIggP/Q91eoUG9dEQfNronbYP50+oOwrPFkzvK vd/JJene4nMwpJK70bKit+L8rtnsN89c2IRwyicRWul9cJyID84SDHxA/g0NYJXX CjRDNHsQhrHxM7kZBea5nuMmEJUdweeVeRmukuQT7nxNjYd/0cazGhDNdtBvVwNy 4LW9k414Vv8= =Bzbc -----END PGP SIGNATURE-----