Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2003.0584 -- HEWLETT-PACKARD SECURITY BULLETIN: HPSBUX0208-209 SSRT2316 Sec. Vulnerability in DNS and resolver lib's (rev.14) 20 August 2003 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: DNS and resolver Publisher: Hewlett-Packard Operating System: HP-UX 11.22 HP-UX 11.11 HP-UX 11.04 HP-UX 11.00 HP-UX 10.24 HP-UX 10.20 HP-UX 10.10 Platform: HP9000 Series 700/800 Impact: Execute Arbitrary Code/Commands Denial of Service Access Required: Remote CVE Names: CAN-2002-0651, CAN-2002-0684 Ref: ESB-2003.0577 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ----------------------------------------------------------------- **REVISED 14** Source: HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0208-209 Originally issued: 12 August 2002 Last revised: 18 August 2003 SSRT2316 Sec. Vulnerability in DNS and resolver lib's (rev.14) ----------------------------------------------------------------- NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact. The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. ----------------------------------------------------------------- PROBLEM: Potential buffer overflows in DNS resolver libraries. PLATFORM: HP-UX releases B.10.10, B.10.20, B.10.24 (VVOS), B.11.00, B.11.04 (VVOS), B.11.11 and B.11.22. IMPACT: Potential unauthorized access, denial of service. **REVISED 14** SOLUTION: Until a product upgrade is available, download and install appropriate preliminary updates and the appropriate preliminary or final patches. The following patches are available from the itrc: PHCO_26158 for B.10.20 PHCO_27882 for B.10.24 (VVOS) PHNE_27795 for B.11.00 --> PHNE_28449 for B.11.00 PHNE_27881 for B.11.04 (VVOS) --> PHNE_27796 for B.11.11 PHNE_28450 for B.11.11 PHNE_28490 for B.11.22 MANUAL ACTIONS: Yes - NonUpdate Install the applicable upgrades and patches listed in the "Recommended solutions" section (below). AVAILABILITY: The depots are available now. BIND9.2.0 is available now. (for B.11.11) BIND-920 is available now. (for B.11.00) BIND812 is available now. (for B.11.00) The preliminary patches (depot files) are available only from the ftp site (below) at this time. The following are available from the itrc: PHCO_26158 for B.10.20 PHCO_27882 for B.10.24 (VVOS) PHNE_27795 for B.11.00 **REVISED 14** --> PHNE_28449 for B.11.00 PHNE_27881 for B.11.04 (VVOS) --> PHNE_27796 for B.11.11 PHNE_28450 for B.11.11 PHNE_28490 for B.11.22 This bulletin will be updated when a product upgrade is available. This bulletin will also be updated when solutions for other vulnerable products are available. CHANGE SUMMARY: Rev.01 - Added Bind-8.1.2. and libnss_dns information. Rev.02 - A patch was incorrectly listed, PHNE_27647.depot is the correct number. New version available, BIND920ver3.depot. Rev.03 - Added Bind-4.9.7 info. for B.11.00. Rev.04 - Added Bind-4.9.7 info. for B.10.20. Rev.05 - Added libc information for B.10.20. Rev.06 - Corrected "strings" to "strings -a" Rev.07 - Added B.11.04 and B.10.24 info. Rev.08 - BIND9.2.0 version 11.11.2.0.200209. Updated to latest patches. Added B.10.10 information. Rev.09 - BIND812 version B.11.00.01.004. BIND-920 version B.11.00.01.001. Added PHNE_27796 for B.11.11. Removed PHNE_27647.depot for B.11.11. Clarified 10.10 information. Added CERT VU#738331 information. Rev.10 - Added PHNE_27795 for B.11.00. Removed PHNE_27646.depot for B.11.00. Added PHNE_28450 for B.11.11. Removed PHNE_27794.depot for B.11.11. Added note that both client and server systems are affected. Rev.11 - Clarified that BIND9.2.0 version 11.11.01.002 is subsequent to 11.11.2.0.200209. Added CERT VU#852283 and VU#229595 Added discussion of vulnerable B.11.00 and B.11.11 versions. Added CAUTION note about switching between web upgrade and base os versions of bind. Added AFFECTED VERSIONS section. Added B.11.22 information. Rev.12 - Added PHNE_27881 for B.11.04. Added PHCO_26158 for B.10.20. Rev.13 - Added PHNE_28490 for B.11.22. Rev.14 - Added PHNE_28449 for B.11.00. ----------------------------------------------------------------- A. Background CERT advisory CA-2002-19, CERT VU#738331, CERT VU#852283, and CERT VU#229595 report vulnerabilities which may affect products on HP-UX and VVOS. Note: These fixes should be applied to all systems using DNS, including those systems with client programs only. Notes on Bind Versions (B.11.00 and B.11.11) ============================================= Bind is available on B.11.00 and B.11.11 as part of the base operating system and as a web upgrade. Both versions (base os and web upgrade) may be installed on a system simultaneously. Only one version can be active. The active version can be changed via a script. The base os versions are updated via patches. The web upgrade versions are updated by installing a later web upgrade. The web upgrade versions are not patched. If a web upgrade version is active it is not possible to patch the base os version. It is necessary to switch to the base os version with the following command before applying the patch: /usr/bin/enable_inet -r bind If you are running a web upgrade version and do not intend to re-enable the base os version, it is not necessary to patch the base os version. However, since the base os version can be re-enabled with the script, you may want to patch the base os version even though it is not active. Similarly, if you have installed a web upgrade version and have switched back to the base os version, you may want to update to the latest web upgrade version or use swremove(1) to remove the web upgrade version entirely. Identifying the Active Version (B.11.00/B.11.11) ================================================ Execute the following command: what /usr/sbin/named | grep named The bind version will be on the named line. For example: named 9.2.0 Thu Jul 18 11:58:39 GMT 2002 Identifying the Web Upgrade Version (B.11.00/B.11.11) ===================================================== If the file /usr/contrib/bind/usr/sbin/named exists, execute the following: what /usr/contrib/bind/usr/sbin/named | grep named The bind version will be on the named line. AFFECTED VERSIONS The following is a list by HP-UX revision of affected filesets and the fileset revision or patch containing the fix. To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an affected fileset, then determine if a fixed revision or the applicable patch is installed. HP-UX B.11.22 ============= InternetSrvcs.INETSVCS2-RUN fix: PHNE_28490 or subsequent NFS.NFS-SHLIBS NFS.NFS-64SLIB fix: PHNE_27842.depot HP-UX B.11.11 ============= BINDv913.INETSVCS-BIND fix: must upgrade bind.INETSVCS-RUN fix: must upgrade BINDv920.INETSVCS-BIND fix: revision B.11.11.01.002 or subsequent InternetSrvcs.INETSVCS-RUN fix: PHNE_28450 or subsequent NFS.NFS-SHLIBS NFS.NFS-64SLIB fix: PHNE_27796 or subsequent HP-UX B.11.04 ============= InternetSrvcs.INETSVCS-RUN fix: PHNE_28415 or subsequent NFS.NFS-64SLIB NFS.NFS-SHLIBS fix: PHNE_27881 or subsequent HP-UX B.11.00 ============= BINDv812.INETSVCS-BIND fix: revision B.11.00.01.004 or subsequent BINDv920.INETSVCS-BIND fix: revision B.11.00.01.001 or subsequent bind.INETSVCS-RUN fix: must upgrade upgrade_bind812.INETSVCS-RUN fix: must upgrade BINDv913.INETSVCS-BIND fix: must upgrade **REVISED 14** InternetSrvcs.INETSVCS-RUN --> fix: PHNE_28449 or subsequent NFS.NFS-SHLIBS NFS.NFS-64SLIB fix: PHNE_27795 or subsequent HP-UX B.10.24 ============= InternetSrvcs.INETSVCS-RUN fix: PHNE_27879.depot OS-Core.C-MIN OS-Core.CORE-SHLIBS ProgSupport.PROG-AUX ProgSupport.PROG-MIN fix: PHCO_27882 or subsequent HP-UX B.10.20 ============= InternetSrvcs.INETSVCS-RUN fix: PHNE_27792.depot OS-Core.C-MIN OS-Core.CORE-SHLIBS ProgSupport.PROG-MIN ProgSupport.PROG-AUX fix: PHCO_26158 or subsequent HP-UX B.10.10 ============= InternetSrvcs.INETSVCS-RUN fix: PHNE_27792.depot OS-Core.CORE-SHLIBS fix: libc.1.1010, libc.a.1010 END AFFECTED VERSIONS Note: The Security Patch Check tool examines patches to determine whether a system is vulnerable. Therefore, if the base o/s version of bind is not patched as described in this bulletin, the Security Patch Check tool will report that fact even if the web upgrade version is active. The Security Patch Check tool will not examine the web upgrade versions of bind. B. Recommended solution CAUTION: If you have installed a web upgrade, the Base OS version remains on the system. This command: "/usr/bin/enable_inet -r bind" restores the Base OS version. The Base OS version cannot be patched while the web upgrade version is enabled. After reverting to the Base OS version you should verify that it is properly patched as described below. The following preliminary fixes are available: HP-UX B.10.10 ============= PHNE_27792.depot s700_800 10.10/10.20 Bind 4.9.7 components AND libc.1.1010, libc.a.1010 10.10 libc files HP-UX B.10.20 ============= PHNE_27792.depot s700_800 10.10/10.20 Bind 4.9.7 components AND PHCO_26158 s700_800 10.20 libc HP-UX B.10.24 ============= PHNE_27879.depot s700_800 10.24 (VVOS) BIND 4.9.7 components AND PHCO_27882: s700_800 10.24 (VVOS) libc HP-UX B.11.00 Bind 9.2.0 ======================== BIND-920 version B.11.00.01.001 or subsequent from http://software.hp.com. AND PHNE_27795 s700_800 11.00 libnss_dns HP-UX B.11.00 Bind 8.1.2 ======================== BIND812 version B.11.00.01.004 or subsequent from http://software.hp.com. AND PHNE_27795 s700_800 11.00 libnss_dns HP-UX B.11.00 Bind 4.9.7 ======================== **REVISED 14** --> PHNE_28449 s700_800 11.00 Bind 4.9.7 components AND PHNE_27795 s700_800 11.00 libnss_dns HP-UX B.11.04 ============= PHNE_28415 s700_800 11.04 (VVOS) Bind 4.9.7 components AND PHNE_27881 s700_800 11.04 (VVOS) libnss_dns DNS backend HP-UX B.11.11 Bind 9.2.0 ======================== BIND9.2.0 version 11.11.2.0.200209 or subsequent from http://software.hp.com. Note: 11.11.01.002 is subsequent to 11.11.2.0.200209. However, in order to install 11.11.01.002 on a system with 11.11.2.0.200209, the "-x allow_downdate=true" option to swinstall must be used. AND PHNE_27796 s700_800 11.11 libnss_dns Note: BIND9.2.0 version 11.11.2.0.200209 also corrects potential problems reported in CERT advisory CA-2002-23. HP-UX B.11.11 Bind 8.1.2 ======================== PHNE_28450 s700_800 11.11 Bind-8.1.2 patch AND PHNE_27796 s700_800 11.11 libnss_dns HP-UX B.11.22 ============= PHNE_28490 s700_800 11.22 Bind 9.2.0 components AND PHNE_27842.depot s700_800 11.22 libnss_dns DNS backend patch Note: The files mentioned below can be downloaded from the following site. This site is temporary and will be removed when the fixes become available from the itrc. System: hprc.external.hp.com (192.170.19.51) Login: bind Password: bind1 FTP Access: ftp://bind:bind1@hprc.external.hp.com/ or: ftp://bind:bind1@192.170.19.51/ file: upgrade_bind812_v4.depot.gz Note: There is an ftp defect in IE5 that may result in a browser hang. To work around this: - Select Tools -> Internet Options -> Advanced - Un-check the option: [ ] Enable folder view for FTP sites Download and install the appropriate preliminary patch from the ftp site listed above: PHNE_27792.depot s700_800 10.10/10.20 Bind 4.9.7 components --> Note: PHNE_27792 is also available as as site specific patch --> from HP Response Centers. PHNE_27879.depot s700_800 10.24 (VVOS) BIND 4.9.7 components PHNE_28415 s700_800 11.04 (VVOS) Bind 4.9.7 components PHNE_27842.depot s700_800 11.22 libnss_dns DNS backend patch Note: If you wish to verify the md5 sum and you do not have a copy of md5, please refer to: HPSBUX9408-016 Patch sums and the MD5 program Note: Using your itrc account security bulletins can be found here: http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin MD5 (PHNE_27792.depot) = 613aa5827f0b4df4f51188857b5834d0 cksum 4143672841 696320 PHNE_27792.depot MD5 (PHNE_27879.depot) = 90a570964b5cf48dadcd427f69bfdd16 cksum 2889539873 747520 PHNE_27879.depot MD5 (PHNE_28415) = b07cd934bdcac2bf9cdfcbb2b44644de cksum 1939013995 973906 PHNE_28415 MD5 (PHNE_27842.depot) = 79958aa9fdd13614c0564ef60e121ba9 cksum 73665367 266240 PHNE_27842.depot Note: On 10.10 and 10.20 the DNS API is contained in libc. Programs which make DNS calls and are linked with libc.a must be relinked. Programs which are linked with ".a" libraries are statically linked. Statically linked programs may be tested as follows: strings -a suspect_program | grep "Too many addresses (%d)" If the program contains the string it may make DNS API calls and should be relinked with the fixed version of libc.a. Download libc.1.1010 and libc.a.1010 from the ftp site mentioned above. MD5 (libc.1.1010) = 87be3ba33250be16ad39345ed38f9875 cksum 1642516484 1716224 libc.1.1010 MD5 (libc.a.1010) = b680e1861a4b3ea4fc8fe55da63d62d2 cksum 4179986886 2280612 libc.a.1010 Install on B.10.10 as follows: 1. Go to init state 2. Copy libc.1.1010 and libc.a.1010 to a secure directory such as /. 2. cd /usr/lib /usr/sbin/cp libc.1 libc.1.orig /usr/sbin/cp /libc.1.1010 libc.1 /usr/sbin/cp libc.a libc.a.orig /usr/sbin/cp /libc.a.1010 libc.a 3. Reboot the system. ----------------------------------------------------------------- C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following: Use your browser to get to the HP IT Resource Center page at: http://itrc.hp.com Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password. In the left most frame select "Maintenance and Support". Under the "Notifications" section (near the bottom of the page), select "Support Information Digests". To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page. or To -review- bulletins already released, select the link (in the middle column) for the appropriate digest. NOTE: Using your itrc account security bulletins can be found here: http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems. For information on the Security Patch Check tool, see: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=B6834AA The security patch matrix is also available via anonymous ftp: ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/ On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive". D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. ---------------------------------------------------------------- (c)Copyright 2003 Hewlett-Packard Company Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of HP products referenced herein are trademarks and/or service marks of Hewlett-Packard Company. Other product and company names mentioned herein may be trademarks and/or service marks of their respective owners. ________________________________________________________________ - -----BEGIN PGP SIGNATURE----- Version: PGP Personal Security 7.0.3 iQA/AwUBP0EiUOAfOvwtKn1ZEQLucQCgie5F5A6MEjlfabftNAcmsMIvaP4AoNe+ 6DMFhtj3vVdf5wXGcxBO0fI7 =pnaa - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBP0LU/Ch9+71yA2DNAQHrogP6A4ZyuVKn2qh6jstDGk6KWfitCe3l46VV mjI7W2YToccB/5h5F2lX95vpmidwfPuY4byJgnKDAIBieufUfh6p/sDGSy+0zQIy trw06yhOhnHr2ozUILc4HJKS3xlBqGUX0Ls+uTtzZNkKakfo+OJuu+47UeSUj4Z0 bcGbQ9HnHgg= =O5W3 -----END PGP SIGNATURE-----