HPSBUX02509 SSRT100032 rev.1 - HP-UX Running NFS/ONCplus, NFS Inadvertently Enabled

Post by secur » Sat, 27 Mar 2010 05:56:19

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02026642
Version: 1

HPSBUX02509 SSRT100032 rev.1 - HP-UX Running NFS/ONCplus, NFS Inadvertently Enabled

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-03-25
Last Updated: 2010-03-25

-------------------------------------------------------------------------------

Potential Security Impact: NFS inadvertently enabled

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with NFS/ONCplus running on HP-UX. The vulnerability could result in the inadvertent enabling of NFS.

References: CVE-2010-0451

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 running NFS / ONCplus version B.11.31_08 or previous

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
Reference       Base Vector                    Base Score
CVE-2010-0451   (AV:N/AC:H/Au:N/C:P/I:P/A:N)   4.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

Installing the affected ONCplus versions sets NFS_SERVER=1 in /etc/rc.config.d/nfsconf regardless of the original setting. On a system that was configured as an NFS client only, or with NFS disabled, this can inadvertently enable the NFS server.

HP has provided an upgrade to resolve this vulnerability.
This upgrade is available from the following location.

URL http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ONCplus

HP-UX Release / Depot name

B.11.31 / Install ONCplus_B.11.31.09.depot or subsequent

MANUAL ACTIONS: Yes - Update

Install ONCplus_B.11.31.09.depot to preserve NFS_SERVER value when updating.
Check and correct NFS_SERVER and NFS_CLIENT values.
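An added example, not part of the HP bulletin, of the "check and correct" step above: a small POSIX sh audit that reads the NFS_SERVER and NFS_CLIENT assignments from an nfsconf-style file, compares them with the values the administrator intended to keep across the ONCplus update, and rewrites a drifted value. The file path is passed as an argument and the sample file is constructed inline so it runs offline; run it against /etc/rc.config.d/nfsconf on the real host.

```shell
#!/bin/sh
# Added example (not HP's code): audit NFS_SERVER / NFS_CLIENT in an
# /etc/rc.config.d/nfsconf-style file after an ONCplus update.

# nfsconf_value FILE VAR -> prints the last effective VAR=value assignment
# (comment lines ignored, optional quotes stripped); prints nothing if unset.
nfsconf_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([0-9]*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# nfs_audit FILE WANT_SERVER WANT_CLIENT -> one line per mismatch;
# returns 0 when both values match, 1 when either value drifted.
nfs_audit() {
    file=$1; want_server=$2; want_client=$3; rc=0
    have_server=$(nfsconf_value "$file" NFS_SERVER)
    have_client=$(nfsconf_value "$file" NFS_CLIENT)
    if [ "${have_server:-0}" != "$want_server" ]; then
        echo "NFS_SERVER is ${have_server:-unset}, expected $want_server"; rc=1
    fi
    if [ "${have_client:-0}" != "$want_client" ]; then
        echo "NFS_CLIENT is ${have_client:-unset}, expected $want_client"; rc=1
    fi
    return $rc
}

# nfs_fix FILE VAR VALUE -> rewrites the VAR= line in place, keeping all
# other lines and the file's permissions (cat into the original inode).
nfs_fix() {
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*$2=.*/$2=$3/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample: an NFS-client-only host after the faulty install,
# where the update flipped NFS_SERVER to 1.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample of /etc/rc.config.d/nfsconf
NFS_CLIENT=1
NFS_SERVER=1
START_MOUNTD=1
EOF

nfs_audit "$SAMPLE" 0 1 || echo "drift detected in $SAMPLE"
nfs_fix "$SAMPLE" NFS_SERVER 0
nfs_audit "$SAMPLE" 0 1 && echo "nfsconf values restored"
rm -f "$SAMPLE"
```

After correcting the file, the NFS server is still running until the nfs.server startup script is stopped or the host is rebooted, so check running daemons as well as the configuration.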

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.31 (IA)
==================
NFS.KEY-CORE
NFS.NFS-64ALIB
NFS.NFS-64SLIB
NFS.NFS-CLIENT
NFS.NFS-CORE
NFS.NFS-KRN
NFS.NFS-PRG
NFS.NFS-SERVER
NFS.NFS-SHLIBS
NFS.NFS2-CLIENT
NFS.NFS2-CORE
NFS.NFS2-PRG
NFS.NFS2-SERVER
NFS.NIS-CLIENT
NFS.NIS-CORE
NFS.NIS-SERVER
NFS.NIS2-CLIENT
NFS.NIS2-CORE
NFS.NIS2-SERVER
action: install revision B.11.31.09 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) 25 March 2010 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact the normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: XXXX@XXXXX.COM
It is strongly recommended that security-related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail me