SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Generic)  >  Compaq Web-enabled Management Software
Vendor:  Compaq
(Patch for Tru64 Unix) Re: Nearly All of Compaq's Web-Enabled Management Software Inadvertently Acts As a Web Proxy Server, Allowing Web Surfers to Bypass Normal Proxy Server Filtering
Date:  Apr 7 2001 03:16 (UTC/GMT)
Impact:  Host/resource access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Description:  Compaq has issued a security advisory (SSRT0715) covering nearly all of their web-enabled management software. The vulnerability allows their software to inadvertently act as a generic web proxy server.

Compaq web-enabled management software can act as a generic web proxy server. Internal traffic going out to the Internet can bypass normal proxy server filtering by using the Compaq web-enabled management software at TCP port 2301 on the proxy server system. If this port number is exposed to the Internet with no firewall protection, then external traffic may be able to infiltrate internal networks using the Compaq software as a go-between.

This vulnerability affects the software running on the following operating systems:

Microsoft Windows 9x, NT and 2000, NetWare, SCO Open Server 5, SCO UnixWare 7, RedHat 6.2 and 7.0, Tru64Unix and OpenVMS.

Impact:  A user can use the Compaq web-enabled management software to bypass proxy server filtering software (where proxy servers are deployed). If port 2301 on the proxy server is exposed to the Internet, then external traffic may be able to access internal networks.
Solution:  The vendor has released a patch for the management agents on the Compaq Tru64 Unix platform. See:
http://ftp.support.compaq.com/patches/public/unix/v4.0f/mupssrt0715u_cpqim_01.README

Vendor URL:  www.compaq.com/manage/security
Cause:  Access control error
Underlying OS:  Unix (Tru64)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 23 2001 Nearly All of Compaq's Web-Enabled Management Software Inadvertently Acts As a Web Proxy Server, Allowing Web Surfers to Bypass Normal Proxy Server Filtering



 Message Contents

Date:  Fri, 6 Apr 2001 17:42:30 -0600
From:  Elias Levy <aleph1@SECURITYFOCUS.COM>
Subject:  Compaq Management Agents for Tru64 UNIX

 

Date: Fri, 6 Apr 2001 17:30:45 -0600
From: system PRIVILEGED account <root@nfsserver.support.compaq.com>
To: "Unix Patch Mailing List" <unix@list.support.compaq.com>
Subject: Compaq Management Agents for Tru64 UNIX
Reply-To: ECO-Queries@compaq.com

*******************************************************************************
*                                                                             *
*                  This is an update to an existing patch...                  *
*                                                                             *
*  Online links can be found at                                               *
*    http://ftp.support.compaq.com/patches/public/unix/v4.0f/mupssrt0715u_cpqim_01.README
*******************************************************************************


TITLE: Compaq Management Agents for Tru64 UNIX

PATCH IDENTIFICATION: MUPssrt0715u_cpqim_01

CATEGORY: Software Update

OPERATING SYSTEM:  Tru64 UNIX V4.0f, 4.0g, 5.0, 5.0a and 5.1

EFFECTIVE DATE: 4/05/2001

ELECTRONIC DISTRIBUTION ALLOWED:  Yes

DESCRIPTION:

 This is a Mandatory software update which contains a new version of the
 Compaq Management Agents for Tru64 UNIX. This Patch Kit supersedes
 the MUPssrt0705_cpqim patch kit for Tru64 UNIX.

Enhancements/Fixes:

 This Security Advisory addresses a potential security vulnerability in
 Compaq web-enabled software, which can act as a generic proxy server. Internal
 traffic going out to the Internet can bypass normal proxy server filtering
 by using TCP/IP port 2301, and external traffic may be able to infiltrate
 internal networks if there is no additional firewall protection.

 Compaq strongly recommends that web-enabled agents and utilities are deployed
 only in private networks and are not used on the open Internet or on systems
 outside the bounds of the firewall. The implementation of sound security
 practices, which includes disabling access to non-essential ports, such as
 the Compaq Management ports :2301 and :280, should help to protect customers
 from external malicious attacks. Compaq also recommends that strong passwords
 are used and are changed regularly.

WARNING:

 THIS KIT MUST BE RE-INSTALLED FOLLOWING AN OS UPDATE TO TRU64 UNIX V4.0F,
 4.0G, 5.0, 5.0A, OR 5.1.  FAILURE TO DO SO WILL RESULT IN THE INTRODUCTION
 OF THE SSRT0705 and SSRT0715 SECURITY VULNERABILITIES.

Instructions on how to apply this software update
-------------------------------------------------

 The software update is in a file (MUPssrt0715u_cpqim_01.tar) which contains
 an updated version of the agents in setld format.

 The goal will be for an administrator to download the software update from
 this FTP site, copy it to the target Tru64 UNIX System and extract the files.

 If you are applying this patch to a cluster, perform the steps below on one
 cluster member only, providing that all members are running.

 The following steps provide detailed instructions:

 Step 1: As super user (root) create a temporary directory on the target
        Tru64 UNIX Alpha System, e.g. /usr/tmp/patch

        Download the tar file into that directory.

 Step 2: Uncompress and extract the target files

        # cd /usr/tmp/patch
        # /usr/bin/tar xvf MUPssrt0715u_cpqim_01.tar

        A directory named cpqim222 will be extracted. It contains the setld
        kit files.

 Step 3: Install the setld kit:

        # /usr/sbin/setld -l cpqim222

 Step 4: Follow the setld instructions.

 Step 5: When the installation is complete, delete the temporary subdirectory
        on the target server.

        # rm -r /usr/tmp/patch

============================================================================

Copyright 2001, Compaq Computer Corporation.  All rights reserved.

  Compaq does not warrant that this information is necessarily
  accurate or complete for all user situations and, consequently,
  Compaq will not be responsible for any damages resulting from
  user's use or disregard of the information provided in this
  document.

Product names mentioned herein may be trademarks and/or registered
trademarks of their respective companies.


Copyright 2001, SecurityGlobal.net LLC