[security bulletin] HPSBUX02508 SSRT100007 rev.2 - HP-UX Running sendmail with STARTTLS Enabled, Remote Unauthorized Access

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02009860
Version: 2

HPSBUX02508 SSRT17 rev.2 - HP-UX Running sendmail with STARTTLS Enabled, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-04-20
Last Updated: 2010-04-20

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running sendmail and STARTTLS enabled. This vulnerability could allow a user to gain remote unauthorized access.

References: CVE-2009-4565

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23 and B.11.31 running sendmail 8.13.3 with STARTTLS enabled.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2009-4565    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
===========================================================
 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has provided the following upgrades to resolve the vulnerability. The updates are available from http://software.hp.com.

HP-UX Release / Sendmail version / Action
B.11.11 / 8.13.3 / Upgrade to B.11.11.02.008 or subsequent
B.11.23 / 8.13.3 / Upgrade to B.11.23.1.007 or subsequent
B.11.31 / 8.13.3 / Upgrade to C.8.13.3.5 or subsequent

Note: Installations of HP-UX B.11.11 running sendmail 8.11.1 should upgrade to sendmail 8.13.3 or subsequent. This Sendmail 8.13.3 Special Release Upgrade is available for download from http://software.hp.com: go to "Internet ready and networking", then "Sendmail 8.13.3 Special Release Upgrade".

Note: To identify a system in a vulnerable configuration:
1. Log on to the HP-UX system
2. Run 'telnet localhost 25'
3. Enter 'ehlo xyz'
4. Search the output for '250-STARTTLS'
5. If '250-STARTTLS' is found, the system is in a vulnerable configuration

It is recommended that the update be applied even if the system is not currently in a vulnerable configuration. Applying the update will eliminate the possibility of introducing the vulnerability by a configuration change.

MANUAL ACTIONS: Yes - Update
B.11.11 - install SMAIL B.11.11.02.008 or subsequent
B.11.23 - install SMAIL B.11.23.1.007 or subsequent
B.11.31 - install SENDMAIL C.8.13.3.5 or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.11
=============
SMAIL-UPGRADE.INETSVCS-SMAIL
action: install B.11.11.02.008 or subsequent

HP-UX B.11.23
=============
SMAIL-UPGRADE.INET-SMAIL
SMAIL-UPGRADE.INET2-SMAIL
action: install B.11.23.1.007 or subsequent

HP-UX B.11.31
=============
Sendmail.SENDMAIL-AUX
Sendmail.SENDMAIL-RUN
action: install C.8.13.3.5 or subsequent

END AFFECTED VERSIONS

HISTORY
Version: 1 (rev.1) - 24 March 2010 Initial release
Version: 2 (rev.2) - 20 April 2010 Updated revisions for download and download location.

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously
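The bulletin's manual "telnet localhost 25 / ehlo xyz" check, scripted so it can be run across a fleet of HP-UX hosts. This is an added example, not HP's own tooling: it assumes the telnet client the bulletin itself uses is on PATH, and the EHLO replies below are constructed samples, not captures from a real host.

```sh
#!/bin/sh
# Added example (not part of the HP bulletin): automate steps 2-5 of the
# bulletin's check for a sendmail listener that advertises STARTTLS.

# Read an EHLO reply on stdin; return 0 if STARTTLS is advertised.
# Both forms count: "250-STARTTLS" (continuation line, what the bulletin
# says to search for) and "250 STARTTLS" (when it is the last extension).
starttls_advertised() {
    grep -iq '^250[- ]STARTTLS'
}

# Print the bulletin's verdict for an EHLO reply on stdin.
# Returns 0 for the vulnerable configuration, 1 when STARTTLS is not offered.
classify_reply() {
    if starttls_advertised; then
        echo "VULNERABLE-CONFIG: STARTTLS advertised; install the SMAIL/SENDMAIL upgrade"
        return 0
    fi
    echo "NOT-ADVERTISED: STARTTLS not offered (bulletin still recommends the upgrade)"
    return 1
}

# Live check of the local listener, scripted like the bulletin's manual steps.
# Assumption: a classic telnet client; the sleeps let sendmail answer before
# the next command is sent. Exit status comes from classify_reply.
check_local_mta() {
    host="${1:-localhost}"
    { sleep 2; printf 'ehlo xyz\r\n'; sleep 2; printf 'quit\r\n'; } \
        | telnet "$host" 25 2>/dev/null | tr -d '\r' | classify_reply
}

# Constructed sample replies for an offline run (not captured from a real host).
SAMPLE_TLS='220 host.example ESMTP Sendmail 8.13.3
250-host.example Hello xyz, pleased to meet you
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 HELP'
SAMPLE_NOTLS='220 host.example ESMTP Sendmail 8.13.3
250-host.example Hello xyz, pleased to meet you
250 HELP'

case "${1:-}" in
    --live) check_local_mta "${2:-localhost}" ;;
    *)  printf '%s\n' "$SAMPLE_TLS"   | classify_reply
        printf '%s\n' "$SAMPLE_NOTLS" | classify_reply || true ;;
esac
```

Run with no arguments to see both verdicts on the constructed samples; run with `--live [host]` on an HP-UX system to test the real listener.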