Look what compaq figured out <grin>

For Immediate Release
June 7, 1999
Compaq Computer Corporation

Compaq Security Advisory
Posted: June 7, 1999

Compaq Management Agent Security Vulnerability

Summary

As part of an ongoing concern about security and Internet technology, Compaq has identified a potential security hole in the web-enabled portion of Compaq Management Agents and the Compaq Survey Utility when installed as an agent. This security hole can allow read access to files whose location and filename are known, or can be used to terminate the process controlling the web agents. This affects the web component of Compaq Management Agents version 4.0 and greater and the Compaq Survey Utility version 2.0 and greater when installed as an agent. SNMP and DMI components without the web capability enabled are not affected.

While there are no reports of customers being adversely affected by this vulnerability, Compaq is proactively releasing this bulletin to allow customers to take appropriate action to protect themselves against it.

Issue

The web component of Compaq Management Agents version 4.0 and greater and Compaq Survey Utility 2.0 and greater provides HTTP services to allow management information to be accessible through a web browser. Compaq has always advocated that these agents and utilities be deployed only in private networks and that they are not for use on the Internet or on systems outside the bounds of a firewall. Because of this, Compaq believes that the primary threat is an internal one.

These agents have been discovered to be vulnerable to a file read security hole, which allows files whose location and name are known to be read from the file system on which the agents are installed, and to an overflow security hole that potentially terminates the web agent process. In some cases with Novell NetWare it has caused the server to stop responding.

Affected Software Versions

This affects the web component of all Compaq Management Agents 4.0 and greater running with Windows NT, Windows 9x, Windows 2000, NetWare and Tru64 Unix. Additionally affected is the Compaq Survey Utility 2.0 and greater when installed as an agent on Windows NT or NetWare.

Agent software affected includes that installed on ProLiant and Prosignia servers (since May, 1998), AlphaServers with Windows NT (since October, 1998), AlphaServers with Tru64 Unix (since May, 1999), DIGITAL Intel Servers (since October, 1998), Professional Workstations (since May, 1998), Deskpro and Prosignia desktops (since September, 1998), and Armada and Prosignia portables (since September, 1998). A complete matrix can be found at the end of this document.

Compaq Management Agents for SCO Unix, UnixWare and OpenServer, IBM OS/2 and Compaq OpenVMS are not affected in any way.

What Compaq is doing

Compaq is actively pursuing the testing and release of a software fix to the problem. This will be initially released as a new version 4.23b of the Server Management Agents and a new version 2.18 of the Survey Utility. The Client Management Agent which is pre-installed at the factory will become version 4.3. A SoftPAQ with the Client Management Agent 4.2C will be issued with the fix.

--
Andrew Kunz
Telecom Analyst
Central Computing Facility
TDIT Server Technology
mailto:kunzaat_private
phone (416) 983-9027
pager (416) 375-8427
4163758427at_private
-------------------------------------------
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:21 PDT