General Software Products security bulletins digest

From: IT Resource Center (support_feedbackus-support2-mail.external.hp.com)
Date: Wed Apr 14 2004 - 01:23:06 CDT


                        HP Support Information Digests

===============================================================================
o Security Bulletin Digest Split
   ------------------------------

   The security bulletins digest has been split into multiple digests
   based on the operating system (HP-UX, MPE/iX, and HP Secure OS
   Software for Linux). You will continue to receive all security
   bulletin digests unless you choose to update your subscriptions.
   
   To update your subscriptions, use your browser to access the
   IT Resource Center on the World Wide Web at:

     http://support.itrc.hp.com/

   Under the Maintenance and Support Menu, click on the "more..." link.
   Then use the 'login' link at the left side of the screen to login
   using your IT Resource Center User ID and Password.

   Under the notifications section (near the bottom of the page), select
   Support Information Digests.

   To subscribe or unsubscribe to a specific security bulletin digest,
   select or unselect the checkbox beside it. Then click the
   "Update Subscriptions" button at the bottom of the page.

o IT Resource Center World Wide Web Service
   ---------------------------------------------------

   If you subscribed through the IT Resource Center and would
   like to be REMOVED from this mailing list, access the
   IT Resource Center on the World Wide Web at:

     http://support.itrc.hp.com/

   Login using your IT Resource Center User ID and Password.
   Then select Support Information Digests (located under
   Maintenance and Support). You may then unsubscribe from the
   appropriate digest.
===============================================================================


Digest Name: daily General Software Products security bulletins digest
    Created: Wed Apr 7 7:05:07 EDT 2004

Table of Contents:

Document ID Title
--------------- -----------
HPSBGN01009 SSRT4726 rev.0 Carrier Grade Invalid LAN Management Configurat

The documents are listed below.
-------------------------------------------------------------------------------


Document ID: HPSBGN01009
Date Loaded: 20040405
      Title: SSRT4726 rev.0 Carrier Grade Invalid LAN Management Configuration

HPSBGN01009_0 SSRT4726 rev.0 Carrier Grade Invalid LAN Management Configuration

HP SECURITY BULLETIN

HPSBGN01009     REVISION: 0

SSRT4726 rev.0 Carrier Grade Invalid LAN Management Configuration

NOTICE:
There are no restrictions for distribution of this Bulletin provided
that it remains complete and intact.

The information in this Security bulletin should be acted upon as soon
as possible.

INITIAL RELEASE:
05 April 2004

POTENTIAL SECURITY IMPACT:
remote unauthorized access to offline utilities

SOURCE:
HEWLETT-PACKARD COMPANY
HP Software Security Response Team

REFERENCES:
Intel Action Alert AA-679-1

VULNERABILITY SUMMARY:
A potential vulnerability has been identified with certain HP Carrier Grade Servers resulting in remote unauthorized access to certain offline utilities.

SUPPORTED SOFTWARE VERSIONS*:  ONLY impacted versions are listed.
N/A

BACKGROUND:

Dear HP Customer:

Thank you for your continued reliance on Hewlett-Packard as your systems supplier. Hewlett-Packard (HP) is committed to delivering high quality products to our customers. Toward that goal, HP would like to advise you of an issue that could affect the behavior of certain HP Carrier Grade Servers.

HP systems that are impacted:

· hp carrier grade server cc2300 – A6898A, A6899A
· hp carrier grade server cc3300 – A6900A, A6901A
· hp carrier grade server cc3310 – A9862A, A9863A

Intel has notified HP and other computer manufacturers of an issue with four Intel® server setup utilities per Intel Action Alert AA-679-1.

· System Setup Utility (SSU)
· Client System Setup Utility (CSSU)
· Server Configuration Wizard (SCW)
· CLI Auto-configuration Utility

An invalid firmware setting is present after using Intel® server setup utilities to configure LAN management. This issue has the potential to affect system security, resulting in unauthorized access to certain offline utilities. If LAN Management is not enabled the system will not be affected by this issue.

The problem has not been reported by any HP customers. However, because Intel is strongly committed to delivering high quality products, it has developed a utility to correct the invalid firmware settings. The BmcLanFix utility and instructions are listed at the following Intel web site.

<http://support.intel.com/support/motherboards/server/sb/CS-010422.htm>

HP and Intel strongly recommend that customers who enable LAN management download the BmcLanFix utility and run it to correct the invalid configuration on servers that have IPMI based LAN management enabled. This utility must be run whenever enabling LAN Management. Additionally, the utility must be reapplied whenever the configuration is saved while LAN Management is enabled.

If you have questions or require help, please contact your local HP support representative or sales office. We appreciate your business and look forward to serving your future computing needs.

Regards,
Hewlett-Packard Company

RESOLUTION:
HP and Intel strongly recommend that customers who enable LAN management download the BmcLanFix utility and run it to correct the invalid configuration on servers that have IPMI based LAN management enabled. This utility must be run whenever enabling LAN Management. Additionally, the utility must be reapplied whenever the configuration is saved while LAN Management is enabled.

The BmcLanFix utility and instructions are listed at the following Intel web site.

<http://support.intel.com/support/motherboards/server/sb/CS-010422.htm>

Please write to security-alerthp.com to request a PGP signed
version of this bulletin.

* The software product category that this Security Bulletin
relates to is represented by the 5th and 6th characters of
the Bulletin number: GN=General, MA=Management Agents,
MI=Misc. 3rd party, MP=HP-MPE/iX, NS=HP NonStop Servers,
OV=HP OpenVMS, PI=HP Printing & Imaging, ST=HP Storage,
TU=HP Tru64 UNIX, TL=Trusted Linux, UX=HP-UX,
VV=Virtual Vault

SUPPORT:
For further information, contact HP Services support channel.

SUBSCRIBE:
To initiate a subscription to receive future HP Security Bulletins via Email:

http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: Driver and Support Alerts/Notifications Sign-up: Product Selection

Under Step1: your products

 1. Select product category: - a minimum of servers must be selected.
 2. Select product family or search: - a minimum of one product must be selected.
 3. Add a product: - a minimum of one product must be added.

In Step 2: your operating system(s) - check ALL operating systems for which alerts are required.
Complete the form and Save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page Subscriber’s choice for Business: sign-in.
On the Web page: Subscriber’s Choice: your profile summary - use Edit Profile to update appropriate sections.

Note: In addition to the individual alerts/notifications
for the selected operating systems/products, subscribers will automatically receive
one copy of alerts for non-operating system categories (i.e., a subscriber who
signs up for all six operating system alerts will only receive one copy of all the non-operating
system alerts).

REPORT:
To report a potential security vulnerability
with any HP supported product, send Email to:

security-alerthp.com.

It is strongly recommended
that security related information being communicated
to HP be encrypted using PGP, especially exploit
information. To obtain the security-alert PGP key
please send an e-mail message to security-alerthp.com
with the Subject of 'get key' (no quotes).

System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software
products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in
order to bring to the attention of users of the affected
HP products the important security information contained in
this Bulletin. HP recommends that all users determine
the applicability of this information to their individual
situations and take appropriate action. HP does not warrant
that this information is necessarily accurate or complete
for all user situations and, consequently, HP will not
be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin.
To the extent permitted by law, HP disclaims all warranties,
either express or implied, including the warranties of
merchantability and fitness for a particular purpose, title
and non-infringement."

        © Copyright 2004 Hewlett-Packard Development Company, L.P.

        Hewlett-Packard Company shall not be liable for technical or
        editorial errors or omissions contained herein. The information
        provided is provided "as is" without warranty of any kind. To the
        extent permitted by law, neither HP or its affiliates, subcontractors
        or suppliers will be liable for incidental, special or consequential
        damages including downtime cost; lost profits; damages relating to
        the procurement of substitute products or services; or damages for
        loss of data, or software restoration. The information in this
        document is subject to change without notice. Hewlett-Packard Company
        and the names of Hewlett-Packard products referenced herein are
        trademarks of Hewlett-Packard Company in the United States and other
        countries. Other product and company names mentioned herein may be
        trademarks of their respective owners.
-----End of Document ID: HPSBGN01009-----------------------------------------