Hewlett-Packard Co. is warning Tru64 administrators of "highly critical" vulnerabilities that could lead to local or remote unauthorized system access or denial of service. HP has released patches for both flaws.
HP has declined to specify the nature of the vulnerabilities, except to say that they are in HP's implementation of IPSec and SSH.
The locations of the vulnerabilities are ironic, in that both IPSec and SSH are intended to provide security features to operating systems. IPSec is used to create encrypted, secure VPN tunnels for passing information between IP-based systems. SSH (Secure Shell) offers secure versions of network commands including rsh, rlogin and rcp, and applications such as telnet and ftp. Users commonly employ SSH to log in to and execute commands on remote computers securely, as well as to establish secure communications between two computers.
Affected versions of HP Tru64 UNIX include V5.1B PK2 (BL22) and PK3 (BL24), and V5.1A running IPSec and SSH software kits earlier than IPSec 2.1.1 and SSH 3.2.2. The vulnerabilities are not present in IPSec version 2.1.1 and SSH version 3.2.2.
HP Tru64 UNIX, which runs on the inherited AlphaServer line, is in the process of being replaced by HP-UX. Tru64 has exhibited vulnerability issues before, including privilege escalation, denial of service and specific issues with SSH in August 2003.