OpenSSL issues surface as multiple vulnerabilities in HP-UX's BIND

Edmund X. DeJesus, Contributing Writer

Hewlett-Packard is warning HP-UX administrators to install fixes for multiple vulnerabilities in BIND version 920 that could allow remote attackers to cause denial of service in affected systems.

Problems with OpenSSL (reported last October) are manifesting themselves as security vulnerabilities in

    Requires Free Membership to View

BIND version 920 of HP-UX

The vulnerabilities stem from parsing problems. For example, the parser automatically rejects some ASN.1 encodings as invalid, which causes errors in deallocating data structures and leads to stack corruption. The result can be denial of service, although execution of arbitrary code may also be possible.

Similarly, since the parser may incorrectly count input characters, a specially constructed SSL client certificate may cause OpenSSL to read past the end of a buffer and cause a denial of service.

A separate error in handling SSL and TLS protocols parses a client certificate even when not requested, leading to a denial of service.

The problem occurs in HP9000 servers running HP-UX versions B.11.00, B.11.11 and B.11.22, if BIND version 920 is installed. HP has provided separate fixes for each version of HP-UX.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: