OpenSSL issues surface as multiple vulnerabilities in HP-UX's BIND

By Edmund X. DeJesus, Contributing Writer 11 Feb 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Hewlett-Packard is warning HP-UX administrators to install fixes for multiple vulnerabilities in BIND version 920 that could allow remote attackers to cause denial of service in affected systems.

Problems with OpenSSL (reported last October) are manifesting themselves as security vulnerabilities in BIND version 920 of HP-UX

The vulnerabilities stem from parsing problems. For example, the parser automatically rejects some ASN.1 encodings as invalid, which causes errors in deallocating data structures and leads to stack corruption. The result can be denial of service, although execution of arbitrary code may also be possible.

Similarly, since the parser may incorrectly count input characters, a specially constructed SSL client certificate may cause OpenSSL to read past the end of a buffer and cause a denial of service.

A separate error in handling SSL and TLS protocols parses a client certificate even when not requested, leading to a denial of service.

The problem occurs in HP9000 servers running HP-UX versions B.11.00, B.11.11 and B.11.22, if BIND version 920 is installed. HP has provided separate fixes for each version of HP-UX.

Tags: Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary