
Title: Security Vulnerabilities in HP Remote Watch
Released by: HP
Date: 24th October 1996
===============================================================================
Document Id: [HPSBUX9610-039]
Date Loaded: [10-24-96]

Description: Security Vulnerabilities in HP Remote Watch
===============================================================================

-------------------------------------------------------------------------
      HEWLETT-PACKARD SECURITY ADVISORY: #000039, 24 October 1996
-------------------------------------------------------------------------



Hewlett-Packard recommends that the information in the following
Security Advisory should be acted upon as soon as possible.
Hewlett-Packard will not be liable for any consequences to any customer
resulting from customer's failure to fully implement instructions in this
Security Advisory as soon as possible.

Permission is granted for copying and circulating this advisory to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the advisory is
not edited or changed in any way, is attributed to HP, and provided such
reproduction and/or distribution is performed for non-commercial
purposes.

Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.



_______________________________________________________________________
PROBLEM:  Vulnerability in HP Remote Watch in 9.X releases of HP-UX
PLATFORM: HP 9000 series 300/400/700/800s
DAMAGE:   Vulnerabilities exist in HP Remote Watch that allow users to
          gain additional privileges.
SOLUTION: Do not use Remote Watch.
_______________________________________________________________________



I. Remote Watch Update

   A. Problem description

   A recent mailing list disclosure described two vulnerabilities in
   which HP Remote Watch allows unauthorized root access. The first was
   via a socket connection on port 5556.  The second was as a result of
   using the showdisk utility, which is part of the Remote Watch product.
   It has been found that HP9000 Series 300, 400, 700, and 800 systems
   running only HP-UX Release 9.X have this vulnerability.



   B. Fixing the problem

   On 9.X releases of HP-UX that use Remote Watch, this vulnerability
   can only be eliminated by disabling the entire product.  The default
   location for this product is /usr/remwatch/.
   Removal can be accomplished (as root) with the following:

   NOTE: Do not run the standard rmfn command; HP has found that it
   cannot handle programs with active executables.

   Instead, run (with no options):

            /usr/remwatch/bin/removeall

   This runs a Remote Watch script called "unconfigure" to stop actively
   running programs, then proceeds to remove all files including the
   filesets.

   The administrator should also perform both of the following steps:

     1.  Remove or comment out the following entry in the
         /etc/inetd.conf file:

    rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon

     2.  Have inetd re-read its configuration file by executing at the
         prompt:

    inetd -c

   This is the official recommendation from Hewlett-Packard Company.
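
One way to check and apply step 1 on a copy of inetd.conf before installing it, as an added example that is not part of HP's advisory. It assumes a POSIX sh, grep and sed; the function names and the sample file are constructed for illustration, and only the rwdaemon entry and the /usr/remwatch path come from the advisory.

```shell
#!/bin/sh
# Added example, not HP's code. Paths are arguments so nothing under /etc
# is modified; function names and the sample file are illustrative.

# Succeeds if the file still has an active (uncommented) rwdaemon entry.
rwdaemon_active() {
    grep -E '^[[:space:]]*rwdaemon[[:space:]]' "$1" >/dev/null 2>&1
}

# Copies $1 to $2 with active rwdaemon entries commented out.
# Already-commented lines and other services are copied unchanged.
disable_rwdaemon() {
    sed 's/^[[:space:]]*rwdaemon[[:space:]]/#&/' "$1" > "$2"
}

# Succeeds if the product directory (advisory default) still exists.
remwatch_present() {
    [ -d "${1:-/usr/remwatch}" ]
}

# Constructed sample inetd.conf; only the rwdaemon entry is from the advisory.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample file
telnet stream tcp nowait root /etc/telnetd telnetd
rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon
#rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon
EOF
}

# Demo in a scratch directory: report, fix the copy, re-check the result.
audit_demo() {
    dir=$(mktemp -d) || return 1
    write_sample "$dir/inetd.conf"
    remwatch_present && echo "/usr/remwatch still exists: run removeall"
    rwdaemon_active "$dir/inetd.conf" && echo "before: rwdaemon ENABLED"
    disable_rwdaemon "$dir/inetd.conf" "$dir/inetd.conf.new"
    if rwdaemon_active "$dir/inetd.conf.new"; then
        echo "after: rwdaemon still ENABLED"; rc=1
    else
        echo "after: rwdaemon disabled; install the file, then: inetd -c"; rc=0
    fi
    rm -rf "$dir"
    return $rc
}

audit_demo
```

After the edited file is installed, rwdaemon_active /etc/inetd.conf should fail and remwatch_present should fail once removeall has completed.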



   C. Current product status

   Remote Watch was last released from the labs in August of 1993.
   In December 1994 customers were informed of pending product
   obsolescence.  Hewlett-Packard recommends that all customers
   concerned with the security of their HP-UX systems with Remote
   Watch configured on them perform the actions described herein as
   soon as possible.  Again, no patches will be available for any
   versions of HP-UX.

   Since the functionality of HP Remote Watch software has now been
   replicated in other tools that handle system management more
   effectively, there is no longer a sufficient need for HP Remote
   Watch.  Most of the functionality is now provided by the Systems
   Administration Manager (SAM) tool, available at no charge as part
   of the HP-UX operating system, or by the HP OpenView
   OperationsCenter application.

   If further assistance is desired, please contact your HP Support
   Representative.





   D. HP SupportLine

   To subscribe to automatically receive future NEW HP Security
   Bulletins from the HP SupportLine mail service via electronic mail,
   send an email message to:

          support@us.external.hp.com   (no Subject is required)

   Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE.
   Here are some basic instructions you may want to use:

   To add your name to the subscription list for new security bulletins,
   send the following in the TEXT PORTION OF THE MESSAGE:

          subscribe security_info

   To retrieve the index of all HP Security Bulletins issued to date,
   send the following in the TEXT PORTION OF THE MESSAGE:

          send security_info_list

   To get a patch matrix of current HP-UX and BLS security patches
   referenced by either Security Bulletin or Platform/OS, put the
   following in the text portion of your message:

          send hp-ux_patch_matrix

   World Wide Web service for browsing of bulletins is available via
   our URL:

          http://us.external.hp.com

          Choose "Support news", then under Support news,
          choose "Security Bulletins"





   E. To report new security vulnerabilities, send email to

          security-alert@hp.com

   Please encrypt exploit information using the security-alert PGP
   key, available from your local key server, or by sending a
   message with a -subject- (not body) of 'get key' (no quotes) to
   security-alert@hp.com.

_______________________________________________________________________





