HP Servers Hit By Two Security Flaws

by CXOtoday Staff    Apr 15, 2004

Two security flaws have been uncovered in HP servers, one in its Internet Express, used with Tru64 servers, and a second in its authentication system OpenView.

The most serious of these vulnerabilities affects versions up to 2.6.2 of the software, delivered as part of Internet Express 6.2. It is caused by a boundary error in the S/KEY challenge handling procedure. It can be exploited by supplying over-long user details to trigger a buffer overflow, after which a malicious program could be executed.

For this flaw, HP has released a patch:

The company also admitted a “moderately critical” vulnerability in OpenView Operations, specifically in its authentication facility, affecting versions 7.x of OpenView for HP-UX and Solaris, as well as version 6.x of OpenView VantagePoint for the same two OSes.

For the second flaw, the patch is available:

A number of serious vulnerabilities have been found in the Washington University FTP daemon (WU-FTPD) - the replacement FTP daemon for Unix systems, which forms part of HP’s Internet Express, its collection of internet and administration software provided with Tru64 AlphaServer systems.
