Three security vulnerabilities have been identified in the HP Integrated Lights-Out iLO2 and iLO3 software packages. Attackers can exploit them to carry out DoS attacks and to modify data without authorization.
Package:
HP Integrated Lights-Out 2 (iLO 2) 2.x, HP Integrated Lights-Out 3 (iLO 3) 1.x
Operating systems:
HP-UX 10.x, HP-UX 11.x
Severity:
4.5
Problem:
error in a program function, error in a program component
Exploitation:
local/remote
Impact:
data modification, denial of service (DoS)
Solution:
vendor patch
CVE:
CVE-2008-7270, CVE-2009-3555, CVE-2010-4180
Original advisory ID:
HPSBHF02706
Source:
Hewlett Packard
Problem:
The vulnerabilities result from errors that manifest when the "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG" option is enabled, and from inadequate checking of the return value of the "bn_wexpand()" function.
Impact:
The vulnerabilities allow malicious users to carry out DoS attacks and to modify certain data.
Solution:
Users are advised to install the appropriate patches.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03024266
Version: 1
HPSBHF02706 SSRT100613 rev.1 - HP Integrated Lights-Out iLO2 and iLO3 running SSL/TLS, Denial of Service (DoS), Unauthorized Modification
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-11-07
Last Updated: 2011-11-07
Potential Security Impact: Denial of Service (DoS), unauthorized modification
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Integrated Lights-Out iLO2 and iLO3 running SSL/TLS. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS) or unauthorized modification.
References: SSRT100378, CVE-2008-7270, CVE-2009-3555, CVE-2010-4180
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Integrated Lights-Out 2 (iLO2) firmware versions 2.05 and earlier.
HP Integrated Lights-Out 3 (iLO3) firmware versions 1.16 and earlier.
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address hidden by the source page's spam protection]
CVSS 2.0 Base Metrics
Reference        Base Vector                     Base Score
CVE-2008-7270    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2009-3555    (AV:N/AC:M/Au:N/C:N/I:P/A:P)    5.8
CVE-2010-4180    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following Firmware updates available to resolve the vulnerabilities.
The latest firmware and installation instructions are available from the HP Business Support Center: http://www.hp.com/go/bizsupport
HP Integrated Lights-Out 2 (iLO2) Online ROM Flash Component for Linux and Windows v2.06 or subsequent.
HP Integrated Lights-Out 3 (iLO3) Online ROM Flash Component for Linux and Windows v1.20 or subsequent.
HISTORY
Version:1 (rev.1) 7 November 2011 Initial release