Multiple security vulnerabilities have been found in the HP Onboard Administrator software package that malicious users can exploit for a DoS attack, disclosure of sensitive information and bypassing of configured restrictions.
Package:
HP Onboard Administrator 3.x
Operating systems:
CentOS, Debian Linux 4.0 (etch), Debian Linux 5.0 (lenny), HP-UX 11.x, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, SUSE Linux Enterprise Server (SLES) 9, SUSE Linux Enterprise Server (SLES) 10, SUSE Linux Enterprise Server (SLES) 11, Ubuntu Linux 9.04, Ubuntu Linux 9.10, VMware ESX Server 3.x, VMware ESX Server 4.x, VMware ESXi 3.x, VMware ESXi 4.x
Severity:
7.8
Problem:
error in a program function, error in a program component
The vulnerabilities are related to errors in the functions "png_err" and "asn1_d2i_read_bio", the component "protocol.c", the DTLS, SSL and OpenSSL implementations, and the SGC (Server Gated Cryptography) and CMS (Cryptographic Message Syntax) components.
Consequence:
A remote malicious attacker can exploit these vulnerabilities for a Denial of Service (DoS) attack, viewing of confidential data and bypassing of certain security restrictions.
Solution:
All users of the vulnerable software package are advised to use the new, corrected version.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03315912
Version: 1
HPSBMU02776 SSRT100852 rev.1 - HP Onboard Administrator (OA), Remote Unauthorized Access to Data, Unauthorized Disclosure of Information, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-06-07
Last Updated: 2012-06-07
Potential Security Impact: Remote unauthorized access to data, unauthorized disclosure of information, Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Onboard Administrator (OA). The vulnerabilities could be exploited remotely resulting in unauthorized access to data, unauthorized disclosure of information, and Denial of Service (DoS).
References: CVE-2011-3192, CVE-2011-1473, CVE-2011-2691, CVE-2011-4108,
CVE-2011-4576, CVE-2011-4619, CVE-2012-0050, CVE-2012-0053, CVE-2012-0884,
CVE-2012-2110, CVE-2012-1583, SSRT100654, Nessus 53360
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Onboard Administrator (OA) up to and including v3.55
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address not reproduced on this page]
CVSS 2.0 Base Metrics

Reference       Base Vector                      Base Score
CVE-2012-0053   (AV:N/AC:M/Au:N/C:P/I:N/A:N)     4.3
CVE-2012-0050   (AV:N/AC:L/Au:N/C:N/I:N/A:P)     5.0
CVE-2011-4619   (AV:N/AC:L/Au:N/C:N/I:N/A:P)     5.0
CVE-2011-4576   (AV:N/AC:L/Au:N/C:P/I:N/A:N)     5.0
CVE-2011-4108   (AV:N/AC:M/Au:N/C:P/I:N/A:N)     4.3
CVE-2011-3192   (AV:N/AC:L/Au:N/C:N/I:N/A:C)     7.8
CVE-2011-2691   (AV:N/AC:L/Au:N/C:N/I:N/A:P)     5.0
CVE-2011-1473   (AV:N/AC:M/Au:N/C:N/I:P/A:P)     5.8
CVE-2012-0884   (AV:N/AC:L/Au:N/C:P/I:N/A:N)     5.0
CVE-2012-2110   (AV:N/AC:L/Au:N/C:P/I:P/A:P)     7.5
CVE-2012-1583   (AV:N/AC:L/Au:N/C:N/I:N/A:C)     7.8
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
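As an added illustration that is not part of the HP bulletin, the following Python recomputes the CVSS 2.0 base scores in the table above from their vectors using the public CVSS v2 base equations. The metric weights are taken from the CVSS v2 specification; the vector/score pairs are copied from the bulletin so that a printed score can be cross-checked during triage.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights from the public CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def parse_vector(vector):
    """Parse '(AV:N/AC:L/Au:N/C:N/I:N/A:C)' into {metric: value}; unknown or
    missing metrics raise ValueError rather than silently scoring 0."""
    metrics = dict(part.partition(":")[::2] for part in vector.strip("() ").split("/"))
    bad = [k for k in metrics if k not in WEIGHTS or metrics[k] not in WEIGHTS[k]]
    missing = sorted(set(WEIGHTS) - set(metrics))
    if bad or missing:
        raise ValueError(f"bad metrics {bad}, missing metrics {missing}")
    return metrics

def round1(x):
    # CVSS v2 rounds half up to one decimal; Python's round() is half-even.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def base_score(vector):
    """CVSS v2.0 base score: Impact, Exploitability and f(Impact) as in the spec."""
    w = {k: WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no impact at all
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)

# Distinct (vector, printed score) pairs from the bulletin's CVSS table above.
PRINTED = [
    ("(AV:N/AC:M/Au:N/C:P/I:N/A:N)", 4.3), ("(AV:N/AC:L/Au:N/C:N/I:N/A:P)", 5.0),
    ("(AV:N/AC:L/Au:N/C:P/I:N/A:N)", 5.0), ("(AV:N/AC:L/Au:N/C:N/I:N/A:C)", 7.8),
    ("(AV:N/AC:M/Au:N/C:N/I:P/A:P)", 5.8), ("(AV:N/AC:L/Au:N/C:P/I:P/A:P)", 7.5),
]

def mismatches(table=PRINTED):
    """Recompute each vector; return [(vector, computed, printed)] that disagree."""
    return [(v, base_score(v), s) for v, s in table if base_score(v) != s]
```

An empty list from mismatches() means every printed score agrees with the vector it is attached to.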
RESOLUTION
HP has made Onboard Administrator (OA) v3.56 or subsequent available to resolve the vulnerabilities.
Onboard Administrator (OA) v3.56 is available here:
http://www.hp.com/swpublishing/MTX-e41b71e6cfbe471dbd029deaab
HISTORY
Version:1 (rev.1) - 7 June 2012 Initial release