-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: (MPE/iX) #00001, 20 March 95
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard will not be liable for
any consequences to any customer resulting from customer's failure
to fully implement instructions in this Security Bulletin as soon
as possible.
_______________________________________________________________________
PROBLEM:      Security vulnerability in the MPE/iX operating system
PLATFORM:     HP3000 Series 900 systems running Release 4.0, Release 4.5, and
              the 5.0 Limited Release of MPE/iX
DAMAGE:       Users can gain additional privileges and/or special capabilities
SOLUTION:     Update all systems to the General Release of MPE/iX 5.0, or
              Apply patch MPEHX24A (MPE/iX Release 4.0 B.40.00), or
              patch MPEHX24B (Limited Release MPE/iX 5.0 X.50.20)
FIX:          The problem is fixed in the General Release of MPE/iX 5.0 (C.50.00)
AVAILABILITY: The 5.0 General Release and all patches are available now.
_______________________________________________________________________
A. Nature of the problem

   It has been found that HP 3000 systems running MPE/iX Release 4.0
   (B.40.00), Release 4.5 (C.45.00), and the Limited Release of
   MPE/iX 5.0 (X.50.20) have a vulnerability that can be exploited by
   users to gain additional privileges and/or capabilities, but only if
   the users are already logged on to the system. This problem does not
   permit a user to gain additional privileges by accident. However, a
   user can exploit this vulnerability to gain System Manager (SM)
   capability.

B. Fixing the problem

   Hewlett-Packard recommends that you update your HP 3000 Series 900
   computer systems to the General Release of MPE/iX 5.0 (C.50.00), as
   this problem is fixed in that release. Updating to the 5.0 General
   Release is the easiest and safest way to get the fix for this security
   problem. Customers with HP System Support contracts should have
   already received their shipments of the General Release of MPE/iX 5.0
   (C.50.00).

   However, if you feel that you cannot update to the 5.0 General
   Release at this time, the proper corrective measure depends on which
   release of MPE/iX your HP 3000 system is running.

   The vulnerability can be eliminated from Release 4.0 and the Limited
   Release of MPE/iX 5.0 by applying a patch, MPEHX24A/B. Release 4.5
   (C.45.00) MUST be updated to the General Release of MPE/iX 5.0
   (C.50.00), as no patch will be created for Release 4.5.

C. How to Install the Patch (for MPE/iX 4.0 & Limited Release MPE/iX 5.0)

   1. Determine which patch is appropriate for your operating system release:

         MPEHX24A for Series 900, MPE/iX 4.0 (B.40.00)
         MPEHX24B for Series 900, Limited Release MPE/iX 5.0 (X.50.20)

   2. Obtaining the patch.

      If you have an HP System Support contract, you should be receiving a
      security notification packet that includes a FAX-back form for
      ordering the patches that fix the problems described in the following
      three Security Bulletins -- HPSBMP9503-001, HPSBMP9503-002, and
      HPSBMP9503-003.

      If you do not have an HP System Support contract, you can obtain the
      same patches by ordering MPE/iX SECURITY PATCH, Product Number B5116AA.
      This product is available at no charge. When ordering the product,
      you need to know which MPE/iX release you are patching and on what
      media you want the patch delivered. The following chart shows the
      two product options:

              Option Table for Product Number B5116AA

                        1600BPI   6250BPI
                         Tape      Tape       DDS
                      |---------|---------|---------|
              B.40.00 | 240,AA1 | 240,AA2 | 240,AAH |
                      |---------|---------|---------|
              X.50.20 | 250,AA1 | 250,AA2 | 250,AAH |
                      |---------|---------|---------|

      Phone numbers to HP Direct and other HP Country Sales offices have
      been included at the end of this bulletin for your convenience.

   3. Apply the patch to your MPE/iX system.

      Installation instructions are included with the MPE/iX SECURITY PATCH
      product.

   NOTE: IF YOU DECIDE TO APPLY ONE OF THE TWO PATCHES MENTIONED
   ABOVE RATHER THAN UPDATE YOUR HP 3000 TO THE GENERAL RELEASE OF
   MPE/iX 5.0, YOU MUST RE-APPLY ALL MPE/iX PATCHES PREVIOUSLY INSTALLED
   ON YOUR SYSTEM.

   Patch MPEHX24A/B replaces the Operating System SOM (OS SOM) in
   NL.PUB.SYS. This process has the effect of removing all previously
   installed MPE/iX patches from the OS SOM. You can obtain all prior
   General Release patches by ordering the current MPE/iX PowerPatch tape
   (B.40.09) for Release 4.0 or the current MPE/iX PowerPatch tape
   (X.50.24) for the Limited Release of 5.0. If you have an HP System
   Support contract, call your local Hewlett-Packard support contact.
   Otherwise, call your local HP Sales representative and order Product
   Number 50757A -- PowerPatch Tape. Be sure to indicate which version
   of the PowerPatch tape you require and the correct media type.

   PowerPatch tapes are available free of charge to customers who have an
   HP System Support contract and at a nominal charge to customers who
   do not.

D. Impact of the patch and workaround

   Application of the patch will eliminate the vulnerability. See the
   NOTE above for the patch impact.

E. Obtaining General Security Information

   To subscribe to automatically receive future NEW HP Security
   Bulletins from the HP SupportLine mail service via electronic
   mail, send an email message to:

      [log in to unmask] (no Subject is required)

   Multiple instructions are allowed in the TEXT PORTION OF THE
   MESSAGE. Here are some basic instructions you may want to use:

   To add your name to the subscription list for new Security
   Bulletins, send the following in the TEXT PORTION OF THE MESSAGE:

      subscribe security_info

   To retrieve the index of all HP Security Bulletins issued to date,
   send the following in the TEXT PORTION OF THE MESSAGE:

      send security_info_list

   World Wide Web service for browsing of bulletins is available via
   the HPSL URL:

      http://support.mayfield.hp.com

   Choose "Support news", then under Support news,
   choose "Security Bulletins"

F. To report new security vulnerabilities, send email to

      [log in to unmask]
_______________________________________________________________________
United States                           Canada
  Tel: 800-386-1117                       Tel: 800-387-3154
  Fax: 800-386-1118

Austria                                 Netherlands
  Tel: 43 222/250 00-200                  Tel: 31 20-5476040
  Fax: 43 222/250 00-311                  Fax: 31 20-5477778

Belgium                                 Norway
  Tel: 32 2/778.33.99                     Tel: 47 2 273 5767
  Fax: 32 2/778.33.88                     Fax: 47 2 273 5620

Czech Republic                          Poland
  Tel: 42/2/4717230                       Tel: 48/22/375085
  Fax: 42/2/4717611                       Fax: 48/22/374783

Denmark                                 Portugal
  Tel: 45 45 99 11 45                     Tel: 351(1)301 7343
  Fax: 45 45 82 11 46                     Fax: 351(1)301 7568

Finland                                 Russia
  Tel: 358 0-8872 2000                    Tel: 7095-923-5001
  Fax: 358 0-8872 2002                    Fax: 7095-230-2611

France                                  Slovenia
  Tel: 33(1)60 77 30 04                   Tel: 386(61)159-3322
  Fax: 33(1)69 91 86 79                   Fax: 386(61)558-597

Germany                                 Slovak Republic
  Tel: 49 70 31/14-55 40                  Tel: 42/7/765896
  Fax: 49 70 31/14-10 80                  Fax: 42/7/763408

Greece                                  Spain
  Tel: 30/1/6896411                       Tel: 34(1)631 11 11
  Fax: 30/1/6896512                       Fax: 34(1)631 11 22

Hungary                                 Sweden
  Tel: 36/1/1420986                       Tel: 46 8-750 22 10
  Fax: 36/1/1223692                       Fax: 46 8-793 90 50

Iceland                                 Switzerland (French)
  Tel: 354/1/671000                       Tel: 41(22)780 44 65
  Fax: 354/1/673031                       Fax: 41(22)780 42 20

Ireland                                 Switzerland (German)
  Tel: 353/1/2844633                      Tel: 41 1/735 72 70
  Fax: 353/1/2844622                      Fax: 41 1/735 77 11

Italy                                   Turkey
  Tel:                                    Tel: 90-1-224 59 25
  Fax: 39 2/75.30.645                     Fax: 90-1-224 59 39

Mexico                                  UK
  Tel: (+52 5) 326-4684                   Tel: 44-344-369231
                                          Fax: 44 344-361014

European Headquarters &                 Middle East and
Multicountry Sales Region               Africa Operation
  Tel: 41/22/780/8111                     Tel: 41/22/780/4111
  Fax: 41/22/780/8609                     Fax: 41/22/780/4770

Australia                               Korea
  Tel: (61-2)950-7491                     Tel: (822)769-0612
  Fax: (61-2)878-5596                     Fax: (822)769-0523

Asia Pacific Headquarters               Malaysia
  Tel: (65) 290-6217                      Tel: (60-3)295-2315
  Fax: (65) 291-9697                      Fax: (60-3)291-5495

Hong Kong                               Singapore
  Tel: (852)599-7571                      Tel: (65) 290-6005
  Fax: (852)506-9261                      Fax: (65) 296-9023

Japan                                   Taiwan
  Tel: (81-423)30-7888                    Tel: (886-2)717-9620
  Fax: (81-426)45-4312                    Fax: (886-2)714-8793

Other Countries
  Call your local HP Country Sales office or distributor
-----------------------------------------------------------------------------