Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!cnd.hp.com!jmc From: jmc@cnd.hp.com (Jerry McCollom) Newsgroups: comp.sys.hp Subject: Re: Security hole in HP-UX Message-ID: Date: 26 Feb 91 16:38:04 GMT References: <1581@gufalet.let.rug.nl> <1991Feb25.132419.1@dev8n.mdcbbs.com> Sender: news@sdd.hp.com (Usenet News) Organization: Colorado Networks Division, Hewlett-Packard Co. Lines: 73 In-Reply-To: campbell@dev8n.mdcbbs.com's message of 25 Feb 91 13:24:19 GMT Nntp-Posting-Host: hpcndnm.cnd.hp.com In article <1991Feb25.132419.1@dev8n.mdcbbs.com> campbell@dev8n.mdcbbs.com (Tim Campbell) writes: > > holes on the system that he was aware of. About a month later an > > update tape arrived from HP. The date on the covering letter was well > > BEFORE the visit of the security person. The update letter explained > > that this was to fix some security holes in sendmail - no surprises > > there - and some other networking utilities. It didn't say what the > > holes were, so the customer was to blindly do the upgrade without > > knowing what holes were being fixed (or left unfixed). The important > > thing here is that HP knew there was a problem but wouldn't tell the > > customer - instead they implied there wasn't a problem. In fact, they > > misled us by telling us something that the company knew was untrue. Of > > course, we're not gullible enough to believe that computer support > > people tell customers the truth, the whole truth and nothing but the > > truth. However this shows what can happen when a company policy of > > silence is followed. The whole escapade has irreversibly damaged the > > image and reputation of HP for me. > > This really sounds like they gave you the security fix for the famous > internet worm. When they checked out your system - all the files were > correct. You *DID* in fact have the standard sendmail program shipped > with the system and nobody tampered with anything. Unfortunately, that > sendmail daemon wasn't really very secure. The problem addressed by this patch was found around the same time that the worm did its thing, but was honestly unrelated. The worm depended on a problem in sendmail's debug code, which HP excluded from the that release of sendmail. Instead, the defect addressed by this sendmail patch was a little known (or, at least, not widely publicized) 4.2BSD sendmail security hole, not exploitable through the deamon, that was discovered and reported internally (and the graphic details were posted to an internal news group as I remember!!). I suspect the other "networking utilities" was the patch to ftpd for a security hole that was described in detail on NPR (National Public Radio). There were no security holes "left unfixed" that we knew of at the time of these patches. That doesn't mean there weren't (aren't) any yet-to-be-found security holes, but it does mean that we would never (and I personally would never) intentionally leave a known security hole in your software even if, as far as we knew, no customer knew about it. I think the sendmail patch was an example of this stance. It is certainly unfortunate if support people weren't up front about there being security problems requiring the patches. I know it was our (lab) policy to be up front about informing customers and support folks about the problems and that they should be patched A.S.A.P. I'm not aware of that there was any company-wide, "official", stated security patch policy at the time of this patch. I do know that our rational behind not revealing intimate details of such security holes was to protect customers who had yet to receive and install the patches (though we did try to ensure that they were distributed as quickly as possible, especially given the broadcast details of the ftp hole). It seemed to make sense to me at the time. Then again, I was privy to the details so I didn't have that pressing desire to know what the security holes were. I'm not involved in any work on HP-UX or networking anymore, but I do like to learn from the past. In this particular case (the sendmail/ftpd patches -- I don't know the details of your current problem) what sort of approach would you rather have seen us take? Regards, Jerry McCollom jmc@cnd.hp.com ----------------------------------------------------------------------- This response does not represent the official position of, or statement by, the Hewlett-Packard Company. This response is provided for informational purposes only. It is supplied without warranty of any kind. ----------------------------------------------------------------------- Brought to you by Super Global Mega Corp .com