Hewlett-Packard Company Information for VU#970472
| Date Notified: | |
| Date Updated: | |
| Status Summary: | Vulnerable |
Vendor Statement
HP is vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
HP has published HPSBUX0104-148 Sec. Vulnerability in xntpd(1M) which includes workarounds to protect users of HP systems running xntpd.
An excerpt from HPSBUX0104-148 is included here:
A. Background
A buffer overflow has been discovered on various Unix-derived
operating systems in its NTP daemon. Hewlett-Packard Company
ships xntpd on HP-UX releases and has determined that it too,
is vulnerable.
B. Recommended solution
Hewlett-Packard Company recommends that xntpd be shut down
on all systems not absolutely needing time-of-day synchronization
with Internet standard time servers.
On those remaining time-sensitive systems modify the default
configuration file (/etc/ntp.conf) to use the "restrict" clause,
to restrict all but allow some.
We provide an example of a simple configuration. Please refer
to the man (1M) xntpd for further configuration details.
# This server syncs from server 192.255.2.3 and provides
# time services to client 192.27.16.30, yet
# blocks all others.
server 192.255.2.3 prefer
server 127.127.1.1
# allow this client full access
restrict 192.27.16.30
# allow this server full access
restrict 192.255.2.3
# you need both of the following for the localhost
restrict 127.0.0.1
restrict 127.127.1.1
# block everything else
restrict default ignore
NOTE: Patches are currently in development.
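An added example, not part of the HP bulletin or this vendor record: a small Python audit of the "restrict all but allow some" layout in the excerpt, reporting whether the default entry is `ignore`, which addresses get unrestricted access, and which configured servers would be blocked. The function names are hypothetical, and it assumes IPv4 literals only and that the most specific matching restrict entry applies.

```python
import ipaddress

# Constructed sample: the server/restrict lines from the excerpt above.
SAMPLE_CONF = """\
server 192.255.2.3 prefer
server 127.127.1.1
restrict 192.27.16.30
restrict 192.255.2.3
restrict 127.0.0.1
restrict 127.127.1.1
restrict default ignore
"""

def parse(conf_text):
    """Return (server addresses, {network: set of restrict flags})."""
    servers, rules = [], {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        keyword, target, rest = fields[0], fields[1], fields[2:]
        try:
            if keyword == "server":
                servers.append(ipaddress.ip_address(target))
            elif keyword == "restrict":
                if target == "default":
                    net = ipaddress.ip_network("0.0.0.0/0")
                elif rest[:1] == ["mask"]:
                    net = ipaddress.ip_network(f"{target}/{rest[1]}", strict=False)
                    rest = rest[2:]
                else:
                    net = ipaddress.ip_network(target)  # no mask: single host
                rules[net] = set(rest)
        except (ValueError, IndexError):
            continue  # hostnames and malformed lines are out of scope here
    return servers, rules

def effective_flags(addr, rules):
    """Flags of the most specific restrict entry covering addr, or None."""
    matches = [n for n in rules if addr in n]
    return rules[max(matches, key=lambda n: n.prefixlen)] if matches else None

def audit(conf_text):
    servers, rules = parse(conf_text)
    return {
        "default_ignore": "ignore" in rules.get(ipaddress.ip_network("0.0.0.0/0"), ()),
        "full_access": sorted(str(n) for n, flags in rules.items() if not flags),
        "blocked_servers": [str(s) for s in servers
                            if "ignore" in (effective_flags(s, rules) or ())],
    }
```

A non-empty `blocked_servers` list means a `server` line has no matching allow entry, so `restrict default ignore` would also drop that server's replies.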
If you have feedback, comments, or additional information about this vulnerability, please send us email.