search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multiple IPsec implementations do not adequately validate authentication data

Vulnerability Note VU#459371

Original Release Date: 2002-10-17 | Last Revised: 2003-01-06

Overview

IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service.

Description

For background:

    • RFC 2401 Security Architecture for the Internet Protocol
    • RFC 2402 IP Authentication Header
    • RFC 2406 IP Encapsulating Security Payload
IPsec supports integrity and authentication for IP traffic by including a cryptographic checksum in each IPsec datagram. This authentication data is compared to the Integrity Check Value (ICV) that is calculated by the recipient. If the values match, the datagram is considered valid.

BindView RAZOR has reported a vulnerability that exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and possibly other IPsec implementations. While processing an IPsec datagram, vulnerable implementations do not properly calculate the length of the authentication data field for very small datagrams, resulting in an unsigned integer overflow. The ICV is then calculated for an overly large range of memory, which could cause a kernel panic on vulnerable systems.

KAME, FreeBSD, and NetBSD are vulnerable due to the way they handle Encapsulating Security Payload (ESP) datagrams.

Impact

A remote attacker could crash a vulnerable system with a specially crafted IPsec packet. The attacker would need to supply the source and destination IP addresses, the Security Parameters Index (SPI), and a suitably large sequence number. All of this information is transmitted in plain text.

Solution


Upgrade or Apply a Patch

Upgrade or apply a patch as specified by your vendor(s).


Restrict Access

When possible, restrict access to IPsec hosts and gateways. Note that this will not prevent attacks, it will only limit the number of potential sources.

Vendor Information

459371
 
Affected   Unknown   Unaffected

Apple Computer Inc.

Notified:  August 20, 2002 Updated:  October 15, 2002

Status

  Vulnerable

Vendor Statement

Vulnerable systems:


    Mac OS X 10.2
    Mac OS X Server 10.2

Fixed in:
    Mac OS X 10.2.1
    Mac OS X Server 10.2.1

Software updates are available from the "Software Update" pane in System Preferences or from the Apple Software Downloads site:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  August 20, 2002 Updated:  December 11, 2002

Status

  Vulnerable

Vendor Statement

Please see Debian Security Advisory DSA-201.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  August 21, 2002 Updated:  October 15, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This vulnerability has been addressed in FreeBSD 4.7-RELEASE:

FreeS/WAN

Notified:  August 20, 2002 Updated:  December 02, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeS/WAN 1.99 appears to address this issue:

[http://www.freeswan.org/freeswan_trees/freeswan-1.99/CHANGES]

"ESP (and AH, IPCOMP) potential DOS fix."

[/klips/net/ipsec/ipsec_rcv.c]

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Global Technology Associates

Updated:  October 17, 2002

Status

  Vulnerable

Vendor Statement

After analyzing the IPSec issue described in VU#459371 Global Technology Associates, Inc. has determined that GTA firewall products running GNAT Box system software version prior to version 3.3.1 are vulnerable to this attack. GTA has released system software updates to correct this vulnerability.

For users with systems running GNAT Box system software version 3.3.0 a system software update version 3.3.1 is available from GTA's Online Support Center.
For users with systems running GNAT Box system software version 3.2.x a system software update version 3.2.6 is available from GTA's Online Support Center.
For users with systems running GNAT Box system software version 3.1.x or earlier no software update is available. Users should either upgrade to version 3.3.1 or add Remote Access filters to restrict access to designated remote VPN gateways.

To report potential security vulnerabilities in GTA products, send an E-mail message to: security-alert@gta.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  August 21, 2002 Updated:  December 11, 2002

Status

  Vulnerable

Vendor Statement

The AIX operating system is vulnerable to the IPSec issues in releases 4.3.3, 5.1.0 and 5.2.0. Temporary patches are available through an efix package. The efix is available at the following URL:

ftp://ftp.software.ibm.com/aix/efixes/security/ipsec_efix.tar.Z

The following APARs will be available in the near future:
AIX 4.3.3 APAR IY37800 (available approx 1/29/03)
AIX 5.1.0 APAR IY37069 (available approx 12/18/02)
AIX 5.2.0 APAR IY37182 (available approx 4/28/03)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Internet Initiative Japan (IIJ)

Notified:  October 15, 2002 Updated:  December 11, 2002

Status

  Vulnerable

Vendor Statement

IIJ SEIL/neu routers

Firmware prior to 1.63 are vulnerable to this problem. Upgrade to firmware 1.63 or later (available at http://www.seil-neu.com/). If you do are not using IPsec, you are not affected, however, we suggest you to upgrade the firmware in any case.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

KAME Project

Notified:  August 21, 2002 Updated:  October 15, 2002

Status

  Vulnerable

Vendor Statement

all past KAME-based implementations are vulnerable. which includes:


    MacOS 10.2
    BSDi/WindRiver BSD/OS 4.2 and beyond
    NetBSD 1.5 and beyond
    FreeBSD 4.0 and beyond

and probably (if they enable IPsec)
    Juniper JunOS
    Extreme Networks ExtremeWare
    WindRiver VxWorks
    Hitachi GR2000 router [CommWorks Total Control 100]
    Fujitsu GeoStream 920/940 router
    NEC IX5000
    IIJ SEIL

the problem has corrected on kame tree on 2002/08/21.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

For authoritative statements, please reference specific vendor records.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  August 21, 2002 Updated:  December 11, 2002

Status

  Vulnerable

Vendor Statement

sent on December 4, 2002

[Router Products]

    • IX 5000 Series
- is NOT vulnerable.
    • IX 1000 / 2000 Series (IX1010, IX1011, IX1020, IX1050, Bluefire IX1035 and IX2010)
- is vulnerable in the case of Version 4.1 or prior. The exploitation is possible only when IPsec is enabled.
- Fixed verion is 4.2.13 or greater.
- To get fixed software, please contact to: <>
- More information (in Japanese): <>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  August 21, 2002 Updated:  October 22, 2002

Status

  Vulnerable

Vendor Statement

See NetBSD security advisory SA2002-016.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

eSoft

Notified:  October 11, 2002 Updated:  October 15, 2002

Status

  Vulnerable

Vendor Statement

eSoft InstaGate is only vulnerable to this denial of service attack if the attacker knows both the IP address of a tunnel endpoint and the SPI value for that tunnel. A patch is available through eSoft's SoftPak Director.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel

Notified:  August 21, 2002 Updated:  October 15, 2002

Status

  Not Vulnerable

Vendor Statement

In relation to this CERT advisory on security vulnerability in IPsec implementations, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. An initial analysis has shown that none of our products is affected when used as delivered to customers. In particular, the OmniAccess 210, 250, 512 and OmniPCX Office are not affected.

Customers may contact their Alcatel support representative for more details. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential security vulnerabilities in our products using IPsec technology and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya

Notified:  August 21, 2002 Updated:  December 11, 2002

Status

  Not Vulnerable

Vendor Statement

Avaya VPN products, including the VPN Service Unit (VSU) Series of VPN Gateways as well as the VPNremote desktop VPN client software, do not exhibit this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Borderware

Notified:  October 10, 2002 Updated:  October 18, 2002

Status

  Not Vulnerable

Vendor Statement

We have determined that no BorderWare products are vulnerable to the attacks described in VU#459371.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc.

Notified:  August 20, 2002 Updated:  October 21, 2002

Status

  Not Vulnerable

Vendor Statement

Cisco products are not vulnerable to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Clavister

Notified:  August 21, 2002 Updated:  August 22, 2002

Status

  Not Vulnerable

Vendor Statement

Clavister Firewall with VPN module: Not vulnerable.

Clavister VPN Client: Not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  August 20, 2002 Updated:  October 15, 2002

Status

  Not Vulnerable

Vendor Statement

Cray, Inc. is not vulnerable as we provide no software that performs this type of function.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  August 20, 2002 Updated:  October 15, 2002

Status

  Not Vulnerable

Vendor Statement

SOURCE: Hewlett-Packard Company and Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company

RE: x-reference SSRT2326 IPSEC

Not Vulnerable:

    HP-UX
    HP-MPE/ix
    HP Tru64 UNIX
    HP NonStop Servers
    HP OpenVMS

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Notified:  August 27, 2002 Updated:  October 15, 2002

Status

  Not Vulnerable

Vendor Statement

We've checked up on our router (Hitachi,Ltd. GR2000 series) about VU#459371. Our IPsec implemantation is NOT vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intoto

Notified:  October 11, 2002 Updated:  October 18, 2002

Status

  Not Vulnerable

Vendor Statement

Intoto analyzed iGateway AH and ESP implementation for the DoS threat published in VU#459371, and found that iGateway is not vulnerable to this DoS attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent

Notified:  September 09, 2002 Updated:  October 15, 2002

Status

  Not Vulnerable

Vendor Statement

The Edge Switching and Routing products (specifically, the B-STDX 9000, CBX500, GX550, PSAX family and Springtide family) are not vulnerable to VU 459371.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  August 21, 2002 Updated:  October 17, 2002

Status

  Not Vulnerable

Vendor Statement

Microsoft has conducted a thorough investigation based on this report. Microsoft products are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Notified:  August 21, 2002 Updated:  October 21, 2002

Status

  Not Vulnerable

Vendor Statement

MontaVista does not ship any IPSec applications, thus this is not applicable to us. We are not vulnerable to vu459371.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetScreen

Notified:  August 27, 2002 Updated:  August 29, 2002

Status

  Not Vulnerable

Vendor Statement

NetScreen's Global PRO family of network management applications does not use IPSec and is not vulnerable to the issues raised in VU#459371.

NetScreen has determined that ScreenOS, the operating software for NetScreen security devices, is not vulnerable to the issues raised in VU#459371.

The IPSec implementation in the NetScreen Remote family of VPN and security clients has been examined and NetScreen has determined that it is not vulnerable to the issues raised in VU#459371.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance

Notified:  October 10, 2002 Updated:  October 15, 2002

Status

  Not Vulnerable

Vendor Statement

NetApp products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks

Notified:  August 21, 2002 Updated:  December 11, 2002

Status

  Not Vulnerable

Vendor Statement

The following Nortel Networks products implement IPsec but are not affected by the vulnerabilities noted in VU#459371:

The Preside Multi-Service Data Manager (MDM) is not affected.

There are no issues with the Contivity Platform, this includes the:

Contivity 600/1500/1600/2000/2500/2600/4500/4600
Contivity 1010/1050/1100
Contivity 1700/2700
Contivity software releases 3.5 and beyond including the Contivity VPN Client
The Shasta 5000 Broadband Services Node is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  August 21, 2002 Updated:  October 21, 2002

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We don't yet support IPsec.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SSH Communications Security

Notified:  August 21, 2002 Updated:  December 11, 2002

Status

  Not Vulnerable

Vendor Statement

1. CERT/CC Vulnerability Note VU#459371

=======================================

Multiple IPSec implementations do not adequately validate
authentication data:

    CERT/CC has announced a new vulnerability on IPSec (see the
    "Vulnerability Note VU#459371" referred). Based on our review, SSH
    IPSEC Express Toolkit 4.x/5.x and SSH QuickSec Toolkit 1.x are not
    vulnerable to the attack described. The sanity check relevant for
    this functionality is located in the transform code of the IPSec
    packet processing.

    More information can be found at:

     http://www.kb.cert.org/vuls/id/459371

    This vulnerability has been assigned CAN-2002-0666 by CVE.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SafeNet

Notified:  August 20, 2002 Updated:  October 15, 2002

Status

  Not Vulnerable

Vendor Statement

SafeNet's VPN clients are not susceptible to this vulerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Notified:  August 20, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  August 20, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks

Notified:  October 11, 2002 Updated:  October 15, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F-Secure

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NIST

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NeXT

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Associates

Notified:  August 20, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell

Notified:  December 11, 2002 Updated:  December 11, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  August 20, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

PGP

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  August 20, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  August 20, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux)

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc.

Notified:  August 21, 2002 Updated:  August 29, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 52 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

The CERT/CC thanks Todd Sabin of BindView RAZOR for discovering and reporting this issue.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-0666
Severity Metric: 5.14
Date Public: 2002-10-17
Date First Published: 2002-10-17
Date Last Updated: 2003-01-06 21:56 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.