COMMAND
VirtualVault (TGAD)
SYSTEMS AFFECTED
HP9000 Series 700/800 running:
HP-UX 10.24 (VVOS) with VirtualVault A.02.00
HP-UX 10.24 (VVOS) with VirtualVault A.03.00
HP-UX 10.24 (VVOS) with VirtualVault A.03.01
HP-UX 10.24 (VVOS) with VirtualVault A.03.50
PROBLEM
John Daniele found following. The VirtualVault operating system
is HP's solution to secure electronic commerce. It is a B1 and B2
DoD compliant system that is becoming increasingly popular with
big business, banks, etc. The main security mechanism in which
VVOS is based upon is data partitioning. Data on the system is
classified into one of four security classes, or 'vaults' --
INSIDE, OUTSIDE, SYSTEM and SYSTEM HIGH. The INSIDE vault houses
the server's backend applications and databases. The OUTSIDE
vault generally contains the internet front end and any necessary
CGI binaries, etc. SYSTEM and SYSTEM HIGH are responsible for
maintaining the external webpages and audit logs respectively.
These vaults are totally segregated from each other and work
essentially as separate machines. If a program requires access
to either of the vaults it must be authenticated by HP's Trusted
Gateway Proxy daemon. The TGP daemon filters all requests from
the internet and forwards them to middleware server packages that
safely reside behind the INSIDE vault.
While the TGP daemon does a good job of ensuring the integrity of
the request prior to forwarding data to its destination, the
trusted gateway agent that is responsible for wrapping CGI
requests does not check the length of the request prior to sending
it to TGP. This poses a problem since TGA does not correctly
handle request messages that are more than 512 bytes in length.
The result is a trivial DoS attack on TGA and all services being
wrapped by TGA. The bug was discovered during a penetration test
on a client system running VVOS 3.01. A post was made to a CGI
application residing on the system with a large string of
characters. This was then sent to the trusted gateway agent,
causing the daemon to crash, leaving the Netscape Enterprise
Server unable to service further HTTP/SSL requests. The NES logs
show the following:
[07/May/1999:16:16:22] security: for host xxx.xxx.xxx.xxx trying to
GET /cgi-bin/somecgi.cgi?AAAAAAAAAAAAAAA..., vvtga_log reports: ERROR:
setup_connection():
Failed to transfer execution message to TGA daemon
And when NES is started back up:
[07/May/1999:16:28:18] info: successful server startup
[07/May/1999:16:28:18] info: Netscape-Enterprise/3.5.1G B98.169.2301
[07/May/1999:16:33:18] failure: Error accepting connection -5993 (Resource
temporarily unavailable)
SOLUTION
Chris Hudel of HP was notified of this bug. He stated that HP
was aware of the problem and addressed it in patch PHSS 10747.
NOTE: this bug was not tested against PHSS 10747. After some time
new HP advisory appeared, so apply the appropriate patches to
correct the problem:
HP-UX 10.24 with VirtualVault A.02.00 US/Canada
HP-UX 10.24 with VirtualVault A.02.00 International:
PHCO_18615 libsecalarm cumulative patch
PHSS_19389 VirtualVault:2.00:NES:NSAPI
HP-UX 10.24 with VirtualVault A.03.00 US/Canada
HP-UX 10.24 with VirtualVault A.03.00 International:
PHCO_18615 libsecalarm cumulative patch
PHSS_19388 VirtualVault:3.00:NES:NSAPI
HP-UX 10.24 with VirtualVault A.03.01 US/Canada
HP-UX 10.24 with VirtualVault A.03.01 International:
PHCO_18615 libsecalarm cumulative patch
PHSS_19387 VirtualVault:3.01:NES:NSAPI
HP-UX 10.24 with VirtualVault A.03.50 US/Canada
HP-UX 10.24 with VirtualVault A.03.50 International:
PHCO_18615 libsecalarm cumulative patch
PHSS_19376 VirtualVault:3.50:NES:NSAPI