COMMAND

    VirtualVault (TGAD)

SYSTEMS AFFECTED

    HP9000 Series 700/800 running:
           HP-UX 10.24 (VVOS) with VirtualVault A.02.00
           HP-UX 10.24 (VVOS) with VirtualVault A.03.00
           HP-UX 10.24 (VVOS) with VirtualVault A.03.01
           HP-UX 10.24 (VVOS) with VirtualVault A.03.50

PROBLEM

    John Daniele found the following. The VirtualVault operating system
    is HP's solution for secure electronic commerce. It is a B1 and B2
    DoD compliant system that is becoming increasingly popular with
    big business, banks, etc. The main security mechanism on which
    VVOS is based is data partitioning. Data on the system is
    classified into one of four security classes, or 'vaults' --
    INSIDE, OUTSIDE, SYSTEM and SYSTEM HIGH. The INSIDE vault houses
    the server's backend applications and databases. The OUTSIDE
    vault generally contains the internet front end and any necessary
    CGI binaries, etc. SYSTEM and SYSTEM HIGH are responsible for
    maintaining the external webpages and audit logs respectively.
    These vaults are totally segregated from each other and work
    essentially as separate machines. If a program requires access
    to either of the vaults, it must be authenticated by HP's Trusted
    Gateway Proxy daemon. The TGP daemon filters all requests from
    the internet and forwards them to middleware server packages that
    safely reside behind the INSIDE vault.

    While the TGP daemon does a good job of ensuring the integrity of
    the request prior to forwarding data to its destination, the
    trusted gateway agent (TGA) that is responsible for wrapping CGI
    requests does not check the length of the request prior to sending
    it to TGP. This poses a problem, since TGA does not correctly
    handle request messages that are more than 512 bytes in length.
    The result is a trivial DoS attack on TGA and all services being
    wrapped by TGA. The bug was discovered during a penetration test
    on a client system running VVOS 3.01. A post was made to a CGI
    application residing on the system with a large string of
    characters. This was then sent to the trusted gateway agent,
    causing the daemon to crash and leaving the Netscape Enterprise
    Server unable to service further HTTP/SSL requests. The NES logs
    show the following:

        [07/May/1999:16:16:22] security: for host xxx.xxx.xxx.xxx trying to
        GET /cgi-bin/somecgi.cgi?AAAAAAAAAAAAAAA..., vvtga_log reports:  ERROR:
        setup_connection():
        Failed to transfer execution message to TGA daemon

    And when NES is started back up:

        [07/May/1999:16:28:18] info:  successful server startup
        [07/May/1999:16:28:18] info: Netscape-Enterprise/3.5.1G B98.169.2301
        [07/May/1999:16:33:18] failure: Error accepting connection -5993 (Resource
        temporarily unavailable)
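
    Added example, not part of the original advisory or of HP's
    tooling: a Python triage pass over an NES error log that folds
    wrapped records back together and flags the two signatures quoted
    above (the TGA hand-off failure, then connection-accept errors
    logged after it). The record layout is assumed from the excerpts;
    names such as triage() are illustrative.

```python
import re

# Record start as it appears in the advisory's excerpt: "[timestamp] level: message"
RECORD = re.compile(r"^\[([^\]]+)\]\s+(\w+):\s*(.*)$")
REQUEST = re.compile(r"for host (\S+) trying to\s+(\w+)\s+(\S+)")
TGA_FAIL = "Failed to transfer execution message to TGA daemon"
ACCEPT_FAIL = "Error accepting connection"

# Sample input: the two log excerpts quoted in the advisory, wrapped as printed there.
SAMPLE_LOG = """\
[07/May/1999:16:16:22] security: for host xxx.xxx.xxx.xxx trying to
GET /cgi-bin/somecgi.cgi?AAAAAAAAAAAAAAA..., vvtga_log reports:  ERROR:
setup_connection():
Failed to transfer execution message to TGA daemon
[07/May/1999:16:28:18] info:  successful server startup
[07/May/1999:16:28:18] info: Netscape-Enterprise/3.5.1G B98.169.2301
[07/May/1999:16:33:18] failure: Error accepting connection -5993 (Resource
temporarily unavailable)
"""

def parse_records(text):
    """Fold wrapped physical lines into (timestamp, level, message) records."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = RECORD.match(line)
        if m:
            records.append(list(m.groups()))
        elif line and records:
            records[-1][2] += " " + line  # continuation of the previous record
    return [tuple(r) for r in records]

def triage(text):
    """Report TGA hand-off failures and any accept failures logged after them."""
    out = {"tga_failures": [], "accept_failures_after": []}
    for ts, level, msg in parse_records(text):
        if level == "security" and TGA_FAIL in msg:
            m = REQUEST.search(msg)
            host, method, uri = m.groups() if m else (None, None, "")
            cgi = uri.split("?")[0].rstrip(",") or None  # drop the query string
            out["tga_failures"].append(
                {"time": ts, "host": host, "method": method, "cgi": cgi})
        elif level == "failure" and ACCEPT_FAIL in msg and out["tga_failures"]:
            out["accept_failures_after"].append(ts)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```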

SOLUTION

    Chris Hudel of HP was notified of this bug. He stated that HP
    was aware of the problem and addressed it in patch PHSS 10747.
    NOTE: this bug was not tested against PHSS 10747. Some time later
    a new HP advisory appeared, so apply the appropriate patches to
    correct the problem:

        HP-UX 10.24 with VirtualVault A.02.00 US/Canada
        HP-UX 10.24 with VirtualVault A.02.00 International:
                PHCO_18615 libsecalarm cumulative patch
                PHSS_19389 VirtualVault:2.00:NES:NSAPI

        HP-UX 10.24 with VirtualVault A.03.00 US/Canada
        HP-UX 10.24 with VirtualVault A.03.00 International:
                PHCO_18615 libsecalarm cumulative patch
                PHSS_19388 VirtualVault:3.00:NES:NSAPI

        HP-UX 10.24 with VirtualVault A.03.01 US/Canada
        HP-UX 10.24 with VirtualVault A.03.01 International:
                PHCO_18615 libsecalarm cumulative patch
                PHSS_19387 VirtualVault:3.01:NES:NSAPI

        HP-UX 10.24 with VirtualVault A.03.50 US/Canada
        HP-UX 10.24 with VirtualVault A.03.50 International:
                PHCO_18615 libsecalarm cumulative patch
                PHSS_19376 VirtualVault:3.50:NES:NSAPI