Title: HP-UX ASecure Denial of Service Vulnerability
Severity: MODERATE
Description:
HP9000 Series 700 and 800 workstations are secured so that only designated users can use audio. The asecure program allows the local superuser to modify audio security properties, dictating which users and hosts can access audio. Improper permissions on some of the files used by asecure could allow inappropriate modification or deletion of these files by unprivileged users.
Asecure uses an "Audio Security File" (ASF), /etc/opt/audio/audio.sec, to set the local audio security policy. This policy includes which users and hosts can access the Aserver (i.e., local audio playback, editing, etc.), whether or not access control on local audio is implemented, and which users besides the superuser are allowed to modify the ASF. Unfortunately, this file is installed world writable (mode 666), so direct modification of the file can circumvent the controls imposed by the asecure binary, which is normally used to manage it. Modification of this file could result in increased privileges, e.g., access to local audio functions contrary to the security policy, or the ability to deny service to authorized users.
According to HP security bulletin HPSBUX0103-145, there may be other insecure files related to audio security and the asecure program, but HP has not disclosed their location or function. Modification of these files may result in a denial of service.
This problem has additionally been determined to exist in /var/opt/audio/asecure_log and /var/opt/audio/audio_error_log.
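A read-only check for the condition described above, as an added example that is not part of the advisory or of HP's tooling: it tests the three files named on this page for the world-write bit using POSIX `find`. The function names and status labels are made up for this example.

```shell
#!/bin/sh
# Added example: read-only audit of the audio security files named in the
# advisory. Function names and status labels are invented for this example.

# world_writable FILE: succeeds if FILE has the write bit set for "other".
world_writable() {
    # -prune keeps find on FILE itself; -perm -002 matches when o+w is set.
    [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

# audit_files FILE...: prints one status line per file and returns the
# number of world-writable files (0 means none were found).
audit_files() {
    bad=0
    for f in "$@"; do
        if [ -h "$f" ]; then
            # A symlink always shows rwx for everyone; report it for manual
            # review instead of judging the link's own mode.
            echo "SYMLINK  $f"
        elif [ ! -e "$f" ]; then
            echo "MISSING  $f"
        elif world_writable "$f"; then
            echo "WRITABLE $f"
            bad=$((bad + 1))
        else
            echo "OK       $f"
        fi
    done
    return "$bad"
}

# Default to the three paths given on this page when no arguments are passed.
[ "$#" -gt 0 ] || set -- /etc/opt/audio/audio.sec \
    /var/opt/audio/asecure_log /var/opt/audio/audio_error_log
audit_files "$@" || echo "$? file(s) can be modified by any local user"
```

A `WRITABLE` line for audio.sec means the policy can be edited without going through asecure, which is the condition the advisory describes.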
Affected Products:
- HP HP-UX 10.0.01
- HP HP-UX 10.10.0
- HP HP-UX 10.20.0
- HP HP-UX 11.0.0
References:
- HP IT Resource Center (for US, Canada, Asia-Pacific, & Latin-America)