Contact: John Weathersby, Open Source Software Institute jmw@oss-institute.org OpenSSL Secures New FIPS 140-2 Validation Open Source Cryptographic Module Once Again Available for Government Adoption and Usage Hattiesburg, MS Wednesday, February 7, 2007 The Open Source Software Institute (OSSI) announced today the FIPS 140-2 validation of the OpenSSL FIPS Object Module, a cryptographic library based on the widely used OpenSSL product. The official validation certificate (#733) is now posted at the NIST FIPS 140-1 and 140-2 Cryptographic Modules Validation List (http://csrc.nist.gov/cryptval/140-1/1401val2007.htm). The OpenSSL FIPS Object Module is freely available and can be downloaded immediately athttp://www.openssl.org/source/openssl-fips-1.1.1.tar.gz. The OpenSSL FIPS Object Module Security Policy and User Guide are also available for download through the OSSI website (www.oss-institute.org) and may be used and reproduced without restriction. -------------------------- Why this is important to government, IT and open source readers: 1) Information Assurance (IA) programs/modules, such as OpenSSL, must achieve government validation (FIPS & Common Criteria) before they can be acquired or used within Dept of Defense systems. (govt policy which regulates this is the National Security Telecommunications and Information Systems Security Policy (NSTISSP) Number 11) 2) FIPS validation demonstrates validity, durability and security of the open source OpenSSL crypto module...as secure as any comparable "commercial version" validated module. Strict scrutiny of the transparent, open source code caused some delays, but outcome resulted in the most thoroughly viewed and tested module available. 3) Validation demonstrated the efficient nature of the open source development model. Updates and modification were made in hours, not days or months. 4) Cost benefit to all government, industry and private developers and im
Title: Hewlett-Packard Network Node Manager 7.50 Remote Console weak files permissions Application: Hewlett-Packard Network Node Manager 7.50 Remote Console under Microsoft Windows XP SP2. Vulnerability: Local Vulnerability Level: High Impact: privilege escalation of any unprivileged user to Local System or another user's account. Author: 3APA3A <3APA3A at security.nnov.ru>, http://SecurityVulns.com Advisory URL: http://securityvulns.com/advisories/nnmrc.asp SecurityVulns news URL: http://securityvulns.com/news/HP/NNM/RC/WP.html CVE: CVE-2007-0819 Intro: NNM Remote Console is remote administration tool for HP Network Node Manager (NNM). Unlike the rest of NNM, it's installed on administrator's workstation. 7.50 is the latest version of NNM Remote Console, because console installation can not be upgraded to 7.51. Vulnerability Description: The bug is very simple: insecure installation folder permissions. During installation of HP Open View Network Node Manager Console this commands is performed: C:\WINDOWS\system32\cmd.exe /C CALL cacls "C:\Program Files\HP OpenView" /T /C /P Everyone:F < "C:\Program Files\HP OpenView\yes.txt" >> "C:\Program Files\HP OpenView\log\setup.log" This command recursively changes access permissions for C:\Program Files\HP OpenView folder to Everyone:Full Control. It makes it possible for any local user to replace any of HP Open View executable files or ActiveX components with trojaned/backdoored ones and gain permissions of user running any of Open View applications (usually network administrator user). And worse: there is service installed into HP Open View folder, namely HP Open View Shared Trace Service with executable C:\Program Files\HP OpenView\bin\ovtrcsvc.exe It's executed with highest possible Local System account. It makes it possible for any local user to overwrite service executable and obtain Local System privileges. Exploit: 1. Rename ovtrcsvc.exe to ovtrcsvc.old 2. Replace ovtrcsvc.exe with any application of
The Firebird team is pleased to announce that v.1.5.4 of Firebird for Windows and Linux is now released and awaiting your pleasure. Kits should be available from many sites today and more over the weekend. A number of additional retrospective fixes have been introduced for bugs that became apparent and were fixed in the Firebird 2 tree during the Firebird 2.0 beta cycle. This is probably the final sub-release of Firebird 1.5.x. It adds no new functionality, although building the software for both Classic and SuperServer for HP-UX11 is now supported. The Firebird Team Download URL: http://www.firebirdsql.org/index.php?op=files&id=engine_154 About Firebird Firebird is a relational database offering many ANSI SQL standard features that runs on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent concurrency, high performance, and powerful language support for stored procedures and triggers. It has been used in production systems, under a variety of names, since 1981. The Firebird Project is a commercially independent project of C and C++ programmers, technical advisors and supporters developing and enhancing a multi-platform relational database management system based on the source code released by Inprise Corp (now known as Borland Software Corp) on 25 July, 2000.
ISVs and Hosters using Windows should be interested in new release from Microsoft: Beta Releases: Windows-based Hosting 4.5 and Windows-based Hosting for Applications 1.5 New in This Release The Microsoft Solution for Windows-based Hosting version 4.5 improves on previous versions of the solution by introducing a number of new features and technologies. Some of the more significant enhancements are: Windows Server 2003 R2 - The infrastructure components of the solution now run on Windows Server 2003 R2, which extends the Windows Server 2003 operating system in important ways. Web platform features include support for .NET framework 2.0 and ASP.NET 2.0 applications as well as 64-bit support for Internet Information Services (IIS) 6.0. In addition, Windows Server 2003 R2 provides: Improved identity and access management. Better control over storage setup and lower management costs due to improved storage management features. Interoperability with UNIX-based systems, including password synchronization. A new licensing model that allows customers to get more value out of server virtualization. SQL Server 2005 -The solution incorporates fundamental advancements in database technology and security with SQL Server 2005. When compared with SQL Server 2000, the latest version of the comprehensive database platform of the solution provides: Up to 35 percent faster transaction processing, including improved response times on queries. Higher availability for mission critical applications and five times faster failover. Up to 40 percent faster development environment through Visual Studio and .NET integration. Improved analysis and calculation capabilities that allow developers to provide new services. Improved reporting capabilities as well as the power to create ad hoc reports in multiple formats. New features to easily support service offerings differentiated by additional capabilities rather than just database size and quantity. Support for 64-bit platforms so service p
Solution ID: 1034289A recent system upgrade added a '1' or '2' to old solution IDs. You find these solutions by removing or retaining the extra '1' or '2'. Product: Scan Engine - 8.300, Scan Engine - 8.000 Operating System: N/A Published: 2/6/07 5:18 AM Problem: Trend Micro has become aware of a vulnerability in its Scan Engine, wherein a corrupted UPX file can cause a buffer overflow and lead to either of the following: • Blue screen of death (BSOD) • Execution of arbitrary code that allows an attacker to take control of the system It affects all Trend Micro products and versions using the Scan Engine and Pattern File technology. A complete list of products is found in: • http://www.trendmicro.com/download/engine.asp • http://www.trendmicro.com/download/pattern.asp Solution: To address the vulnerability, update to virus pattern file 4.245.00 or higher. This provides the following fixes: • Update of the UPX Parsing algorithm • Generic detection for malformed UPX files Enhancements will also be applied on the Scan Engine and the fix will be included in the upcoming release of version 8.5. If you encounter issues downloading the pattern file from the ActiveUpdate server, refer to the following manual update solutions: Client / Server / Messaging Security for SMB Manually updating the Pattern File on the Security Server Manually updating the Pattern File on the Client / Server Security Agent Manually updating the Pattern File on the Messaging Security Agent Client / Server Security for SMB Manually updating the Pattern File on the Security Server Manually updating the Pattern File on the Client / Server Security Agent Control Manager InterScan Messaging Security Suite InterScan VirusWall InterScan VirusWall for SMB (version 5.0) InterScan Web Security Suite OfficeScan ScanMail for Lotus Domino ScanMail for Microsoft Exchange ServerProtect for Linux ServerProtect for Microsoft Windows ServerProtect for Novell NetWare