Cisco IOS software vulnerability


Network Security

June 1999

The security patch is also available via anonymous ftp: usffs.external.hp.com, or ~ftp/export/patches/hp-ux_patch_matrix.

HP-UX sendmail denial of service failures

The CIAC Bulletin J-040 reports on an HP-UX security vulnerability in sendmail. Hewlett-Packard Company HP9000 Series 700/800 systems that are running sendmail release 8.8.6 accept connections sub-optimally, which causes denial of service failures. Public domain fixes now in sendmail 8.9.3 have been ported to the HP-UX sendmail 8.8.6 release patch. For HP-UX releases prior to 10.20, upgrade from sendmail 5.65 to sendmail release 8.8.6. See www.software.hp.com. For HP-UX release 10.20: PHNE_17135; for HP-UX release 11.00: PHNE_17190.

To subscribe to automatically receive future New HP Security Bulletins or access the HP Electronic Support Center, use your browser to get to the ESC Web page at: http://ussupport.external.hp.com (for non-European locations), or http://europe-support.external.hp.com (for Europe). Once you are in the main menu, to retrieve patches, click on “Individual Patches”, select the appropriate release and locate the patch by its patch identifier (ID). To view the security patch matrix, which categorizes security patches by platform/OS release and by bulletin topic, go to the archive in “Support Information Digests” and follow the links.


For further information, contact CIAC on: +1 925 422 8193; fax: +1 925 423 8002; E-mail: ciac@llnl.gov.

Cisco IOS software vulnerability

The CIAC Bulletin J-041 reports on information received from Cisco, concerning a problem whereby certain Cisco IOS software input access list filters may ‘leak’ packets in certain network address translation (NAT) configurations, creating a security exposure. Cisco routers running 12.0-based versions of Cisco IOS software (including 12.0, 12.0S and 12.0T, in all versions up to, but not including, 12.0(4), 12.0(4)S and 12.0(4)T, as well as other 12.0 releases) are affected. Non-12.0 releases are not affected.

The failure does not happen at all times, and is less likely under laboratory conditions than in installed networks. This may cause administrators to believe that filtering is working when it is not. Software fixes are being created for this vulnerability, but are not yet available for all software versions. This notice is being released before fixed software is universally available in order to enable affected Cisco customers to take immediate steps to protect themselves against this vulnerability.

Both input access lists and NAT must be in use on the same router interface in order for this vulnerability to manifest itself. If your configuration file does not contain the command “ip access-group in” on the same interface with “ip nat inside” or “ip nat outside”, then you are not affected. The majority of routers are not configured to use NAT, and are therefore not affected. NAT routers are most commonly found at Internet boundaries.

If you are unsure whether your device is running classic Cisco IOS software, log into the device and issue the command “show version”. Cisco IOS software will identify itself simply as “IOS” or “Internetwork Operating System Software”. Other Cisco devices either will not have the “show version” command, or will give different output.

The severity of the impact may vary, depending on the device configuration, type and environment, from sporadic leakage of occasional packets to consistent leakage of significant classes of packets. The environment dependencies are extremely complex and difficult to characterize, but essentially all vulnerable configurations are affected to some degree. Customers with affected devices are advised to assume that the vulnerability affects their networks whenever input access lists are used together with NAT in 12.0-based software.

This vulnerability may allow users to circumvent network security filters, and therefore security policies. This may happen with no special effort on the part of the user, and indeed without the user being aware that a filter exists at all. No particular tools, skills or knowledge are needed for such opportunistic attacks. In some configurations, it may also be possible for an attacker to deliberately create the conditions for this failure; doing so would require detailed knowledge and a degree of sophistication. The conditions that trigger this vulnerability may be frequent and long lasting in some production configurations.

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco’s Web site at http://www.cisco.com. Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows: +1 800 553 2447 (toll-free from within North America); +1 408 526 7209 (toll call from anywhere in the world); E-mail: [email protected].

For further information, contact CIAC on: +1 925 422 8193; fax: +1 925 423 8002; E-mail: ciac@llnl.gov.

© 1999 Elsevier Science Ltd
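The exposure check described in the Cisco item above (an input access list and NAT on the same interface, on a 12.0-based release below the fixed level), as an added example that is not part of the original bulletin. The sample configuration, the function names and the choice to treat other 12.0 trains as affected are assumptions made for illustration.

```python
import re

# Constructed sample configuration for illustration; not taken from the bulletin.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
interface Serial1
 ip access-group 102 out
 ip nat outside
!
"""

ACL_IN = re.compile(r"ip access-group \S+ in$", re.I)
NAT = re.compile(r"ip nat (inside|outside)$", re.I)
RELEASE = re.compile(r"\b12\.0\((\d+)[a-z]?\)([A-Z]*)")


def exposed_interfaces(config):
    """Return interfaces that carry both an input access list and NAT."""
    flags = {}          # interface name -> {"acl", "nat"} seen so far
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):      # any top-level line ends the block
            m = re.match(r"interface\s+(\S+)", raw, re.I)
            current = m.group(1) if m else None
            if current:
                flags[current] = set()
        elif current:
            line = raw.strip()
            if ACL_IN.match(line):
                flags[current].add("acl")
            elif NAT.match(line):
                flags[current].add("nat")
    return [name for name, seen in flags.items() if seen == {"acl", "nat"}]


def release_affected(version_text):
    """Apply the bulletin's version range to a 'show version' string."""
    m = RELEASE.search(version_text)
    if not m:
        return False                     # non-12.0 releases are not affected
    if m.group(2) in ("", "S", "T"):     # fixed in 12.0(4), 12.0(4)S, 12.0(4)T
        return int(m.group(1)) < 4
    return True   # assumption: other 12.0 trains treated as affected
```

A router needs attention when release_affected() is true for its “show version” output and exposed_interfaces() returns a non-empty list for its configuration.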

MARKET NEWS

Telecommunications infrastructure to expand in Latin America

Developing countries are seeking to upgrade and expand their telecommunications infrastructure in order to provide a base for bringing in the manufacturing industry. According to a study by Business Communications Co., the global market for telecommunications equipment totalled $279.7 billion in 1998. Latin America (which accounts for 8.5% of the world’s population) accounted for $22.08 billion (7.9%) of this global market. This market is expected to grow at an average annual growth rate of 8.7% from 1998 to 2002 to reach $30.79 billion in 2002. Brazil accounted for nearly 33% of the Latin American market in 1998 and is expected to maintain that share as it reaches $10.22 billion in 2002. Mexico, which is the second largest market, will experience the fastest annual growth of 10% from 1998 to 2002. Other nations of Southern South America are expected to grow to $4.83 billion by 2002, averaging an annual growth rate of 9.7% from 1998-2003. The principal operators in most of the countries profiled in the study (notably Brazil, Mexico and Argentina) have largely rebuilt their networks during the 1990s.

Some of the factors fuelling the growth include: The principal telecom operator in Brazil, Telebras, was privatized in 1998, which led to substantial investment to upgrade and expand Brazilian networks. An increasing number of competitors will be making increasing investments in equipment between 1998 and 2002 as they build their own facilities, owing to the liberalization of the Latin American telecommunications services markets. Governments of these nations are committed to raising teledensity, which remains low (10 phones per 100 people), despite the modernization of existing networks. Operators are expanding the capacity of their networks by broadening bandwidth to support multimedia services. The existence of these modernized networks now permits operators to expand the services they offer, and business is investing heavily in equipment in order to take advantage of these new capabilities. Mobile telephony has expanded dramatically in Latin America and continues to do so, resulting in rapid growth in the market for wireless network infrastructure equipment. Furthermore, mobile solutions such as wireless local loop are being used in Latin America, to a far higher degree than is the case in countries with more developed economies, to extend basic telephone service to areas that are not served.

For further information, contact Business Communications Co. on Tel: +1 203 853 4266; Fax: +1 203 853 0348.

COMPANY NEWS

Partnership delivers server-based anti-virus solution

Trend Micro has announced an alliance with Compaq Computer Corporation (NYSE:CPQ) under which Trend Micro’s anti-virus products will be included in Compaq ActiveAnswers, an online resource for marketing, buying and deploying business and enterprise solutions.
