List: bugtraq
Subject: Software Update Available for Legacy RapidStream Appliances and W
From: Steve Fallin <Steve.Fallin () watchguard ! com>
Date: 2002-09-27 21:16:16
["RSSA.SU.AMAD.txt" (text/plain)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SOFTWARE UPDATE

WATCHGUARD RELEASES SECURITY HOTFIX
FOR VCLASS AND LEGACY RSSA APPLIANCES

PRODUCTS AFFECTED:

* Vclass appliances running the current version of Vclass software
* Legacy RSSA appliances running Vclass software
* Legacy RSSA appliances that have not yet upgraded to Vclass
  software

WatchGuard is pleased to announce the immediate availability of the
following hotfixes for its Vclass line of appliances and Legacy RSSA
appliances.

* Vclass 3.2 Hotfix 2, for Vclass and Legacy RSSA appliances running
  Vclass software
* RSSA Appliance v. 3.0.2 Hotfix 31, for Legacy RSSA appliances not
  yet running Vclass software

These hotfixes include remediation for the following
security-related bugs in the Command Line Interface (CLI):

* A "format strings" type of vulnerability in the password
validation code active during remote user login using SSH. The CLI
program was abnormally terminated when verifying a password having
an invalid format. This has been fixed.
* The SSH connection was not closed when a client logged in with a
-N (do not execute remote command) option. This has been fixed.

These vulnerabilities in how the CLI handles unexpected input could
be exploited to gain root level access to the appliance. WatchGuard
is not aware of any functioning exploit code that will yield root
level control of the appliance although we believe that it is
possible to develop such code. These hotfixes eliminate the
vulnerabilities.
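
The format-string bug class named in the first item above, shown as an
added example: this is not WatchGuard's code and not part of the original
advisory. The function names and the use of snprintf() to copy the
candidate password are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class; not WatchGuard's code. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* BEFORE: the password received over SSH is used as the format string,
 * so conversion specifiers inside it are interpreted, not copied. */
int copy_candidate_unsafe(char *out, size_t n, const char *pw)
{
    return snprintf(out, n, pw);
}
#pragma GCC diagnostic pop

/* AFTER: constant format string; the password is only ever an argument.
 * Missing or over-long input is rejected with -1 instead of being used. */
int copy_candidate_safe(char *out, size_t n, const char *pw)
{
    int len;

    if (out == NULL || n == 0)
        return -1;
    out[0] = '\0';
    if (pw == NULL)
        return -1;
    len = snprintf(out, n, "%s", pw);
    if (len < 0 || (size_t)len >= n) {   /* error or truncation */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *sample = "pw%%x";   /* constructed input: p w % % x */
    char a[32], b[32];

    copy_candidate_unsafe(a, sizeof a, sample);  /* "%%" collapses to "%" */
    copy_candidate_safe(b, sizeof b, sample);    /* copied byte for byte */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return 0;
}
```

Building with -Wformat -Wformat-security flags the call in the "before"
function; the pragmas here silence that warning only so both forms
compile side by side.
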

WatchGuard recommends that all affected customers download, test and
install the appropriate version of this hotfix as soon as is
practical. We further recommend, as a matter of good practice, that
you verify that only trusted hosts can connect to the CLI.

WatchGuard thanks and acknowledges Joao Gouveia for his assistance
in isolating these vulnerabilities.

HOW TO OBTAIN YOUR HOTFIX

* If you are a Vclass product LiveSecurity Subscriber, obtain this
hotfix by downloading it from our LiveSecurity Web site
<https://www3.watchguard.com/archive/softwarecenter.asp> which
also includes clear installation instructions in the release
notes.
* If you own a legacy RSSA appliance, have already registered your
product's RSSA support contract, and upgraded it to run Vclass
software, please proceed to the Legacy RSSA software download
center <http://watchguard.com/vars/rssa.asp>.
* If you own a legacy RSSA appliance and have not yet upgraded to
Vclass software, you can download a version of the hotfix that is
compatible with your current software and a copy of the release
notes from the Legacy RSSA software download center
<http://watchguard.com/vars/rssa.asp>
* If you own a legacy RSSA appliance and do not have a Standard or
Gold RSSA support contract, please register or purchase your
support contract for your RSSA product by contacting WatchGuard
Support Administration Department at +1.206.521.3575 between the
hours of 6:00 am and 6:00 pm Pacific Time (PST/PDT, GMT -8/-7),
Monday through Friday, or via e-mail at: supportid@watchguard.com
<mailto:supportid@watchguard.com>. Please have the serial number
of your product(s) available when you contact us and identify
yourself as a "RapidStream RSSA customer." We will be happy to
answer any questions about WatchGuard's support programs at that
time.
As always, if you need support, please enter a support incident
online <https://support.watchguard.com/incidents/NewIncident.asp?>
or call our support staff directly:
U.S. Customers: 877.232.3531
International Customers: +1.360.482.1083
WatchGuard Partners: +1.206.521.8375
- - - ------------------------------------------------------
Copyright 2002 WatchGuard Technologies, Incorporated. All
Rights Reserved. WatchGuard, LiveSecurity, Firebox and
ServerLock are registered trademarks or trademarks of
WatchGuard Technologies, Inc. in the United States and/or
other countries. All other trademarks are the property of
their respective owners.
You may not modify, reproduce, republish, post, transmit
or distribute this content except as expressly permitted
in writing by WatchGuard Technologies, Inc.
======================================================
Steve Fallin
Director, Rapid Response Team
mailto:steve.fallin@watchguard.com
Phone +1 206 521 8340
+++++++++++++++++++++++++++++++++
WatchGuard Technologies, Inc
Designing Peace of Mind (tm)
505 Fifth Avenue South, Suite 500
Seattle Wa 98104
http://www.watchguard.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPZS8+k3Vi9lbkWzpEQLikQCeKrE3Xy0REXvEpenfUy3M9N+3yYIAmwTP
sZ8Bm5RL380Lev+PYAm38WVc
=qWY9
-----END PGP SIGNATURE-----