
List:       bugtraq
Subject:    Software Update Available for Legacy RapidStream Appliances and W
From:       Steve Fallin <Steve.Fallin () watchguard ! com>
Date:       2002-09-27 21:16:16

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SOFTWARE UPDATE


WATCHGUARD RELEASES SECURITY HOTFIX
FOR VCLASS AND LEGACY RSSA APPLIANCES

PRODUCTS AFFECTED:

* Vclass appliances running the current version of Vclass software
* Legacy RSSA appliances running Vclass software
* Legacy RSSA appliances that have not yet upgraded to Vclass
  software


WatchGuard is pleased to announce the immediate availability of the
following hotfixes for its Vclass line of appliances and Legacy RSSA
appliances.

* Vclass 3.2 Hotfix 2, for Vclass and Legacy RSSA appliances running
  Vclass software

* RSSA Appliance v. 3.0.2 Hotfix 31, for Legacy RSSA appliances not
  yet running Vclass software

These hotfixes include remediation for the following security-
related bugs in the Command Line Interface (CLI):

* A "format strings" type of vulnerability in the password
  validation code active during remote user login using SSH. The CLI
  program was abnormally terminated when verifying a password having
  an invalid format. This has been fixed.

* The SSH connection was not closed when a client logged in with a
  -N (do not execute remote command) option. This has been fixed.

These vulnerabilities in how the CLI handles unexpected input could
be exploited to gain root level access to the appliance. WatchGuard
is not aware of any functioning exploit code that will yield root
level control of the appliance although we believe that it is
possible to develop such code. These hotfixes eliminate the
vulnerabilities.
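The "format strings" class of bug named above, shown as a small added C
illustration that is not part of WatchGuard's advisory or of the Vclass/RSSA
CLI code: the function names, buffer size and sample inputs are constructed.
It places the unsafe pattern (untrusted text used as the format argument, so
that "%x" or "%n" in a rejected password is interpreted rather than printed)
next to the hardened form (a fixed format with the text passed only as a %s
argument), plus a check that counts conversion directives in untrusted input.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the format-string bug class named in the
 * advisory; names, buffer sizes and inputs are constructed. */

#define MSG_MAX 128

/* Count printf conversion directives in untrusted text ("%%" is a
 * literal percent, not a directive). Any non-zero result means the text
 * must only ever be an argument to a fixed format, never the format. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" prints a single '%' */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#endif
/* VULNERABLE pattern: the rejected attempt is itself the format string.
 * Compilers warn about this. With "%x" or "%n" in the attempt, snprintf
 * reads or writes memory it was never given instead of copying the text,
 * which is how a password of "invalid format" can crash the program.
 * Only ever called with directive-free input in this file. */
int reject_msg_unsafe(char *out, size_t outsz, const char *attempt)
{
    return snprintf(out, outsz, attempt);
}
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* HARDENED: a fixed format; the attempt is only a %s argument, so any
 * '%' it contains is copied literally and never interpreted. */
int reject_msg_safe(char *out, size_t outsz, const char *attempt)
{
    return snprintf(out, outsz, "rejected: %s", attempt);
}

/* Check helper: does the hardened path reproduce the attempt
 * byte-for-byte after the fixed prefix? Returns 1 if so, else 0. */
int safe_copies_literally(const char *attempt)
{
    char buf[MSG_MAX];
    reject_msg_safe(buf, sizeof buf, attempt);
    return strcmp(buf + strlen("rejected: "), attempt) == 0;
}

/* The unsafe path behaves normally on benign input, which is why this
 * class of bug survives ordinary testing. Returns the bytes written. */
int unsafe_len_benign(void)
{
    char buf[MSG_MAX];
    return reject_msg_unsafe(buf, sizeof buf, "hunter2"); /* constructed */
}

int main(void)
{
    char buf[MSG_MAX];
    const char *attempt = "%x%x%n";   /* constructed hostile input */
    printf("directives in attempt: %d\n", count_format_directives(attempt));
    reject_msg_safe(buf, sizeof buf, attempt);
    printf("safe path: %s\n", buf);   /* the text is printed literally */
    return 0;
}
```

The practical rule the hardened form embodies is that every *printf family
call takes a string literal as its format and untrusted data only ever as an
argument; the directive counter is useful as a unit-test probe or a log-time
sanity check, not as a substitute for that rule.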

WatchGuard recommends that all affected customers download, test and
install the appropriate version of this hotfix as soon as is
practical. We further recommend, as a matter of good practice, that
you verify that only trusted hosts can connect to the CLI.

WatchGuard thanks and acknowledges Joao Gouveia for his assistance
in isolating these vulnerabilities.


HOW TO OBTAIN YOUR HOTFIX

* If you are a Vclass product LiveSecurity Subscriber, obtain this
  hotfix by downloading it from our LiveSecurity Web site
  <https://www3.watchguard.com/archive/softwarecenter.asp>  which
  also includes clear installation instructions in the release
  notes.

* If you own a legacy RSSA appliance, have already registered your
  product's RSSA support contract, and upgraded it to run Vclass
  software, please proceed to the Legacy RSSA software download
  center <http://watchguard.com/vars/rssa.asp>.

* If you own a legacy RSSA appliance and have not yet upgraded to
  Vclass software, you can download a version of the hotfix that is
  compatible with your current software and a copy of the release
  notes from the Legacy RSSA software download center
  <http://watchguard.com/vars/rssa.asp>

* If you own a legacy RSSA appliance and do not have a Standard or
  Gold RSSA support contract, please register or purchase your
  support contract for your RSSA product by contacting WatchGuard
  Support Administration Department at +1.206.521.3575 between the
  hours of 6:00 am and 6:00 pm Pacific Time (PST/PDT, GMT -8/-7),
  Monday through Friday, or via e-mail at: supportid@watchguard.com
  <mailto:supportid@watchguard.com>. Please have the serial number
  of your product(s) available when you contact us and identify
  yourself as a "RapidStream RSSA customer." We will be happy to
  answer any questions about WatchGuard's support programs at that
  time.

As always, if you need support, please enter a support incident
online <https://support.watchguard.com/incidents/NewIncident.asp?>
or call our support staff directly:

U.S. Customers: 877.232.3531
International Customers: +1.360.482.1083
WatchGuard Partners: +1.206.521.8375


- - - ------------------------------------------------------
Copyright 2002 WatchGuard Technologies, Incorporated. All
Rights Reserved. WatchGuard, LiveSecurity, Firebox and
ServerLock are registered trademarks or trademarks of
WatchGuard Technologies, Inc. in the United States and/or
other countries. All other trademarks are the property of
their respective owners.

You may not modify, reproduce, republish, post, transmit
or distribute this content except as expressly permitted
in writing by WatchGuard Technologies, Inc.

======================================================

Steve Fallin                          
Director, Rapid Response Team        
mailto:steve.fallin@watchguard.com
Phone +1 206 521 8340    
+++++++++++++++++++++++++++++++++

WatchGuard Technologies, Inc
Designing Peace of Mind (tm)
505 Fifth Avenue South, Suite 500
Seattle Wa 98104

http://www.watchguard.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPZS8+k3Vi9lbkWzpEQLikQCeKrE3Xy0REXvEpenfUy3M9N+3yYIAmwTP
sZ8Bm5RL380Lev+PYAm38WVc
=qWY9
-----END PGP SIGNATURE-----
