Security issue surrounds IPv6
February 4, 2009
HP's Unix endures much of the same onslaught of hacker vulnerabilities as other Unixes. A Security Bulletin from this week, one of the steady string of reports which keeps up with needed patches for HP-UX, illustrates how new Internet features expose new breaches in the OS that HP prefers as the replacement for migrating HP 3000s.
The latest bulletin warns users of HP-UX v11 that the IPv6 capabilities of the OS can provide a back door to Denial of Service attacks. HP devised a patch to close the DoS vulnerability before it warned customers about the exploit. In contrast, last week HP simply advised HP 3000 sites to stop using a compromised part of MPE/iX, the seldom-employed BIND/iX DNS module.
BIND/iX seemed like a good idea at the time, to give the 3000 a full complement of Internet tools and enable intranets. It never caught on. "I never did understand why it was released," said 3000 consultant Joe Horrigan. "A cheap white box [PC] can do the same function using Linux or Windows. Not a good use for a 3000 system costing $100,000."
For customers who have access to the HP IT Response Center Knowledge Base, the IPv6 bulletin can be read online at the HP site. HP never put IPv6 into MPE/iX, so the 3000's OS already has its usual patch: security through differences with the rest of the world's Unix users. In this case, the security has been provided by HP's lack of protocol support. Call it Security Through Omission, if you want.
If you're keeping score over the past week on Security Bulletins, the resolutions are tied: HP-UX 1, MPE/iX 1.
An HP-UX Security Bulletin is not a rare creature at all. Here's one from this morning, even more wide-ranging:
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Apache-based Web Server and the Tomcat-based Servlet Engine are contained in the Apache Web Server Suite.
To resolve the IPv6 problem, HP gives the HP-UX customer any of three patches needed for versions 11.11, 11.23 and 11.31, which pretty much covers the v11 installed base. HP's Unix users don't have to apply the patches manually. These days the OS employs HP-UX Software Assistant, "an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system."
Software Assistant downloads patches and creates a depot for a customer site on a local server. Apple's OS X now does much the same thing, downloading patches to the Mac's variant of Unix and then prompting administrators to restart, if they want to accept a patch, to install it into the OS.
It might be something of a comment on the new world of Security Bulletins that an OS needs something like Software Assistant to check often for vulnerabilities. MPE/iX never needed that, so rare are its compromises. But at least HP has engineered an automated way to protect its Unix customers. You can learn more about Software Assistant at the HP Web site.
As for a full resolution of the BIND/iX vulnerability on a 3000, Horrigan checked out the new generation of BIND, which is an open source tool. It's a project that, considering its security implications, might not find a lot of volunteers.