HP patches critical security holes in Tru64 Unix

Vulnerabilities have been found in HP's high-end Unix operating system that could allow attackers to take over a server or knock it offline.

Critical security vulnerabilities in HP's Tru64 Unix operating system were patched on Friday after it was discovered that implementations of IPsec and SSH programs, which carry VPN and secure system command traffic, were vulnerable to attackers.

The vulnerabilities are an embarrassment to HP because both were found in vital components of the operating system and both could enable malicious users to either take control of a machine or launch a denial-of-service attack. SSH, a secure Telnet program, is used to securely send commands to a server, while IPsec is used to create virtual private networks to carry encrypted information over the Internet between two computers.

Although full details about the vulnerabilities have not been published, HP has issued patches that will fix any known problems. Only HP's Tru64 UNIX 5.1B is affected, and fixes for both the IPsec software and SSH software can be found on HP's Web site.

IPsec version 2.1.1 and SSH version 3.2.2 are not vulnerable and can be downloaded from HP's Web site.

HP's Tru64 version of Unix, which came from Digital Equipment, is being phased out in favour of HP-UX and engineers have been working to bring some of Tru64's features to HP-UX.

HP is gradually phasing out Tru64, which runs on the AlphaServer line, and is encouraging customers to move to its Integrity line of servers based on Intel's Itanium processor. Improvements to HP-UX include cluster technology to share services across a group of servers, long a Digital forte. HP-UX 11i v3, the version slated to incorporate the technology, is now scheduled for release in the second half of 2005 rather than by the end of 2004.