HP has been hit by two security holes - one in its Internet Express, used with Tru64 servers, and a second in its authentication system OpenView.
A number of serious vulnerabilities have been found in the Washington University FTP daemon (WU-FTPD) - the replacement FTP daemon for Unix systems - which forms part of HPs Internet Express, its collection of internet and administration software provided with Tru64 AlphaServer systems.
The most serious of these vulnerabilities affects versions up to 2.6.2 of the software, delivered as part of Internet Express 6.2, and is caused by a boundary error in the S/KEY challenge handling procedure. It can be exploited by putting in over-long user details to create a buffer overflow. Then, a malicious program can be run on the computer.
For the vulnerabilities to be exploitable, S/KEY authentication must be enabled, reducing the overall risk. However HP failed to answer our questions over how many customer installations were left open to attack. HP has produced a patch - available here.
HP also acknowledged a "moderately critical" vulnerability in OpenView Operations, specifically in its authentication facility, affecting versions 7.x of OpenView for HP-UX and Solaris, as well as version 6.x of OpenView VantagePoint for the same two OSes.
In this case, the vulnerability consists of the possibility of bypassing the authentication process, caused by a missing authentication check. Another patch for this hole can be found here.