Overview
IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service.
Description
For background: BindView RAZOR has reported a vulnerability that exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and possibly other IPsec implementations. While processing an IPsec datagram, vulnerable implementations do not properly calculate the length of the authentication data field for very small datagrams, resulting in an unsigned integer overflow. The ICV is then calculated for an overly large range of memory, which could cause a kernel panic on vulnerable systems. KAME, FreeBSD, and NetBSD are vulnerable due to the way they handle Encapsulating Security Payload (ESP) datagrams. |
Impact
A remote attacker could crash a vulnerable system with a specially crafted IPsec packet. The attacker would need to supply the source and destination IP addresses, the Security Parameters Index (SPI), and a suitably large sequence number. All of this information is transmitted in plain text. |
Solution
|
|
Vendor Information
Apple Computer Inc. Affected
Notified: August 20, 2002 Updated: October 15, 2002
Status
Affected
Vendor Statement
Vulnerable systems:
Mac OS X 10.2
Mac OS X Server 10.2
Fixed in:
- Mac OS X 10.2.1
Mac OS X Server 10.2.1
Software updates are available from the "Software Update" pane in System Preferences or from the Apple Software Downloads site:
- Mac OS X Update 10.2.1
http://docs.info.apple.com/article.html?artnum=120147
- Mac OS X Server Update 10.2.1
http://docs.info.apple.com/article.html?artnum=120149
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Affected
Notified: August 20, 2002 Updated: December 11, 2002
Status
Affected
Vendor Statement
Please see Debian Security Advisory DSA-201.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD Affected
Notified: August 21, 2002 Updated: October 15, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
This vulnerability has been addressed in FreeBSD 4.7-RELEASE:
http://www.FreeBSD.org/cgi/cvsweb.cgi/src/sys/netinet6/esp_input.c#rev1.1.2.7
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeS/WAN Affected
Notified: August 20, 2002 Updated: December 02, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
FreeS/WAN 1.99 appears to address this issue:
[http://www.freeswan.org/freeswan_trees/freeswan-1.99/CHANGES]
"ESP (and AH, IPCOMP) potential DOS fix."
[/klips/net/ipsec/ipsec_rcv.c]
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Global Technology Associates Affected
Updated: October 17, 2002
Status
Affected
Vendor Statement
After analyzing the IPSec issue described in VU#459371 Global Technology Associates, Inc. has determined that GTA firewall products running GNAT Box system software version prior to version 3.3.1 are vulnerable to this attack. GTA has released system software updates to correct this vulnerability.
For users with systems running GNAT Box system software version 3.3.0 a system software update version 3.3.1 is available from GTA's Online Support Center.
For users with systems running GNAT Box system software version 3.2.x a system software update version 3.2.6 is available from GTA's Online Support Center.
For users with systems running GNAT Box system software version 3.1.x or earlier no software update is available. Users should either upgrade to version 3.3.1 or add Remote Access filters to restrict access to designated remote VPN gateways.
To report potential security vulnerabilities in GTA products, send an E-mail message to: security-alert@gta.com.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Affected
Notified: August 21, 2002 Updated: December 11, 2002
Status
Affected
Vendor Statement
The AIX operating system is vulnerable to the IPSec issues in releases 4.3.3, 5.1.0 and 5.2.0. Temporary patches are available through an efix package. The efix is available at the following URL:
ftp://ftp.software.ibm.com/aix/efixes/security/ipsec_efix.tar.Z
The following APARs will be available in the near future:
AIX 4.3.3 APAR IY37800 (available approx 1/29/03)
AIX 5.1.0 APAR IY37069 (available approx 12/18/02)
AIX 5.2.0 APAR IY37182 (available approx 4/28/03)
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Internet Initiative Japan (IIJ) Affected
Notified: October 15, 2002 Updated: December 11, 2002
Status
Affected
Vendor Statement
IIJ SEIL/neu routers
Firmware prior to 1.63 are vulnerable to this problem. Upgrade to firmware 1.63 or later (available at http://www.seil-neu.com/). If you do are not using IPsec, you are not affected, however, we suggest you to upgrade the firmware in any case.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
KAME Project Affected
Notified: August 21, 2002 Updated: October 15, 2002
Status
Affected
Vendor Statement
all past KAME-based implementations are vulnerable. which includes:
MacOS 10.2
BSDi/WindRiver BSD/OS 4.2 and beyond
NetBSD 1.5 and beyond
FreeBSD 4.0 and beyond
and probably (if they enable IPsec)
- Juniper JunOS
Extreme Networks ExtremeWare
WindRiver VxWorks
Hitachi GR2000 router [CommWorks Total Control 100]
Fujitsu GeoStream 920/940 router
NEC IX5000
IIJ SEIL
the problem has corrected on kame tree on 2002/08/21.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
For authoritative statements, please reference specific vendor records.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NEC Corporation Affected
Notified: August 21, 2002 Updated: December 11, 2002
Status
Affected
Vendor Statement
sent on December 4, 2002
[Router Products]
- IX 5000 Series
- IX 1000 / 2000 Series (IX1010, IX1011, IX1020, IX1050, Bluefire IX1035 and IX2010)
- Fixed verion is 4.2.13 or greater.
- To get fixed software, please contact to: <>
- More information (in Japanese): <>
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NetBSD Affected
Notified: August 21, 2002 Updated: October 22, 2002
Status
Affected
Vendor Statement
See NetBSD security advisory SA2002-016.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
eSoft Affected
Notified: October 11, 2002 Updated: October 15, 2002
Status
Affected
Vendor Statement
eSoft InstaGate is only vulnerable to this denial of service attack if the attacker knows both the IP address of a tunnel endpoint and the SPI value for that tunnel. A patch is available through eSoft's SoftPak Director.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Alcatel Not Affected
Notified: August 21, 2002 Updated: October 15, 2002
Status
Not Affected
Vendor Statement
In relation to this CERT advisory on security vulnerability in IPsec implementations, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. An initial analysis has shown that none of our products is affected when used as delivered to customers. In particular, the OmniAccess 210, 250, 512 and OmniPCX Office are not affected.
Customers may contact their Alcatel support representative for more details. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential security vulnerabilities in our products using IPsec technology and will provide updates if necessary.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Avaya Not Affected
Notified: August 21, 2002 Updated: December 11, 2002
Status
Not Affected
Vendor Statement
Avaya VPN products, including the VPN Service Unit (VSU) Series of VPN Gateways as well as the VPNremote desktop VPN client software, do not exhibit this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Borderware Not Affected
Notified: October 10, 2002 Updated: October 18, 2002
Status
Not Affected
Vendor Statement
We have determined that no BorderWare products are vulnerable to the attacks described in VU#459371.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cisco Systems Inc. Not Affected
Notified: August 20, 2002 Updated: October 21, 2002
Status
Not Affected
Vendor Statement
Cisco products are not vulnerable to this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Clavister Not Affected
Notified: August 21, 2002 Updated: August 22, 2002
Status
Not Affected
Vendor Statement
Clavister Firewall with VPN module: Not vulnerable.
Clavister VPN Client: Not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray Inc. Not Affected
Notified: August 20, 2002 Updated: October 15, 2002
Status
Not Affected
Vendor Statement
Cray, Inc. is not vulnerable as we provide no software that performs this type of function.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Not Affected
Notified: August 20, 2002 Updated: October 15, 2002
Status
Not Affected
Vendor Statement
SOURCE: Hewlett-Packard Company and Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company
RE: x-reference SSRT2326 IPSEC
Not Vulnerable:
- HP-UX
HP-MPE/ix
HP Tru64 UNIX
HP NonStop Servers
HP OpenVMS
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hitachi Not Affected
Notified: August 27, 2002 Updated: October 15, 2002
Status
Not Affected
Vendor Statement
We've checked up on our router (Hitachi,Ltd. GR2000 series) about VU#459371. Our IPsec implemantation is NOT vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Intoto Not Affected
Notified: October 11, 2002 Updated: October 18, 2002
Status
Not Affected
Vendor Statement
Intoto analyzed iGateway AH and ESP implementation for the DoS threat published in VU#459371, and found that iGateway is not vulnerable to this DoS attack.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Lucent Not Affected
Notified: September 09, 2002 Updated: October 15, 2002
Status
Not Affected
Vendor Statement
The Edge Switching and Routing products (specifically, the B-STDX 9000, CBX500, GX550, PSAX family and Springtide family) are not vulnerable to VU 459371.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Microsoft Corporation Not Affected
Notified: August 21, 2002 Updated: October 17, 2002
Status
Not Affected
Vendor Statement
Microsoft has conducted a thorough investigation based on this report. Microsoft products are not affected by this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MontaVista Software Not Affected
Notified: August 21, 2002 Updated: October 21, 2002
Status
Not Affected
Vendor Statement
MontaVista does not ship any IPSec applications, thus this is not applicable to us. We are not vulnerable to vu459371.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NetScreen Not Affected
Notified: August 27, 2002 Updated: August 29, 2002
Status
Not Affected
Vendor Statement
NetScreen's Global PRO family of network management applications does not use IPSec and is not vulnerable to the issues raised in VU#459371.
NetScreen has determined that ScreenOS, the operating software for NetScreen security devices, is not vulnerable to the issues raised in VU#459371.
The IPSec implementation in the NetScreen Remote family of VPN and security clients has been examined and NetScreen has determined that it is not vulnerable to the issues raised in VU#459371.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Network Appliance Not Affected
Notified: October 10, 2002 Updated: October 15, 2002
Status
Not Affected
Vendor Statement
NetApp products are not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nortel Networks Not Affected
Notified: August 21, 2002 Updated: December 11, 2002
Status
Not Affected
Vendor Statement
The following Nortel Networks products implement IPsec but are not affected by the vulnerabilities noted in VU#459371:
The Preside Multi-Service Data Manager (MDM) is not affected.
There are no issues with the Contivity Platform, this includes the:
Contivity 600/1500/1600/2000/2500/2600/4500/4600
Contivity 1010/1050/1100
Contivity 1700/2700
Contivity software releases 3.5 and beyond including the Contivity VPN Client
The Shasta 5000 Broadband Services Node is not affected.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Openwall GNU/*/Linux Not Affected
Notified: August 21, 2002 Updated: October 21, 2002
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux is not vulnerable. We don't yet support IPsec.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SSH Communications Security Not Affected
Notified: August 21, 2002 Updated: December 11, 2002
Status
Not Affected
Vendor Statement
1. CERT/CC Vulnerability Note VU#459371
=======================================
Multiple IPSec implementations do not adequately validate
authentication data:
CERT/CC has announced a new vulnerability on IPSec (see the
"Vulnerability Note VU#459371" referred). Based on our review, SSH
IPSEC Express Toolkit 4.x/5.x and SSH QuickSec Toolkit 1.x are not
vulnerable to the attack described. The sanity check relevant for
this functionality is located in the transform code of the IPSec
packet processing.
More information can be found at:
http://www.kb.cert.org/vuls/id/459371
This vulnerability has been assigned CAN-2002-0666 by CVE.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SafeNet Not Affected
Notified: August 20, 2002 Updated: October 15, 2002
Status
Not Affected
Vendor Statement
SafeNet's VPN clients are not susceptible to this vulerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems Inc. Not Affected
Notified: August 21, 2002 Updated: August 29, 2002
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Conectiva Unknown
Notified: August 20, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Data General Unknown
Notified: August 20, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Extreme Networks Unknown
Notified: October 11, 2002 Updated: October 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F-Secure Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Guardian Digital Inc. Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MandrakeSoft Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NIST Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NeXT Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Network Associates Unknown
Notified: August 20, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Novell Unknown
Notified: December 11, 2002 Updated: December 11, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD Unknown
Notified: August 20, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
PGP Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat Inc. Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SGI Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sequent Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sony Corporation Unknown
Notified: August 20, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SuSE Inc. Unknown
Notified: August 20, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The SCO Group (SCO Linux) Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisys Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wind River Systems Inc. Unknown
Notified: August 21, 2002 Updated: August 29, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
The CERT/CC thanks Todd Sabin of BindView RAZOR for discovering and reporting this issue.
This document was written by Art Manion.
Other Information
| CVE IDs: | CVE-2002-0666 |
| Severity Metric: | 5.14 |
| Date Public: | 2002-10-17 |
| Date First Published: | 2002-10-17 |
| Date Last Updated: | 2003-01-06 21:56 UTC |
| Document Revision: | 24 |