Two vulnerabilities have been announced, CVE-2014-6271 and CVE-2014-7169, which affect the version of the bash command shell used by both Address Manager (Proteus) and DNS/DHCP Server (Adonis).
All Address Manager (Proteus) and DNS/DHCP Server (Adonis) versions.
A vulnerability was discovered in the bash shell related to how bash processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment.
NOTE: Although both systems use a vulnerable version of the bash command shell, no remote exploits could be found. Although the systems are not exploitable remotely, BlueCat does recognize the visibility and attention associated with this security vulnerability and has released a patch to update all supported systems to a non-vulnerable version of the bash shell.
Please visit Care and review KB-7446 to download the patch and associated release notes.
A vulnerability has been announced, CVE-2014-0160, which affects the version of SSL used by BlueCat.
All Address Manager (Proteus) 4.x and DNS/DHCP Server (Adonis) 7.x versions.
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.
OpenSSL contains a flaw in its implementation of the TLS/DTLS heartbeat functionality (RFC 6520). This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:
• Primary key material (secret keys)
• Secondary key material (user names and passwords used by vulnerable services)
• Protected content (sensitive data used by vulnerable services)
• Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)
Please visit Care and review KB-6745 to download the patch and associated release notes.
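The length check that the heartbeat flaw described above lacked, shown as an added example (not BlueCat's or OpenSSL's code): RFC 6520 requires a receiver to silently discard a heartbeat whose payload_length claims more data than was actually received, and because that field is 16 bits wide, a missing check exposes up to 64k of memory per request. The function names and the two sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* HeartbeatMessageType heartbeat_request (RFC 6520) */
#define HB_RESPONSE    2   /* heartbeat_response */
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 padding bytes */

/* Constructed sample messages (not captured traffic): type, length, "ping", zero padding. */
static const uint8_t hb_ok[23]         = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_overstated[23] = { 0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

/* Payload length of a well-formed request, or -1 if it must be silently discarded. */
long hb_checked_payload_len(const uint8_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                      /* too short to hold header + padding */
    if (msg[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];   /* 16-bit field: max 65535 */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > msg_len)
        return -1;                      /* sender claims more than it actually sent */
    return (long)claimed;
}

/* Build the echo response from validated bytes only. Returns bytes written, 0 on reject. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_cap)
{
    long n = hb_checked_payload_len(msg, msg_len);
    if (n < 0)
        return 0;
    size_t need = HB_HEADER_LEN + (size_t)n + HB_MIN_PADDING;
    if (out == NULL || need > out_cap)
        return 0;
    out[0] = HB_RESPONSE; out[1] = msg[1]; out[2] = msg[2];
    memcpy(out + HB_HEADER_LEN, msg + HB_HEADER_LEN, (size_t)n);
    memset(out + HB_HEADER_LEN + (size_t)n, 0, HB_MIN_PADDING); /* zeros here; RFC 6520 specifies random padding */
    return need;
}

int main(void)
{
    uint8_t out[64];
    printf("well-formed: %zu bytes echoed\n", hb_build_response(hb_ok, sizeof hb_ok, out, sizeof out));
    printf("overstated:  %zu bytes echoed\n", hb_build_response(hb_overstated, sizeof hb_overstated, out, sizeof out));
    return 0;
}
```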
A vulnerability has been announced by the ISC (Internet Systems Consortium), CVE-2014-0591, which affects ISC BIND.
Authoritative name servers using DNSSEC with at least one NSEC3-signed zone.
A specially crafted query against an NSEC3-signed zone can crash DNS.
Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. By exploiting this defect, an attacker who deliberately constructs a query with the right properties could achieve denial of service against an authoritative nameserver serving NSEC3-signed zones.
Affected Adonis Versions:
BlueCat's assessment of CVE-2014-0591 has determined that all supported versions of Adonis are affected. A patch has been released to address the issue for these affected versions.
Please visit Care and review KB-6419 to download the patch and associated release notes.
© 2001-2014 BlueCat Networks - All Rights Reserved