A vulnerability has been identified in HP OpenVMS, which could be exploited by malicious users to obtain sensitive information. This flaw is due to an error in the "NET$SESSION_CONTROL" module that stores certain passwords in the audit logfile when a connection attempt is made with the right password after a "network breakin" event, which could be exploited by local attackers to disclose sensitive information.

Affected Products

HP OpenVMS ALPHA version 7.3-2
HP OpenVMS ALPHA version 8.2

Solution

Apply patch for HP OpenVMS ALPHA version 7.3-2 :
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-2/AXP_DNVOSIECO03-V732.PCSI-DCX_AXPEXE

Apply patch for HP OpenVMS ALPHA version 8 :
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V8.2/AXP_DNVOSIECO02-V82.PCSI-DCX_AXPEXE

References

http://www.vupen.com/english/advisories/2006/3423
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-2/AXP_DNVOSIECO03-V732.txt
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V8.2/AXP_DNVOSIECO02-V82.txt

Credits

Vulnerability reported by the vendor

Changelog

2006-09-01 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.