AUSCERT External Security Bulletin Redistribution

                   ESB-2001.381 -- NAI Security Advisory
                             6 September 2001


        AusCERT Security Bulletin Summary

Product:                Gauntlet for Unix version 5.x and 6.0
                        PGP e-ppliance 300 series versions 1.0, 1.5, 2.0
                        PGP e-ppliance 1000 series versions 1.5, 2.0
                        McAfee e-ppliance 100 and 120 series
                        McAfee WebShield for Solaris v4.1
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

Ref:  http://www.pgp.com/support/product-advisories/csmap.asp

- --------------------------BEGIN INCLUDED TEXT--------------------


Title:  Gauntlet Firewall for Unix and WebShield CSMAP and smap/smapd
        Buffer Overflow Vulnerability Advisory
Date:   September 4, 2001
Author: Gauntlet Firewall Engineering 


A security vulnerability has been discovered in smap/smapd on the
following products: 
 Gauntlet for Unix versions 5.x 
 PGP e-ppliance 300 series version 1.0 
 McAfee e-ppliance 100 and 120 series 

A security vulnerability has been discovered in CSMAP on the following
 Gauntlet for Unix version 6.0 
 PGP e-ppliance 300 series versions 1.5, 2.0 
 PGP e-ppliance 1000 series versions 1.5, 2.0 
 McAfee WebShield for Solaris v4.1 

This security vulnerability is a Buffer Overflow in the smap/smapd
and CSMAP daemons. The smap/smapd and CSMAP daemons are responsible
for handling e-mail transactions for both inbound and outbound
e-mail. It is possible to exploit this Buffer Overflow vulnerability
to execute arbitrary shell commands with the same privileges as
the owner of the corresponding daemon.


A patch to repair this vulnerability is available for all products
listed above at ftp://ftp.nai.com/pub/security/ and
http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp for
the Gauntlet and PGP e-ppliance products and www.mcafeeb2b.com for the
McAfee e-ppliance and WebShield products. 

This patch is a mandatory patch that includes a new version of the
corresponding daemons and addresses the buffer overflow.  Instructions
for installing the patch are included in the README file contained
within the patch.

Gauntlet v.5.x users on HP-UX must have HP-UX patch PHCO_16723 or
later installed for the smap/smapd patch to function properly, as
there is a dependency upon the library contained in that HP patch.
The smap/smapd patch for Gauntlet v.5.x makes a check for the
presence of the latest iteration of this patch (PHCO_23684). If
this patch is not present, it will inform the user that PHCO_16723
or later is required and prompt the user if they want to continue.
Failure to have PHCO_16723 or later will prevent all e-mail traffic
if the smap/smapd patch is installed. PHCO_23684 is available from
the HP support web site. The required library is built into HP-UX
v.11.0, so Gauntlet v.6.0 users on HP-UX do not require an additional

CREDITS: PGP Security acknowledges one of its partners, Garrison
Technologies, Inc., for notification about this problem. 

(C) 2001, Networks Associates Technology, Inc. All Rights Reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key