Message-ID: <s3f2fd85.068@gordias.tbgfinancial.com>
Date: Wed, 15 Feb 2006 10:07:36 -0800
From: "Brian Boner" <BBoner@...financial.com>
To: <bugtraq@...urityfocus.com>, <vuldb@...urityfocus.com>
Subject: Bugs/Security issues with PatchLink's Update Server


Security Focus,

I have been reporting issues to PatchLink Support for two years now with little or no resolution on most of the things I find.  Because they are such a large patch management platform I think it is important that they be responsible for their coding practices.  But even trying to work with the company directly, they are not fixing the issues that have plagued their system for a long time now, including fundamental flaws in vulnerability detection.
For each entry, I am including my internal tracking number then their ticket number if one was generated and then a short text about the issue.  As an example:
PatchLink Issue #10 - #8712 - Adding Domain users causes the Status screen to display unexpected text.
The 10> is my tracking number & #8712 is a ticket with PatchLink Support.
So if you ever needed the e-mail trail, I'd be happy to forward it to you.  All I would need is my tracking number.  I've recorded all calls & e-mails in my tickets.

I am going to add all relevant tickets/issues I have with Update Server.  Use what you deem appropriate.  Since this is my first time writing to a company/forum like this, could you please let me know what happens next to the information I provide in this e-mail?  As an example, where would I go to see what your company has published?

My company uses:
PLUS (PatchLink Update Server) version: 6.2.0.189
Update Agent version: 6.2.0.181
The PLUS server is joined to a domain.

10>	Opened 2004/08/04 - Closed xxxx/xx/xx - #8712 - Adding Domain users causes the Status screen to display unexpected text.
Note: This issue is about the gibberish that returns when granting domain users access to the application.  When adding more than one person, the wizard grants individuals the incorrect roles/groups.  This wizard does not work properly.  It can grant some users more access than the admin intended.

30>	Opened 2005/01/13 - Closed xxxx/xx/xx - #8716 - How machines appear in the patched status for the most current service packs as well as previous service packs.
Note: This issue is the fact that the Update Server application does incorrect counting.  As an example, and this happens for sure with Windows & the Novell Client, if you had 10 Windows 2000 Professional machines with Service Pack 4, 8 Windows 2000 Professional machines with Service Pack 3, 6 Windows 2000 Professional machines with Service Pack 2 & 4 Windows 2000 Professional machines with Service Pack 1... you would receive the following report:
Windows 2000 Professional machines with Service Pack 1 = 28 (4 + 6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 2 = 24 (6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 3 = 18 (8 + 10)
Windows 2000 Professional machines with Service Pack 4 = 10 (10)

35>	Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Security issue, granting one drop-down menu gives all drop-down menus in the inventories.
Note: The Inventory section of Update server consists of 4 sub-sections, Operating Systems, Software, Hardware & Services.  Operating Systems is the default page.  In the administration portion of Update Server I can individually grant & revoke access to these pages to a role.  Yet the application does not work the way it should.  If Operating Systems is revoked but any of the other options are allowed, the end-user will not gain access to the Inventories section because Operating Systems is always the default.  Additionally, if Operating Systems is allowed and one of the other options, then access to all 4 will be allowed.

36>	Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Missing the option to grant Mandatory pages to roles.
Note: Within the admin/option portion of the application, the Mandatory page cannot be granted or revoked from a user.  All other pages for a group are controllable.

40>	Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: List applications that ARE installed on a server.
Note: This patch management product cannot display what products ARE installed.  In a comparison with Shavlik's HFNetChk, HFNetChk can tell you which version of MDAC is installed, as well as of any other product it can patch; Update Server, on the other hand, cannot.

43>	Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: In the deploy wizard, use hierarchical grey check boxes.
Note: I thought this one might be useful to add to this list.  If it isn't, disregard it.  Many mistakes have & can be made because there are long lists of patches and each company must be checked in certain situations.  I offered this suggestion as a product enhancement.

44>	Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add KB832414 (as 823490).  This is for MSXML 2.6.
Note: Update Server does not support the latest service pack for MSXML 2.6.  This leads companies to a false sense of security.

45>	Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add KB887606.  This is for MSXML 2.6, MSXML 3.0 Service Pack 3 & MSXML 4.0.
Note: This request is to add a hotfix patch.

46>	Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: Have a logout feature.
Note: This product does not have a log out feature.  As an example, if two sessions of Internet Explorer are open, one to the PLUS server & another to www.msn.com, and the user closes the window to the PLUS server & leaves the workstation un-locked, a second user can walk up, press CTRL-N on the www.msn.com window and gain access to the PLUS server if they type the URL in the browser's address bar.

47>	Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Why doesn't Adobe Acrobat and patches uninstall when I choose that option in the baseline?
Note: The PLUS server cannot uninstall Adobe Acrobat even though it is an option on the patch.

49>	Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Tim & I believe that MS04-030 has a PatchLink pop-up that can be removed for Win2k and possibly WinXP.
Note: This patch does not act silently when the option to do so is set.  I have been unable to test this patch for a long time now.

51>	Opened 2005/10/26 - Closed xxxx/xx/xx - #001-00-006110 - 'Novell 2971589 Novell Client 4.91 Update 'A'' is automatically restarting workstations and there are no event logs of the install.
Note: The deployment of this patch automatically restarts clients when the option to not do so is set.  Additionally it seems that the Novell Patch does not add any events to the Application Event Log.

52>	Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006346 - SQL Server Desktop Engine (MSDE) 2000 SP4 not detected for all SQL installations (total missing = 7).
Note: Update Server has absolutely no way of detecting non-default installations of MSDE & SQL Server.  This leads to a false sense of security, especially if this is your only patch management solution.  Additionally, PatchLink does not publish this limitation to the public.

53>	Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006347 - HFNetChkPro detects that MDAC 2.8 SP1 is needed for JMCGUIRE.  Update Server says it is installed.
Note: Update Server cannot correctly detect the need to install this patch.  I had a machine that had MDAC 2.8 SP1 but somehow one or two files had been replaced by older versions.  HFNetChk detected this situation but Update Server said the machine was patched.

55>	Opened 2005/11/03 - Closed xxxx/xx/xx - #001-00-007183 - Feature Enhancement: Add 'Idle' & 'Working' to "Computers" "Status" drop-down.
Note: I consider this a bug.  In the Computers section, 5 options are allowed in the "Status" drop down (--- All *-, Enabled, Sleeping, Offline, Disabled).  Yet in the Status column this associates with, there are 5 possibilities (Idle, Offline, Working, Sleeping & Disabled).

57>	Opened 2005/11/08 - Closed xxxx/xx/xx - #001-00-006499 - Outlook 2003 Junk E-mail Filter Update KB906173 (October 2005) is being offered to machines that have Outlook 2003 installed, while Windows/Microsoft Update offers this patch to any machine with Office 2003 installations that do not have Outlook 2003 installed.
Note: I don't know why PatchLink as a company wouldn't add this patch or mimic the way Microsoft detects it with Windows Update or Microsoft Update.  They have refused to add this.  I am quite positive that it is due to the fundamental flaws with the detection engine Update Server uses.  I also assume that if Office 2003 is installed on a machine without Outlook, Windows/Microsoft Update will still install the patch in anticipation of Outlook being added (or something like that).

58>	Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007041 - Product Enhancement: Add sorting by red R & green C column.
Note: I consider this a bug.  All other columns are sortable, why not this one?  I use it all the time to try to differentiate between machines that need a restart & those that don't.

60>	Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007186 - Request Microsoft XML Parser (MSXML) 2.6 SP3 to be added to the database.
Note: PatchLink seems to no longer be supporting a product they already support.  They do not offer the latest service pack for this application.  They do offer prior service packs.  This can lead companies into a false sense of security.

61>	Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007042 - BUG: When hovering over a machine's icon while in a Mandatory Baseline for a User created group when an assigned patch has been expanded, the date & time of the last connection are not available.
Note: This is a self-explanatory bug.

62>	Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007073 - Typo: Extra space in MS05-031 text string
Note: The text for all patches but this one is exactly the same whether viewed from a web page OR from the Export of a mandatory baseline.  I use the Exports to show configuration changes.  But when I use an exported spreadsheet & I copy a cell with a patch name and then paste it into the find window box of Internet Explorer when I am in the section to add or remove patches from a baseline... the pasted text does not match the name in the list.  This is not an Internet Explorer issue because the extra space is in the middle of the text.  PatchLink Support is refusing to add a (Rev 2) to this patch like they have done with other patches.

63>	Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007074 - Issue with MPSB05-07 Flash Player 7 patch & Update Server's deployment
Note: This is a really big issue I have with PatchLink as a company.  When this patch came out (http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html) PatchLink as a company decided to not offer the patch that fixed this situation.  Macromedia offers this patch as well (http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=d9c2fe33).  Instead PatchLink packaged Macromedia's Flash Player 8 as the patch that fixed Flash Player 7.  They did note this in their Description.  But if you install their patch, vulnerable files still exist on the client that was "patched".  It is impossible to patch the vulnerable Flash Player 7 files using Update Server.  I have issues because they made a decision to patch a product with a new version of the application.  I have issues with PatchLink because this issue was raised to them and they have done nothing about this.  I have issues with their naming scheme because the patch name suggests that it will patch Flash Player 7 when it doesn't do this at all.  Note: In prior upgrades of Flash Player the old version was removed.  When Flash Player 8 came out, this no longer happened.

64>	Opened 2005/12/16 - Closed xxxx/xx/xx - #001-00-007528 - Trying to figure out why SQL Server patches are reported as missing
Note: From PatchLink: This is a known issue.  A missing registry key produces a false negative.

Well there you have it.  I hope that these qualify as bugs & security vulnerabilities that can benefit bugtraq.  So as I asked before, could you let me know what is going to happen to this information now that you have it?  Could you give me a URL that shows me where this information went to?


Regards,
Brian Boner
Sr. Systems Administrator
TBG Financial
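The counting defect in issue 30> above (each service-pack row reporting every machine at that level or higher) is a reporting bug that hides the remediation number an administrator actually needs. The following is an added example, not code from the original post or from PatchLink: it builds a constructed inventory matching the report's numbers (10 at SP4, 8 at SP3, 6 at SP2, 4 at SP1), reproduces the cumulative "at or above" count beside the correct "exactly" count, and adds the consistency check a practitioner can apply to any such report, namely that per-level counts must sum to the machine total.

```python
"""Service-pack counting: 'exactly SP n' versus 'at least SP n'.

Added example, not PatchLink code. Models the behaviour described in
issue 30 of the report: the SP1 row counted every machine at SP1 or higher.
"""
from __future__ import annotations

from collections import Counter

# Constructed inventory matching the report: 10 x SP4, 8 x SP3, 6 x SP2, 4 x SP1.
SAMPLE_INVENTORY: list[int] = [4] * 10 + [3] * 8 + [2] * 6 + [1] * 4


def count_exact(sp_levels: list[int]) -> dict[int, int]:
    """Machines at exactly each service-pack level (what an admin expects)."""
    return dict(sorted(Counter(sp_levels).items()))


def count_cumulative(sp_levels: list[int]) -> dict[int, int]:
    """Machines at or above each level: the inflated figures in the report.

    This reproduces the defect for comparison; it is the constructed
    'before' behaviour, not vendor code.
    """
    levels = sorted(set(sp_levels))
    return {lvl: sum(1 for s in sp_levels if s >= lvl) for lvl in levels}


def needs_service_pack(sp_levels: list[int], latest: int) -> int:
    """Machines below the latest service pack: the actionable remediation count."""
    return sum(1 for s in sp_levels if s < latest)


def report_is_consistent(counts: dict[int, int], total_machines: int) -> bool:
    """Sanity check for any per-level report: exact counts must sum to the
    total. Cumulative counts fail this, which is how the bug is caught."""
    return sum(counts.values()) == total_machines


if __name__ == "__main__":
    total = len(SAMPLE_INVENTORY)
    print("cumulative (buggy):", count_cumulative(SAMPLE_INVENTORY))
    print("exact (correct):   ", count_exact(SAMPLE_INVENTORY))
    print("still need SP4:    ", needs_service_pack(SAMPLE_INVENTORY, 4))
    print("buggy report consistent?", report_is_consistent(count_cumulative(SAMPLE_INVENTORY), total))
    print("fixed report consistent?", report_is_consistent(count_exact(SAMPLE_INVENTORY), total))
```

The consistency check is the part worth keeping: a patch-status report whose per-level rows add up to more than the machine count is double-counting, and that is visible without knowing anything about the vendor's query.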

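Issue 35> above describes an authorization check that is tied to a section's default landing page rather than to each sub-page: a role without the default page is locked out entirely, and a role with the default page plus one other sub-page reaches all four. The following is an added example, not code from the original post or from PatchLink; the role and page names are constructed to match the four inventory sub-pages the report lists. It places the described behaviour beside a per-page check that lands the user on the first permitted sub-page and exposes exactly the granted set.

```python
"""Per-page role authorization for a sectioned web console.

Added example, not PatchLink code. Models the Inventory section described in
issue 35: four sub-pages, with Operating Systems as the default landing page.
"""
from __future__ import annotations

from dataclasses import dataclass

INVENTORY_PAGES: tuple[str, ...] = ("Operating Systems", "Software", "Hardware", "Services")
DEFAULT_PAGE: str = INVENTORY_PAGES[0]


@dataclass(frozen=True)
class Role:
    name: str
    allowed_pages: frozenset[str]  # sub-pages this role has been granted


def flawed_access(role: Role) -> set[str]:
    """Constructed 'before' behaviour matching the report: the section gate is
    the default page, and once past the gate every sub-page is reachable."""
    if DEFAULT_PAGE not in role.allowed_pages:
        return set()                     # locked out even if other pages were granted
    return set(INVENTORY_PAGES)          # all four exposed regardless of the grant


def can_view(role: Role, page: str) -> bool:
    """Per-request check applied to every sub-page, not only the landing page."""
    return page in INVENTORY_PAGES and page in role.allowed_pages


def hardened_access(role: Role) -> set[str]:
    """Reachable pages under the per-page check: exactly the granted set."""
    return {p for p in INVENTORY_PAGES if can_view(role, p)}


def landing_page(role: Role) -> str | None:
    """First permitted sub-page in display order, or None when the role has no
    access to the section at all (the caller should then deny the section)."""
    for page in INVENTORY_PAGES:
        if can_view(role, page):
            return page
    return None


if __name__ == "__main__":
    for role in (
        Role("hardware-auditor", frozenset({"Hardware"})),
        Role("helpdesk", frozenset({"Operating Systems", "Software"})),
        Role("no-inventory", frozenset()),
    ):
        print(role.name, "flawed:", sorted(flawed_access(role)),
              "hardened:", sorted(hardened_access(role)), "lands on:", landing_page(role))
```

The design point is that the decision is made per page on every request, so the landing page is a convenience derived from the grant rather than the thing the grant is checked against.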

