Bugtraq mailing list archives

AXENT ESM 4.5


From: sjackson () AXENT COM (Steve Jackson)
Date: Fri, 25 Sep 1998 17:54:25 -0600


Since this went to the entire list, I'll reply to the list for the benefit
of all.

Today, ESM 4.5 can be ordered through the normal AXENT Technologies product
channels.  Currently AXENT account managers are located throughout the
world and can take your order for ESM version 4.5.  It has been shipping
since March, 1998.

AXENT products are rolled out to the majority of the Fortune 500 companies
in the US and Worldwide, and those same companies rely heavily upon ESM
being robust in order to provide proven products for general availability.
The product goes through 3 major cycles: Beta, ESP and GA.  Currently 4.4 is
the GA product and 4.5 is in the ESP phase (soon to be GA).  By going
through a full production ESP cycle, then customers that desire the
additional functionality can acquire the ESP product and those that want to
wait for the GA release can do so.

Steve Jackson

                -----Original Message-----
                From:   dcupp () SNAKEBITE COM [mailto:dcupp () SNAKEBITE COM]
                Sent:   Thursday, September 24, 1998 3:23 PM
                To:     BUGTRAQ () NETSPACE ORG
                Subject:        Re: Security Hole in Axent ESM

                Steve,

                What is the real story with 4.5?   I tried getting an
upgrade without success.  Your email signature indicates you are the product
manager for AXENT ESM.

                According to Axent technical support ESM 4.4 is the latest
GA version of ESM.  ESM 4.5 is not the product shipped to customers who
order ESM today.  Support could not tell me how to receive a copy of 4.5.

                This conflicts with your claims that ESM 4.5 with security
fixes has been shipping since March of 1998 and this still leaves my network
vulnerable to someone modifying binaries and spoofing the CRC checksums.

                IMHO, leaving the CRC file checksums and just adding the MD5
as an option in future versions of ESM may not be clear to most customers
that CRC's can be easily spoofed and are weak checksums.  Is there any
reason you don't make MD5 the default requirement if you are doing checksums
and remove CRC's?

                Maybe you can provide clarifications on where to get the
security fixes for ESM 4.5 to make it secure?  Your tech support needs the
information as well.

                Dan Cupp
                System Administrator
                UNIX / PERL Ninja!
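
The concern in the quoted message about CRC file checksums, as an added illustration that is not part of either message or of ESM: a CRC is an affine function of its input, so the CRC of a combination of inputs can be computed from their CRCs alone, while a cryptographic digest has no such relation. Assumptions: zlib's CRC-32 stands in for whichever CRC ESM computes (the thread does not say), SHA-256 stands in for the MD5 option mentioned, and all function names and sample blocks are constructed for this example.

```python
import hashlib
import zlib
from functools import reduce


def xor_blocks(*blocks):
    """XOR equal-length byte strings together, column by column."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("blocks must have equal length")
    return bytes(reduce(lambda x, y: x ^ y, col) for col in zip(*blocks))


def crc32_of_xor_from_crcs(crcs):
    """Predict the CRC-32 of the XOR of an odd number of equal-length
    inputs from their CRC-32 values only, without seeing the inputs.
    Works because CRC-32 is affine over GF(2): the length-dependent
    constant cancels pairwise and survives once for an odd count."""
    if len(crcs) % 2 == 0:
        raise ValueError("need an odd number of CRCs")
    return reduce(lambda x, y: x ^ y, crcs)


def sha256_int(data):
    """SHA-256 digest as an integer, so digests can be XORed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def checksum_is_predictable(a, b, c):
    """Return (crc_predictable, sha256_predictable) for three blocks."""
    combined = xor_blocks(a, b, c)
    crc_ok = zlib.crc32(combined) == crc32_of_xor_from_crcs(
        [zlib.crc32(x) for x in (a, b, c)])
    sha_ok = sha256_int(combined) == (
        sha256_int(a) ^ sha256_int(b) ^ sha256_int(c))
    return crc_ok, sha_ok


# Constructed 64-byte sample blocks (not real file contents).
BLOCK_A = bytes(range(64))
BLOCK_B = b"ESM" * 21 + b"!"
BLOCK_C = b"\x5a" * 64

if __name__ == "__main__":
    crc_ok, sha_ok = checksum_is_predictable(BLOCK_A, BLOCK_B, BLOCK_C)
    print("CRC-32 of combined block predictable from CRCs:", crc_ok)
    print("SHA-256 of combined block predictable from digests:", sha_ok)
```

A file-integrity baseline that stores only a CRC inherits this structure, which is why the digest, not the CRC, has to be the value compared when tampering is the threat.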


