Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
ovactiond is a component of OpenView by Hewlett-Packard
Company (HP) and NetView by
Tivoli, an IBM Company (Tivoli). These products are used to manage
large systems and networks. There is a serious vulnerability in
ovactiond that allows intruders to execute arbitrary commands with
elevated privileges. This may subsequently lead to an intruder gaining
administrative control of a vulnerable machine.
ovactiond is the SNMP trap and event handler for both OpenView
and NetView. There is a vulnerability in ovactiond that allows an
intruder to execute arbitrary commands by sending a malicious message
to the management server. These commands run with the privileges of
the ovactiond process, which varies according to the operating
system. OpenView version 6.1 is vulnerable in the default
configuration. Versions prior to 6.1 are not vulnerable in the default
configuration, but there are public reports that versions prior to 6.1
may be vulnerable if users have made customizations to the trapd.conf
file.
On June 21, 2001, HP released a security bulletin (HP SB #154) and
a patch for this vulnerability in OpenView version 6.1. For more
information, see
Tivoli NetView versions 5.x and 6.x are not vulnerable with the
default configuration. It is, however, likely that customized
configurations are vulnerable. This security vulnerability only exists if
an authorized user configures additional event actions and specifies
potentially destructive varbinds (those of type string or opaque). Tivoli
has developed a patch for versions 5.x and 6.x. The patch addresses the
vulnerability in ovactiond, as well as taking preventative measures on
other components specific to NetView. Tivoli has published information on this vulnerability at
An intruder can execute arbitrary commands with the privileges of the
ovactiond process. On UNIX systems, ovactiond typically runs as user
bin; on Windows systems it typically runs in the Local System security
context. On Windows NT systems, this allows an intruder to gain
administrative control of the underlying operating system. On UNIX
systems, an intruder may be able to leverage bin access to gain root
access.
Additionally, systems running these products often have trust
relationships with other network devices. An intruder who compromises
these systems may be able to leverage this trust to compromise other
devices on the network or to make changes to the network configuration.
Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact your vendor directly. This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If
a particular vendor is not listed below, we have not received their
comments.
Mac OS X and Mac OS X Server do not have this vulnerability.
Computer Associates has completed a review of all Unicenter functions and processing related to SNMP traps as indicated by the advisory. Unicenter is not subject to the
same vulnerabilities as demonstrated by the SNMP trap managers identified by CERT (i.e., OpenView and NetView). CA Unicenter does not formulate commands determined through
trap data parsing. Unicenter implements this technology using different methods and thereby avoids this exposure. Computer Associates maintains strong relationships with
these vendors and recommends that clients running any environments containing either of these products visit the website URLs specifically identified by the CERT
Coordination Center.
FreeBSD does not use this code.
Regarding VU#952171, Fujitsu's UXP/V operating system is not affected
because there's no implementation of any OpenView Technology in UXP/V.
On June 21, 2001, HP released a security bulletin (HP SB #154) and
a patch for this vulnerability in OpenView version 6.1. For more
information, see
NNM is a third-party application as far as our platform is concerned.
We don't have any special relationship with it. HP would need to provide
the patches.
Tivoli acknowledges that certain user customizations to Tivoli
NetView may lead to a potential security exposure. Please reference
http://www.tivoli.com/support/ for further information and to obtain
an e-fix which addresses the issue.
The CERT Coordination Center thanks Milo G. van der Zee for
notifying us about this problem, and Tivoli and Hewlett-Packard for
other information used in the construction of this advisory. Feedback on this document can be directed to the authors, Jason
A. Rafail and Shawn Hernan.
Copyright 2001 Carnegie Mellon University. Revision History
Systems Affected
Overview
I. Description
II. Impact
III. Solution
Apply a patch
Appendix A. - Vendor Information
Apple
Computer Associates
FreeBSD
Fujitsu
Hewlett-Packard
Microsoft
Tivoli
References
August 15, 2001: Initial release