CERT Advisory CA-2001-24 Vulnerability in OpenView and NetView

• Systems running HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms:
• HP9000 Servers running HP-UX releases 10.20 and 11.00 (only)
• Sun Microsystems Solaris releases 2.x
• Microsoft Windows NT4.x / Windows 2000
• Systems running Tivoli NetView Versions 5.x and 6.x on the following platforms:
• IBM AIX
• Sun Microsystems Solaris
• Compaq Tru64 Unix
• Microsoft Windows NT4.x / Windows 2000

Overview

I. Description

ovactiond is the SNMP trap and event handler for both OpenView and NetView. There is a vulnerability in ovactiond that allows an intruder to execute arbitrary commands by sending a malicious message to the management server. These commands run with the privileges of the ovactiond process, which varies according to the operating system.

OpenView version 6.1 is vulnerable in the default configuration. Versions prior to 6.1 are not vulnerable in the default configuration, but there are public reports that versions prior to 6.1 may be vulnerable if users have made customizations to the trapd.conf file.

On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more information, see

II. Impact

An intruder can execute arbitrary commands with the privileges of the ovactiond process. On UNIX systems, ovactiond typically runs as user bin; on Windows systems it typically runs in the Local System security context. On Windows NT systems, this allows an intruder to gain administrative control of the underlying operating system. On UNIX systems, an intruder may be able to leverage bin access to gain root access.

Additionally, systems running these products often have trust relationships with other network devices. An intruder who compromises these systems may be able to leverage this trust to compromise other devices on the network or to make changes to the network configuration.

III. Solution

Apply a patch

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple

Mac OS X and Mac OS X Server do not have this vulnerability.

Computer Associates

Computer Associates has completed a review of all Unicenter functions and processing related to SNMP traps as indicated by the advisory. Unicenter is not subject to the same vulnerabilities as demonstrated by the SNMP trap managers identified by CERT (i.e., OpenView and NetView). CA Unicenter does not formulate commands determined through trap data parsing. Unicenter implements this technology using different methods and thereby avoids this exposure. Computer Associates maintains strong relationships with these vendors and recommends that clients running any environments containing either of these products visit the website URLs specifically identified by the CERT Coordination Center.

FreeBSD

FreeBSD does not use this code.

Fujitsu

Regarding VU#952171, Fujitsu's UXP/V operating system is not affected because there's no implementation of any OpenView Technology in UXP/V.

Hewlett-Packard

On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more information, see

Microsoft

NNM is a third-party application as far as our platform is concerned. We don't have any special relationship with it. HP would need to provide the patches.

Tivoli