Original release date: August 15, 2001<BR> Last revised: --<BR> Source: CERT/CC<BR> <P>A complete revision history can be found at the end of this file. <A NAME="affected"> <H3>Systems Affected</H3> <UL> <LI>Systems running HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms:</LI> <UL> <LI>HP9000 Servers running HP-UX releases 10.20 and 11.00 (only)</LI> <LI>Sun Microsystems Solaris releases 2.x</LI> <LI>Microsoft Windows NT4.x / Windows 2000</LI> </UL> <LI>Systems running Tivoli NetView Versions 5.x and 6.x on the following platforms:</LI> <UL> <LI>IBM AIX <LI>Sun Microsystems Solaris <LI>Compaq Tru64 Unix <LI>Microsoft Windows NT4.x / Windows 2000</LI> </UL> <br> </ul> <A NAME="overview"> <H2>Overview</H2> <P> <i>ovactiond</i> is a component of <a href="http://www.openview.hp.com/">OpenView</a> by Hewlett-Packard Company (HP) and <a href="http://www.tivoli.com/products/index/netview/">NetView</a> by Tivoli, an IBM Company (Tivoli). These products are used to manage large systems and networks. There is a serious vulnerability in ovactiond that allows intruders to execute arbitrary commands with elevated privileges. This may subsequently lead to an intruder gaining administrative control of a vulnerable machine. </P> <A NAME="description"> <H2>I. Description</H2> <P> <i>ovactiond</i> is the SNMP trap and event handler for both OpenView and NetView. There is a vulnerability in ovactiond that allows an intruder to execute arbitrary commands by sending a malicious message to the management server. These commands run with the privileges of the ovactiond process, which varies according to the operating system. </p> <p>OpenView version 6.1 is vulnerable in the default configuration. Versions prior to 6.1 are not vulnerable in the default configuration, but there are public reports that versions prior to 6.1 may be vulnerable if users have made customizations to the trapd.conf file. <p>On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more information, see <dl> <dd> <A href="http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985">http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985</a> </dd> <dd> <a href="http://www.kb.cert.org/vuls/id/952171"> http://www.kb.cert.org/vuls/id/952171</a> </dd> </dl> <p> Tivoli NetView versions 5.x and 6.x are not vulnerable with the default configuration. It is, however, likely that customized configurations are vulnerable. This security vulnerability only exists if an authorized user configures additional event actions and specifies potentially destructive varbinds (those of type string or opaque). Tivoli has developed a patch for versions 5.x and 6.x. The patch addresses the vulnerability in ovactiond, as well as taking preventative measures on other components specific to NetView. </P> <p>Tivoli has published information on this vulnerability at <DL> <DD><A HREF="http://www.tivoli.com/support/">http://www.tivoli.com/support/</a> </dd> </dl> <A NAME="impact"> <H2>II. Impact</H2> <P>An intruder can execute arbitrary commands with the privileges of the ovactiond process. On UNIX systems, ovactiond typically runs as user bin; on Windows systems it typically runs in the Local System security context. On Windows NT systems, this allows an intruder to gain administrative control of the underlying operating system. On UNIX systems, an intruder may be able to leverage bin access to gain root access. <p>Additionally, systems running these products often have trust relationships with other network devices. An intruder who compromises these systems may be able to leverage this trust to compromise other devices on the network or to make changes to the network configuration. </P> <A NAME="solution"> <H2>III. Solution</H2> <H4>Apply a patch</H4> <P> Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly. </P> <A NAME="vendors"> <H2>Appendix A. - Vendor Information</H2> <P>This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.</P> <!-- end vendor --> <A NAME="apple"> <H4>Apple</H4> <p> Mac OS X and Mac OS X Server do not have this vulnerability. </p> <!-- end vendor --> <A NAME="ca"> <H4>Computer Associates</H4> <p> Computer Associates has completed a review of all Unicenter functions and processing related to SNMP traps as indicated by the advisory. Unicenter is not subject to the same vulnerabilities as demonstrated by the SNMP trap managers identified by CERT (i.e., OpenView and NetView). CA Unicenter does not formulate commands determined through trap data parsing. Unicenter implements this technology using different methods and thereby avoids this exposure. Computer Associates maintains strong relationships with these vendors and recommends that clients running any environments containing either of these products visit the website URLs specifically identified by the CERT Coordination Center. </p> <!-- end vendor --> <A NAME="freebsd"> <H4>FreeBSD</H4> <p> FreeBSD does not use this code. </p> <!-- end vendor --> <A NAME="fujitsu"> <H4>Fujitsu</H4> <p> Regarding VU#952171, Fujitsu's UXP/V operating system is not affected because there's no implementation of any OpenView Technology in UXP/V. </p> <!-- end vendor --> <A NAME="hp"> <H4>Hewlett-Packard</H4> <p>On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more information, see <dl> <dd> <A href="http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985">http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985</a> </dd> <dd> <a href="http://www.kb.cert.org/vuls/id/952171"> http://www.kb.cert.org/vuls/id/952171</a> </dd> </dl> <!-- end vendor --> <A NAME="ms"> <H4>Microsoft</H4> <p> NNM is a third-party application as far as our platform is concerned. We don't have any special relationship with it. HP would need to provide the patches. </p> <!-- end vendor --> <A NAME="tivoli"> <H4>Tivoli</H4> <p>Tivoli acknowledges that certain user customizations to Tivoli NetView may lead to a potential security exposure. Please reference <a href="http://www.tivoli.com/support/">http://www.tivoli.com/support/</a> for further information and to obtain an e-fix which addresses the issue. </p> <!-- end vendor --> <h2>References</h2> <ol> <li><a href="http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985">http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985</a> <li><a href="http://www.tivoli.com/support/">http://www.tivoli.com/support/</a> <li><a href="http://www.securityfocus.com/bid/2845">http://www.securityfocus.com/bid/2845</a> <li><a href="http://www.kb.cert.org/vuls/id/952171">http://www.kb.cert.org/vuls/id/952171</a> </ol> <HR NOSHADE> <P>The CERT Coordination Center thanks Milo G. van der Zee for notifying us about this problem, and Tivoli and Hewlett-Packard for other information used in the construction of this advisory. </P> <HR NOSHADE> <P>Feedback on this document can be directed to the authors, <A HREF="mailto:cert@cert.org?subject=CA-2001-24%20Feedback%20VU%23952171">Jason A. Rafail and Shawn Hernan.</A> <P></P> <!--#include virtual="/include/footer_nocopyright.html" --> <P>Copyright 2001 Carnegie Mellon University.</P> <P>Revision History <PRE> August 15, 2001: Initial release </PRE> |