Original release date: August 15, 2001<BR>
Last revised: --<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected"></A>
<H3>Systems Affected</H3>

<UL>

<LI>Systems running HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms:

<UL>
<LI>HP9000 Servers running HP-UX releases 10.20 and 11.00 (only)</LI>
<LI>Sun Microsystems Solaris releases 2.x</LI>
<LI>Microsoft Windows NT4.x / Windows 2000</LI>
</UL>
</LI>

<LI>Systems running Tivoli NetView Versions 5.x and 6.x on the following platforms:
<UL>
<LI>IBM AIX</LI>
<LI>Sun Microsystems Solaris</LI>
<LI>Compaq Tru64 Unix</LI>
<LI>Microsoft Windows NT4.x / Windows 2000</LI>
</UL>
</LI>

</UL>

<A NAME="overview"></A>
<H2>Overview</H2>

<P>

<i>ovactiond</i> is a component of <a
href="http://www.openview.hp.com/">OpenView</a> by Hewlett-Packard
Company (HP) and <a
href="http://www.tivoli.com/products/index/netview/">NetView</a> by
Tivoli, an IBM Company (Tivoli). These products are used to manage
large systems and networks. There is a serious vulnerability in
ovactiond that allows intruders to execute arbitrary commands with
elevated privileges. This may subsequently lead to an intruder gaining
administrative control of a vulnerable machine.

</P>

<A NAME="description"></A>
<H2>I. Description</H2>

<P>

<i>ovactiond</i> is the SNMP trap and event handler for both OpenView
and NetView. There is a vulnerability in ovactiond that allows an
intruder to execute arbitrary commands by sending a malicious message
to the management server. These commands run with the privileges of
the ovactiond process, which vary according to the operating
system. </p>



<p>OpenView version 6.1 is vulnerable in the default
configuration. Versions prior to 6.1 are not vulnerable in the default
configuration, but there are public reports that versions prior to 6.1
may be vulnerable if users have made customizations to the trapd.conf
file.</p>

<p>On June 21, 2001, HP released a security bulletin (HP SB #154) and
a patch for this vulnerability in OpenView version 6.1. For more
information, see

<dl>
<dd>
<A
href="http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985">http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985</a>
</dd>
<dd>
<a href="http://www.kb.cert.org/vuls/id/952171">
http://www.kb.cert.org/vuls/id/952171</a> 
</dd>
</dl>


<p> Tivoli NetView versions 5.x and 6.x are not vulnerable with the
default configuration. It is, however, likely that customized
configurations are vulnerable. This security vulnerability only exists if
an authorized user configures additional event actions and specifies
potentially destructive varbinds (those of type string or opaque). Tivoli
has developed a patch for versions 5.x and 6.x. The patch addresses the
vulnerability in ovactiond and also takes preventative measures on
other components specific to NetView. </P>
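<p>The risk described above, shown as an added example (not code from HP, Tivoli or the CERT/CC): an event action that pastes string or opaque varbind data into a command line lets trap data be parsed as shell syntax, while splitting the operator-written action first and substituting per argument does not. The <code>$N</code> placeholder syntax, the <code>/opt/example/notify</code> path and the sample trap are assumptions constructed for illustration.</p>

```python
import re
import shlex

# Varbind types the advisory singles out as potentially destructive.
RISKY_TYPES = {"string", "opaque"}
PLACEHOLDER = re.compile(r"\$(\d+)")  # assumed syntax: "$N" = Nth varbind


def _expand(text, varbinds):
    """Replace each $N in text with the value of the Nth varbind."""
    def value(match):
        index = int(match.group(1))
        if index not in range(1, len(varbinds) + 1):
            raise ValueError("action references missing varbind $%d" % index)
        return varbinds[index - 1][1]
    return PLACEHOLDER.sub(value, text)


def unsafe_command_line(template, varbinds):
    """Vulnerable pattern: trap data lands in text that a shell will parse."""
    return _expand(template, varbinds)


def safe_argv(template, varbinds):
    """Split the trusted template first, then substitute inside each word.

    Trap data can only become the content of one argv element; run the
    result without a shell, e.g. subprocess.run(argv, shell=False).
    """
    return [_expand(word, varbinds) for word in shlex.split(template)]


def risky_placeholders(template, varbinds):
    """Positions used by the action whose varbind type is string or opaque."""
    used = sorted({int(n) for n in PLACEHOLDER.findall(template)})
    return [n for n in used if varbinds[n - 1][0] in RISKY_TYPES]


# Constructed sample data (not from the advisory): a hypothetical action and
# a trap whose second varbind is a string carrying a shell metacharacter.
TEMPLATE = "/opt/example/notify --node $1 --text $2"
VARBINDS = [("ipaddress", "192.0.2.10"), ("string", "link down; id")]

if __name__ == "__main__":
    print("shell would parse:", unsafe_command_line(TEMPLATE, VARBINDS))
    print("argv, no shell   :", safe_argv(TEMPLATE, VARBINDS))
    print("risky varbinds   :", risky_placeholders(TEMPLATE, VARBINDS))
```

<p>In the argv form the metacharacter stays inside a single argument; in the command-line form it would start a second command when handed to a shell.</p>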

<p>Tivoli has published information on this vulnerability at 

<DL>
<DD><A HREF="http://www.tivoli.com/support/">http://www.tivoli.com/support/</a>
</dd>
</dl>

<A NAME="impact"></A>
<H2>II. Impact</H2>

<P>An intruder can execute arbitrary commands with the privileges of the
ovactiond process. On UNIX systems, ovactiond typically runs as user
bin; on Windows systems it typically runs in the Local System security
context. On Windows NT systems, this allows an intruder to gain
administrative control of the underlying operating system. On UNIX
systems, an intruder may be able to leverage bin access to gain root
access.</P>

<p>Additionally, systems running these products often have trust
relationships with other network devices. An intruder who compromises
these systems may be able to leverage this trust to compromise other
devices on the network or to make changes to the network configuration.
</P>

<A NAME="solution"></A>
<H2>III. Solution</H2>

<H4>Apply a patch</H4>

<P> Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact your vendor directly. </P>

<A NAME="vendors"></A>
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this
advisory.  When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history.  If
a particular vendor is not listed below, we have not received their
comments.</P>

<!-- end vendor -->


<A NAME="apple"></A>
<H4>Apple</H4>

<p> 
Mac OS X and Mac OS X Server do not have this vulnerability.
</p>
<!-- end vendor -->



<A NAME="ca"></A>
<H4>Computer Associates</H4>
<p>
Computer Associates has completed a review of all Unicenter functions and processing related to SNMP traps as indicated by the advisory.  Unicenter is not subject to the
same vulnerabilities as demonstrated by the SNMP trap managers identified by CERT (i.e., OpenView and NetView).  CA Unicenter does not formulate commands determined through
trap data parsing.  Unicenter implements this technology using different methods and thereby avoids this exposure.  Computer Associates maintains strong relationships with
these vendors and recommends that clients running any environments containing either of these products visit the website URLs specifically identified by the CERT
Coordination Center.
</p>
<!-- end vendor -->


<A NAME="freebsd"></A>
<H4>FreeBSD</H4>

<p> 
FreeBSD does not use this code.
</p>
<!-- end vendor -->


<A NAME="fujitsu"></A>
<H4>Fujitsu</H4>

<p> 
Regarding VU#952171, Fujitsu's UXP/V operating system is not affected 
because there's no implementation of any OpenView Technology in UXP/V.
</p>
<!-- end vendor -->


<A NAME="hp"></A>
<H4>Hewlett-Packard</H4>


<p>On June 21, 2001, HP released a security bulletin (HP SB #154) and
a patch for this vulnerability in OpenView version 6.1. For more
information, see

<dl>
<dd>
<A
href="http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985">http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985</a>
</dd>
<dd>
<a href="http://www.kb.cert.org/vuls/id/952171">
http://www.kb.cert.org/vuls/id/952171</a> 
</dd>
</dl>


<!-- end vendor -->

<A NAME="ms"></A>
<H4>Microsoft</H4>

<p> NNM is a third-party application as far as our platform is concerned.  
We don't have any special relationship with it.  HP would need to provide
the patches.
 </p>
<!-- end vendor -->


<A NAME="tivoli"></A>
<H4>Tivoli</H4>

<p>Tivoli acknowledges that certain user customizations to Tivoli
NetView may lead to a potential security exposure.  Please reference 
<a href="http://www.tivoli.com/support/">http://www.tivoli.com/support/</a> for further information and to obtain
an e-fix which addresses the issue.
</p>
<!-- end vendor -->

<h2>References</h2>

<ol>
<li><a 
href="http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985">http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985</a>
<li><a 
href="http://www.tivoli.com/support/">http://www.tivoli.com/support/</a>
<li><a
href="http://www.securityfocus.com/bid/2845">http://www.securityfocus.com/bid/2845</a>
<li><a
href="http://www.kb.cert.org/vuls/id/952171">http://www.kb.cert.org/vuls/id/952171</a>
</ol>

<HR NOSHADE>

<P>The CERT Coordination Center thanks Milo G. van der Zee for
notifying us about this problem, and Tivoli and Hewlett-Packard for
other information used in the construction of this advisory. </P>

<HR NOSHADE>

<P>Feedback on this document can be directed to the authors, <A
HREF="mailto:cert@cert.org?subject=CA-2001-24%20Feedback%20VU%23952171">Jason
A. Rafail and Shawn Hernan.</A>


<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History</P>
<PRE>
August 15, 2001:  Initial release
</PRE>