OSF1 : snmp
Systems Affected
Systems running HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms:
  * HP9000 Servers running HP-UX releases 10.20 and 11.00 (only)
  * Sun Microsystems Solaris releases 2.x
  * Microsoft Windows NT4.x / Windows 2000
Systems running Tivoli NetView Versions 5.x and 6.x on the following platforms:
  * IBM AIX
  * Sun Microsystems Solaris
  * Compaq Tru64 Unix
  * Microsoft Windows NT4.x / Windows 2000
Overview
ovactiond is a component of OpenView by Hewlett-Packard Company (HP) and NetView by Tivoli, an IBM Company (Tivoli). These
products are used to manage large systems and networks. There is a serious vulnerability in ovactiond that allows intruders to execute
arbitrary commands with elevated privileges. This may subsequently lead to an intruder gaining administrative control of a vulnerable
machine.
I. Description
ovactiond is the SNMP trap and event handler for both OpenView and NetView. There is a vulnerability in ovactiond that allows an
intruder to execute arbitrary commands by sending a malicious message to the management server. These commands run with the
privileges of the ovactiond process, which vary according to the operating system.
OpenView version 6.1 is vulnerable in the default configuration. Versions prior to 6.1 are not vulnerable in the default configuration, but
there are public reports that versions prior to 6.1 may be vulnerable if users have made customizations to the trapd.conf file.
On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more
information, see
http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985
http://www.kb.cert.org/vuls/id/952171
Tivoli NetView versions 5.x and 6.x are not vulnerable with the default configuration. It is, however, likely that customized configurations
are vulnerable. This security vulnerability only exists if an authorized user configures additional event actions and specifies potentially
destructive varbinds (those of type string or opaque). Tivoli has developed a patch for versions 5.x and 6.x. The patch addresses the
vulnerability in ovactiond, as well as taking preventative measures on other components specific to NetView.
Tivoli has published information on this vulnerability at
http://www.tivoli.com/support/
II. Impact
An intruder can execute arbitrary commands with the privileges of the ovactiond process. On UNIX systems, ovactiond typically runs as
user bin; on Windows systems it typically runs in the Local System security context. On Windows NT systems, this allows an intruder to
gain administrative control of the underlying operating system. On UNIX systems, an intruder may be able to leverage bin access to gain
root access.
Additionally, systems running these products often have trust relationships with other network devices. An intruder who compromises
these systems may be able to leverage this trust to compromise other devices on the network or to make changes to the network
configuration.
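
The Description ties exposure to event actions that pass string or opaque varbinds to a command. The audit sketch below is an added example, not part of the advisory or of HP's or Tivoli's tooling; it lists such actions in a trapd.conf so they can be reviewed. It assumes the OpenView-style layout (an EXEC line following each EVENT line, SDESC/EDESC description blocks) and the $N / $* varbind substitution syntax, neither of which the advisory describes; the sample configuration and all names in it are constructed.

```python
import re

# Assumed substitution syntax: $N is the Nth varbind, $* is all varbinds.
VARBIND_REF = re.compile(r"\$[-+]?(?:\*|\d+)")

def audit_event_actions(conf_text):
    """Return [(event, command, refs)] for EXEC actions that interpolate varbinds."""
    findings = []
    event = None
    in_description = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line == "SDESC":            # free-text description starts
            in_description = True
        elif line == "EDESC":          # free-text description ends
            in_description = False
        elif in_description or not line or line.startswith("#"):
            continue                   # never parse description text as an action
        elif line.startswith("EVENT "):
            event = line.split()[1]    # assumed layout: EVENT <name> <oid> ...
        elif line.startswith("EXEC "):
            command = line[len("EXEC "):].strip()
            refs = VARBIND_REF.findall(command)
            if refs:                   # action receives trap-supplied data
                findings.append((event, command, refs))
    return findings

# Constructed sample configuration (hypothetical events, OIDs and scripts).
SAMPLE = r'''
EVENT Example_Link_Down .1.3.6.1.4.1.99999.0.1 "Status Alarms" Major
FORMAT Link down on $2
EXEC /opt/example/notify.sh $2 $3
SDESC
EXEC lines in this description are ignored: $1
EDESC
EVENT Example_Heartbeat .1.3.6.1.4.1.99999.0.2 "LOGONLY" Normal
FORMAT Heartbeat received
EXEC /opt/example/heartbeat.sh
EVENT Example_Generic .1.3.6.1.4.1.99999.0.3 "Error Alarms" Critical
FORMAT $*
EXEC /opt/example/page.sh "$*"
'''

if __name__ == "__main__":
    for name, command, refs in audit_event_actions(SAMPLE):
        print(f"{name}: passes {', '.join(refs)} to: {command}")
```

The file alone does not reveal a varbind's SNMP type, so every reported action needs a manual check of which varbinds are string or opaque.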