
OSF1 : snmp



                   Systems Affected

                         Systems running HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms: 
                              HP9000 Servers running HP-UX releases 10.20 and 11.00 (only) 
                              Sun Microsystems Solaris releases 2.x 
                              Microsoft Windows NT4.x / Windows 2000 
                         Systems running Tivoli NetView Versions 5.x and 6.x on the following platforms: 
                              IBM AIX 
                              Sun Microsystems Solaris 
                              Compaq Tru64 Unix 
                              Microsoft Windows NT4.x / Windows 2000 

                   Overview

                   ovactiond is a component of OpenView by Hewlett-Packard Company (HP) and NetView by Tivoli, an IBM Company (Tivoli). These
                   products are used to manage large systems and networks. There is a serious vulnerability in ovactiond that allows intruders to execute
                   arbitrary commands with elevated privileges. This may subsequently lead to an intruder gaining administrative control of a vulnerable
                   machine. 

                   I. Description

                   ovactiond is the SNMP trap and event handler for both OpenView and NetView. There is a vulnerability in ovactiond that allows an
                   intruder to execute arbitrary commands by sending a malicious message to the management server. These commands run with the
                   privileges of the ovactiond process, which vary according to the operating system. 

                   OpenView version 6.1 is vulnerable in the default configuration. Versions prior to 6.1 are not vulnerable in the default configuration, but
                   there are public reports that versions prior to 6.1 may be vulnerable if users have made customizations to the trapd.conf file. 

                   On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more
                   information, see 

                         http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985 
                         http://www.kb.cert.org/vuls/id/952171 

                   Tivoli NetView versions 5.x and 6.x are not vulnerable with the default configuration. It is, however, likely that customized configurations
                   are vulnerable. This security vulnerability only exists if an authorized user configures additional event actions and specifies potentially
                   destructive varbinds (those of type string or opaque). Tivoli has developed a patch for versions 5.x and 6.x. The patch addresses the
                   vulnerability in ovactiond and also takes preventative measures on other components specific to NetView. 
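
An added example, not part of the original advisory or of either vendor's tooling: a review of customized event actions that flags any action command referencing a varbind of type string or opaque, the condition the paragraph above describes. The inventory layout, the event names, the script paths and the `$N` / `$*` placeholder notation are assumptions made for illustration; this is not the real trapd.conf syntax.

```python
import re
from dataclasses import dataclass

# Varbind types the advisory calls potentially destructive.
RISKY_TYPES = {"string", "opaque"}

# Assumed placeholder notation: $N is the N-th varbind, $* is all of them.
PLACEHOLDER = re.compile(r"\$(\d+|\*)")

@dataclass
class EventAction:
    event: str           # event name (constructed)
    command: str         # action command template; "" means no action configured
    varbind_types: list  # declared type of each varbind, in order

def risky_references(action):
    """Return sorted (position, type) pairs for risky varbinds the command uses."""
    hits = set()
    for ref in PLACEHOLDER.findall(action.command):
        if ref == "*":
            positions = range(1, len(action.varbind_types) + 1)
        else:
            positions = [int(ref)]
        for pos in positions:
            if 1 <= pos <= len(action.varbind_types):
                vtype = action.varbind_types[pos - 1].lower()
                if vtype in RISKY_TYPES:
                    hits.add((pos, vtype))
            else:
                # Undeclared varbind: type unknown, so flag it conservatively.
                hits.add((pos, "unknown"))
    return sorted(hits)

def audit(actions):
    """Map each event with at least one risky reference to its findings."""
    findings = {a.event: risky_references(a) for a in actions}
    return {event: refs for event, refs in findings.items() if refs}

# Constructed sample inventory of customized event actions.
SAMPLE = [
    EventAction("Link_Down", "/opt/site/bin/page_oncall $1", ["integer", "string"]),
    EventAction("Disk_Full", "/opt/site/bin/log_event $2", ["integer", "string"]),
    EventAction("Vendor_Alert", "/opt/site/bin/notify $*", ["opaque", "integer"]),
    EventAction("Node_Up", "", ["string"]),
    EventAction("Fan_Fail", "/opt/site/bin/ticket $3", ["integer"]),
]

if __name__ == "__main__":
    for event, refs in audit(SAMPLE).items():
        print(event, refs)
```

Events reported by the audit are the ones to review first when applying the vendor patch or removing customized actions.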

                   Tivoli has published information on this vulnerability at 

                         http://www.tivoli.com/support/ 

                   II. Impact

                   An intruder can execute arbitrary commands with the privileges of the ovactiond process. On UNIX systems, ovactiond typically runs as
                   user bin; on Windows systems it typically runs in the Local System security context. On Windows NT systems, this allows an intruder to
                   gain administrative control of the underlying operating system. On UNIX systems, an intruder may be able to leverage bin access to gain
                   root access. 

                   Additionally, systems running these products often have trust relationships with other network devices. An intruder who compromises
                   these systems may be able to leverage this trust to compromise other devices on the network or to make changes to the network
                   configuration.