Hewlett Packard OpenView and Tivoli NetView do not adequately validate SNMP trap arguments

2001-06-21T00:00:00
ID VU:952171
Type cert
Reporter CERT
Modified 2001-09-06T00:00:00

Description

Overview

Hewlett Packard's (HP) OpenView and Tivoli NetView are system management software packages. There is a vulnerability a component of these packages, ovactiond, that allows intruders to execute arbitrary commands as user bin. This may subsequently lead to a root compromise.

Description

HP OpenView and Tivoli NetView are set of tools to manage large networks. Part of OpenView and NetView is a daemon called ovactiond, which is the SNMP trap and event handler. It is possible for an intruder to execute arbitrary commands by sending a malicious message to a vulnerable version of ovactiond. These commands run with the privileges of the ovactiond process, typically bin on Unix systems, and SYSTEM on Windows NT/2000. Often it is possible to use this access to gain root access on Unix systems. An exploit is publicly available. Note that Tivoli NetView is not vulnerable via the default configuration, however, it is likely that customized configurations are vulnerable HP is vulnerable by the default configuration.

For more information, see HP Security Bulletin HPSBUX0106-154 and <http://www.tivoli.com/support/>.

It has been confirmed with HP that the patch referenced on Security Focus for OpenView Version 5.01 is only for Version 6.1.


Impact

An intruder can execute arbitrary commands with the privileges of the ovactiond process, typically bin on Unix systems, and SYSTEM on Window NT/2000 systems.


Solution

Apply patches from your vendor as appropriate. HP has released HP Security Bulletin HPSBUX0106-154. Tivoli has information posted on <http://www.tivoli.com/support/>.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Compaq Computer Corporation| | 21 Jun 2001| 15 Aug 2001
Hewlett Packard| | 15 Jun 2001| 24 Aug 2001
IBM| | 21 Jun 2001| 15 Aug 2001
Microsoft| | 15 Jun 2001| 15 Aug 2001
Sun| | 15 Jun 2001| 15 Aug 2001
Tivoli| | 27 Jun 2001| 15 Aug 2001
Apple| | 21 Jun 2001| 15 Aug 2001
Computer Associates| | 07 Aug 2001| 15 Aug 2001
FreeBSD| | 21 Jun 2001| 15 Aug 2001
Fujitsu| | 21 Jun 2001| 15 Aug 2001
BSDI| | 21 Jun 2001| 15 Aug 2001
Caldera| | 21 Jun 2001| 15 Aug 2001
Debian| | 21 Jun 2001| 15 Aug 2001
Dg| | 21 Jun 2001| 15 Aug 2001
NEC| | 21 Jun 2001| 15 Aug 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985>
  • <http://www.tivoli.com/support/>
  • <http://www.securityfocus.com/bid/2845>

Credit

Our thanks to Milo G. van der Zee, who reported this problem to us and to Hewlett-Packard for the information contained in their advisory.

This document was written by Jason Rafail.

Other Information

  • CVE IDs: CAN-2001-0552
  • CERT Advisory: CA-2001-24
  • Date Public: 08 Jun 2001
  • Date First Published: 21 Jun 2001
  • Date Last Updated: 06 Sep 2001
  • Severity Metric: 44.89
  • Document Revision: 18