The installed version of HP Network Node Manager is affected by the following vulnerabilities :
A remote code execution vulnerability exists because the ‘nnmRptConfig.exe’ CGI application does not adequately validate user-supplied input. (CVE-2011-3165)
A remote code execution vulnerability exists within ov.dll. Insufficient boundary checking before supplying the value to a format string within _OVBuildPath can cause a stack overflow, leading to memory corruption, which could allow an attacker to execute arbitrary code within the context of the target service. (CVE-2011-3166)
A remote code execution vulnerability exists within the webappmon.exe CGI program. The vulnerability is due an insufficient boundary check before supplying a format string with the values. This causes a stack overflow, which can lead to memory corruption that can be exploited to execute arbitrary code within the context of the target service. (CVE-2011-3167)
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(58516);
script_version("1.12");
script_cvs_date("Date: 2018/11/15 20:50:22");
script_cve_id("CVE-2011-3165", "CVE-2011-3166", "CVE-2011-3167");
script_bugtraq_id(50471, 51049);
script_name(english:"HP OpenView Network Node Manager Multiple Code Execution Vulnerabilities (HPSBMU02712 SSRT100649)");
script_summary(english:"Checks NNM version & patch level");
script_set_attribute(attribute:"synopsis", value:
"The version of HP Network Node Manager running on the remote host is
affected by multiple code execution vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The installed version of HP Network Node Manager is affected by the
following vulnerabilities :
- A remote code execution vulnerability exists because
the 'nnmRptConfig.exe' CGI application does not
adequately validate user-supplied input. (CVE-2011-3165)
- A remote code execution vulnerability exists within
ov.dll. Insufficient boundary checking before supplying
the value to a format string within _OVBuildPath can
cause a stack overflow, leading to memory corruption,
which could allow an attacker to execute arbitrary code
within the context of the target service. (CVE-2011-3166)
- A remote code execution vulnerability exists within the
webappmon.exe CGI program. The vulnerability is due an
insufficient boundary check before supplying a format
string with the values. This causes a stack overflow,
which can lead to memory corruption that can be
exploited to execute arbitrary code within the context
of the target service. (CVE-2011-3167)");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-348/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-002/");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-003/");
# https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03054052-1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?02dda619");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/520349");
script_set_attribute(attribute:"solution", value:"Upgrade to B.07.53 Patchlevel NNM_01213 or its equivalent.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/11/01");
script_set_attribute(attribute:"patch_publication_date", value:"2011/11/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/28");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:openview_network_node_manager");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:openview_network_node_manager");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
script_family(english:"Gain a shell remotely");
script_dependencies('hp_nnm_detect.nbin');
script_require_keys('hp/hp_nnm');
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# Get the port number
port = get_http_port(default:7510);
# Get the version number and patch info
version = get_kb_item_or_exit('hp/hp_nnm/'+port+'/version');
if (version !~ "^[A-Z]+\.[0-9]+\.[0-9]+$") exit(1, "The version of Network Node Manager listening on port "+port+" is not recognized ("+version+").");
version_split = split(version, sep:'.', keep:FALSE);
patchlevel = get_kb_item('hp/hp_nnm/'+port+'/patchlevel');
# Versions before B.07.53 are vulnerable, as are B.07.53 before NMM_01213
if (
version_split[0] == 'B' &&
int(version_split[1]) == 7 &&
(
int(version_split[2]) < 53 ||
(int(version_split[2]) == 53 && (isnull(patchlevel) || patchlevel < 'NNM_01213'))
)
)
{
if (report_verbosity > 0)
{
report = '\n Installed version : ' + version;
if (!isnull(patchlevel)) report += ' ' + patchlevel + ' (or equivalent)';
report += '\n Fixed version : B.07.53 Windows => NNM_01213' +
'\n Solaris => PSOV_03535' +
'\n Linux RedHatAS2.1 => LXOV_00121' +
'\n Linux RedHat4AS-x86_64 => LXOV_00122' +
'\n HP-UX (IA) => PHSS_42233' +
'\n HP-UX (PA) => PHSS_42232' +
'\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
else
{
errmsg = "The Network Node Manager " + version + " ";
if (!isnull(patchlevel)) errmsg += patchlevel + " (or equivalent) ";
errmsg += " install listening on port "+port+" is not affected.";
exit(0, errmsg);
}
Vendor | Product | Version | CPE |
---|---|---|---|
hp | openview_network_node_manager | cpe:/a:hp:openview_network_node_manager |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3165
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3166
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3167
www.nessus.org/u?02dda619
www.securityfocus.com/archive/1/520349
www.zerodayinitiative.com/advisories/ZDI-11-348/
www.zerodayinitiative.com/advisories/ZDI-12-002/
www.zerodayinitiative.com/advisories/ZDI-12-003/