CERT-SEI

Vulnerability in OpenView and NetView

Original release date: August 15, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

  • Systems running HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms:
    • HP9000 Servers running HP-UX releases 10.20 and 11.00 (only)
    • Sun Microsystems Solaris releases 2.x
    • Microsoft Windows NT4.x / Windows 2000
  • Systems running Tivoli NetView Versions 5.x and 6.x on the following platforms:
    • IBM AIX
    • Sun Microsystems Solaris
    • Compaq Tru64 Unix
    • Microsoft Windows NT4.x / Windows 2000

Overview

ovactiond is a component of OpenView by Hewlett-Packard Company (HP) and NetView by Tivoli, an IBM Company (Tivoli). These products are used to manage large systems and networks. There is a serious vulnerability in ovactiond that allows intruders to execute arbitrary commands with elevated privileges. This may subsequently lead to an intruder gaining administrative control of a vulnerable machine.

I. Description

ovactiond is the SNMP trap and event handler for both OpenView and NetView. There is a vulnerability in ovactiond that allows an intruder to execute arbitrary commands by sending a malicious message to the management server. These commands run with the privileges of the ovactiond process, which varies according to the operating system.

OpenView version 6.1 is vulnerable in the default configuration. Versions prior to 6.1 are not vulnerable in the default configuration, but there are public reports that versions prior to 6.1 may be vulnerable if users have made customizations to the trapd.conf file.

On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more information, see

http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985
http://www.kb.cert.org/vuls/id/952171

Tivoli NetView versions 5.x and 6.x are not vulnerable with the default configuration. It is, however, likely that customized configurations are vulnerable. This security vulnerability only exists if an authorized user configures additional event actions and specifies potentially destructive varbinds (those of type string or opaque). Tivoli has developed a patch for versions 5.x and 6.x. The patch addresses the vulnerability in ovactiond, as well as taking preventative measures on other components specific to NetView.

Tivoli has published information on this vulnerability at

http://www.tivoli.com/support/

II. Impact

An intruder can execute arbitrary commands with the privileges of the ovactiond process. On UNIX systems, ovactiond typically runs as user bin; on Windows systems it typically runs in the Local System security context. On Windows NT systems, this allows an intruder to gain administrative control of the underlying operating system. On UNIX systems, an intruder may be able to leverage bin access to gain root access.

Additionally, systems running these products often have trust relationships with other network devices. An intruder who compromises these systems may be able to leverage this trust to compromise other devices on the network or to make changes to the network configuration.

III. Solution

Apply a patch

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple

Mac OS X and Mac OS X Server do not have this vulnerability.

Computer Associates

Computer Associates has completed a review of all Unicenter functions and processing related to SNMP traps as indicated by the advisory. Unicenter is not subject to the same vulnerabilities as demonstrated by the SNMP trap managers identified by CERT (i.e., OpenView and NetView). CA Unicenter does not formulate commands determined through trap data parsing. Unicenter implements this technology using different methods and thereby avoids this exposure. Computer Associates maintains strong relationships with these vendors and recommends that clients running any environments containing either of these products visit the website URLs specifically identified by the CERT Coordination Center.

FreeBSD

FreeBSD does not use this code.

Fujitsu

Regarding VU#952171, Fujitsu's UXP/V operating system is not affected because there's no implementation of any OpenView Technology in UXP/V.

Hewlett-Packard

On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more information, see

http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985
http://www.kb.cert.org/vuls/id/952171

Microsoft

NNM is a third-party application as far as our platform is concerned. We don't have any special relationship with it. HP would need to provide the patches.

Tivoli

Tivoli acknowledges that certain user customizations to Tivoli NetView may lead to a potential security exposure. Please reference http://www.tivoli.com/support/ for further information and to obtain an e-fix which addresses the issue.

References

  1. http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985
  2. http://www.tivoli.com/support/
  3. http://www.securityfocus.com/bid/2845
  4. http://www.kb.cert.org/vuls/id/952171

The CERT Coordination Center thanks Milo G. van der Zee for notifying us about this problem, and Tivoli and Hewlett-Packard for other information used in the construction of this advisory.


Feedback on this document can be directed to the authors, Jason A. Rafail and Shawn Hernan.

Copyright 2001 Carnegie Mellon University.

Revision History

August 15, 2001:  Initial release