COMMAND

    webadmin (Compaq Management Agent)

SYSTEMS AFFECTED

    Compaq Webadmin (see below)

PROBLEM

    Andrew Kunz posted the following. As part of an ongoing concern
    about security and Internet technology, Compaq has identified a
    potential security hole in the web-enabled portion of Compaq
    Management Agents and of the Compaq Survey Utility when installed
    as an agent. The hole can be used to read any file on the agent
    host whose location and filename are known, or to terminate the
    process that controls the web agents. It affects the web
    component of Compaq Management Agents version 4.0 and greater and
    the Compaq Survey Utility version 2.0 and greater when installed
    as an agent. SNMP and DMI components without the web capability
    enabled are not affected. While there are no reports of customers
    being adversely affected by this vulnerability, Compaq is
    proactively releasing this bulletin so that customers can take
    appropriate action to protect themselves against it.

    The web component of Compaq Management Agents version 4.0 and
    greater and Compaq Survey Utility 2.0 and greater provides HTTP
    services so that management information can be viewed through a
    web browser. Compaq has always advocated that these agents and
    utilities be deployed only on private networks and that they are
    not for use on the Internet or on systems outside the bounds of a
    firewall. Because of this, Compaq believes the primary threat is
    an internal one; note, though, that any host able to reach the
    agent's HTTP service can trigger either problem. The agents have
    been found vulnerable to a file read hole, which lets files whose
    location and name are known be read from the file system on which
    the agents are installed, and to an overflow that can terminate
    the web agent process. In some cases with Novell NetWare the
    overflow has caused the server to stop responding.

    This affects the web component of all Compaq Management Agents
    4.0 and greater running on Windows NT, Windows 9x, Windows 2000,
    NetWare and Tru64 Unix. Also affected is the Compaq Survey
    Utility 2.0 and greater when installed as an agent on Windows NT
    or NetWare. Affected agent software includes that installed on
    ProLiant and Prosignia servers (since May 1998), AlphaServers
    with Windows NT (since October 1998), AlphaServers with Tru64
    Unix (since May 1999), DIGITAL Intel Servers (since October
    1998), Professional Workstations (since May 1998), Deskpro and
    Prosignia desktops (since September 1998), and Armada and
    Prosignia portables (since September 1998). A complete matrix can
    be found at the end of this document. Compaq Management Agents
    for SCO Unix, UnixWare and OpenServer, IBM OS/2 and Compaq
    OpenVMS are not affected in any way.

SOLUTION

    Compaq is actively pursuing the testing and release of a software
    fix for the problem. It will initially be released as a new
    version 4.23b of the Server Management Agents and a new version
    2.18 of the Survey Utility. The Client Management Agent that is
    pre-installed at the factory will become version 4.3, and a
    SoftPAQ with Client Management Agent 4.2C will be issued with the
    fix. Until the fixed versions are installed, the bulletin's own
    deployment guidance is the mitigation: keep the agents off the
    Internet and behind a firewall, and remember that SNMP and DMI
    components without the web capability enabled are not affected.
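
    As a practical check against the affected-version and platform
    lists in this bulletin, here is an added Python example, written
    for this page and not Compaq's own code or tooling, that flags
    inventory records still inside the affected range. The version
    thresholds (4.0 up to 4.23b for the server agents, 4.0 up to 4.2C
    for the client agent, 2.0 up to 2.18 for the Survey Utility) and
    the platform lists are the ones the bulletin states; the product
    keys, the sample inventory and the version-ordering rules (the
    part after the dot is one integer, a letter suffix sorts after
    the bare number, letters compare case-insensitively) are
    assumptions made for the example.

```python
"""Inventory check for the Compaq web agent advisory.

Added example, not part of the original bulletin. Version thresholds and
platforms are the ones the bulletin states; the version-ordering rules
are assumptions made for this check and are marked below.
"""
import re

# Affected ranges from the bulletin: first affected version (inclusive)
# and first fixed version (exclusive).
#   Server Management Agents  : 4.0 and greater, fixed in 4.23b
#   Client Management Agent   : 4.0 and greater, fix ships as 4.2C (4.3 from the factory)
#   Survey Utility (as agent) : 2.0 and greater, fixed in 2.18
FIX_RANGES = {
    "server_agents": ("4.0", "4.23b"),
    "client_agent": ("4.0", "4.2C"),
    "survey_utility": ("2.0", "2.18"),
}

# Platforms the bulletin names as affected, per product. SNMP/DMI-only
# installs and the SCO, UnixWare, OpenServer, OS/2 and OpenVMS agents are
# out of scope entirely. The product keys are assumptions for this example.
AFFECTED_PLATFORMS = {
    "server_agents": {"windows nt", "windows 9x", "windows 2000", "netware", "tru64"},
    "client_agent": {"windows nt", "windows 9x", "windows 2000", "netware", "tru64"},
    "survey_utility": {"windows nt", "netware"},
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)([A-Za-z]?)\s*$")


def parse_version(text):
    """Turn '4.23b' into (4, 23, 'b').

    Assumptions (not stated in the bulletin): the part after the dot is one
    integer, so 4.2 < 4.23; a trailing letter sorts after the bare number,
    so 4.23 < 4.23b; letters compare case-insensitively (4.2c == 4.2C).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised agent version: {text!r}")
    major, minor, suffix = m.groups()
    return (int(major), int(minor), suffix.lower())


def is_affected(product, version, platform, web_enabled=True):
    """True if this install is inside the bulletin's affected range."""
    if not web_enabled:  # SNMP/DMI-only install: bulletin says unaffected
        return False
    if platform.lower() not in AFFECTED_PLATFORMS[product]:
        return False
    first_bad, first_fixed = (parse_version(v) for v in FIX_RANGES[product])
    return first_bad <= parse_version(version) < first_fixed


def audit(inventory):
    """Return the hostnames that still need the fix, from a list of
    (host, product, version, platform, web_enabled) records."""
    return [host for host, product, version, platform, web in inventory
            if is_affected(product, version, platform, web)]


# Constructed sample inventory for the demonstration (not real hosts).
SAMPLE_INVENTORY = [
    ("proliant-01", "server_agents", "4.10", "Windows NT", True),
    ("proliant-02", "server_agents", "4.23b", "Windows NT", True),
    ("proliant-03", "server_agents", "4.10", "Windows NT", False),
    ("alpha-tru64", "server_agents", "4.23", "Tru64", True),
    ("netware-srv", "survey_utility", "2.17", "NetWare", True),
    ("deskpro-17", "client_agent", "4.2B", "Windows 9x", True),
    ("deskpro-18", "client_agent", "4.2C", "Windows 9x", True),
    ("sco-box", "server_agents", "4.10", "SCO Unix", True),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: affected, needs the fixed agent version")
```

    The client agent is kept as a separate product key because its fix
    version, 4.2C, is numerically below the server agents' 4.23b under
    these ordering rules; folding the two into one range would either
    miss affected client installs or flag fixed server installs.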