COMMAND
Compaq Insight Manager
SYSTEMS AFFECTED
Compaq Insight Manager
PROBLEM
Compaq Insight Manager has a serious configuration issue which
allows the software to be used as a proxy server. No logging is
performed by either the OS or the application, making this a perfect
anonymous proxy. The following is based on Compaq Advisory SSRT0715,
issued on 22-MAR-2001.
Compaq web-enabled management software can act as a generic proxy
server. Internal traffic going out to the Internet can bypass
normal proxy server filtering using the Compaq web-enabled
management software at TCP port 2301 on the proxy server system.
In addition external traffic may be able to infiltrate internal
networks by using the Compaq web-enabled management software at
port 2301 on a server exposed to the internet as a proxy if there
is no additional firewall protection.
The severity of this problem is high for systems that are
connected to multiple networks, particularly if one network is
secure (an intranet) while the other is insecure (the internet).
The severity of this problem is low for systems that are only
connected to one network.
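Because neither the OS nor the application logs use of the port 2301 proxy, exposure has to be detected at the network boundary instead. The following is an added example, not from the advisory or from Compaq, that flags accepted connections to the management ports 2301 and 280 from non-private source addresses; the firewall log format, field names and addresses are constructed assumptions.

```python
import ipaddress
import re

MANAGEMENT_PORTS = {2301, 280}  # the Compaq management ports named in the advisory

# Constructed sample firewall log (not a real Compaq or firewall format):
# "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2001-03-22T10:01:05 ACCEPT TCP 192.168.10.25:40211 -> 192.168.10.5:2301
2001-03-22T10:02:17 ACCEPT TCP 203.0.113.45:51022 -> 198.51.100.7:2301
2001-03-22T10:02:19 ACCEPT TCP 203.0.113.45:51023 -> 198.51.100.7:280
2001-03-22T10:03:01 ACCEPT TCP 203.0.113.90:44310 -> 198.51.100.7:443
2001-03-22T10:04:44 DROP TCP 203.0.113.91:50001 -> 198.51.100.7:2301
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# RFC 1918 plus loopback, listed explicitly: the stdlib is_private flag
# would also treat documentation ranges such as 203.0.113.0/24 as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return None if m is None else m.groupdict()

def is_external(addr):
    """True when the address lies outside the private and loopback ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)

def find_exposed_management_access(log_text):
    """Return (ts, src, dst, dport) for accepted TCP hits on a management port from outside."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["action"] != "ACCEPT":
            continue
        dport = int(rec["dport"])
        if dport in MANAGEMENT_PORTS and is_external(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], dport))
    return hits

if __name__ == "__main__":
    for ts, src, dst, port in find_exposed_management_access(SAMPLE_LOG):
        print(f"{ts}: external {src} reached management port {port} on {dst}")
```

On a multi-homed server any hit from the internet-facing side is the high-severity case the advisory describes; internal-only hits are the low-severity case.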
The web component of Compaq web-enabled management software
provides HTTP services to allow management information to be
accessible through a web browser. Web-enabled management software
is provided for the majority of the operating systems that Compaq
supports on its Intel-based and Alpha-based server and client
systems.
These operating systems include Microsoft Windows 9x, NT and 2000,
NetWare, SCO OpenServer 5, SCO UnixWare 7, RedHat 6.2 and 7.0,
Tru64 UNIX and OpenVMS. Web-enabled management software is also
supported for Compaq storage products.
This Security Advisory applies to all web-enabled Compaq
management software. A list of affected software versions is
included at the end of this Advisory.
The web-enabled component of the Remote Insight Lights-Out Edition
board is NOT affected. Also unaffected are the downloadable
integration modules that Compaq provides to enhance the management
of Compaq platforms from within enterprise management consoles
such as CA Unicenter TNG, Tivoli Enterprise, Tivoli NetView and
HP OpenView.
SOLUTION
Compaq strongly recommends that web-enabled agents and utilities
be deployed only in private networks and not used on the open
Internet or on systems outside the bounds of the firewall. The
implementation of sound security practices, which include disabling
access to non-essential ports such as the Compaq Management ports
2301 and 280, should help to protect customers from external
malicious attacks. Compaq also recommends that strong passwords be
used and changed regularly.
Compaq is currently completing the testing and release of fixes
for the affected software. Compaq Management CD Version 5.0
includes an update that fixes the generic proxy server issue in
some Compaq web-enabled management software. In addition to
releasing new versions of the software, Compaq will also release
software patches to update the web-enabled component of the
affected software for customers who do not want to upgrade their
systems to the latest version. Two patches are available for
download now from:
ftp://ftp.compaq.com/pub/softpaq/sp16001-16500/
Softpaq 16318 fixes the problem for affected versions of Compaq
Foundation Agents for Windows Servers, Compaq Survey for Windows,
Compaq Power Manager, Compaq Availability Agents and Compaq
Intelligent Cluster Administrator. This patch also fixes the
problem for the SNMP and DMI agents installed with Compaq Insight
Manager XE Version 2.0 and 2.1.
Softpaq 16317 fixes the problem for affected versions of the
Compaq Foundation Agents for NetWare servers. New versions of
the following software will be made available. These two patches
replace/supersede Softpaq 14487 and Softpaq 14488 noted in the
previous security advisory SSRT0705 (Jan 2001).
For Tru64 UNIX a new version of the Agents, V2.2, packaged in the
form of a setld tar kit, is available from the Compaq Management
CD Version 5.0, or can be downloaded from the following FTP
support site:
http://ftp.support.compaq.com/public/unix/
On the Tru64 UNIX FTP support site, the kit "MUPssrt0715u_cpqim.tar"
along with its Readme file "MUPssrt0715_cpqim.Readme" can be found
under each of the impacted Unix directories, which include 4.0f,
4.0g, 5.0, 5.0a and 5.1. The Readme file provides the installation
steps for the patch kit. MUPssrt0715 supersedes MUPssrt0705 for
Tru64 UNIX.
For OpenVMS a fix for this problem will be provided in Version
2.2 of the Management Agents for OpenVMS via our web site:
http://www.openvms.compaq.com/openvms/products/mgmt_agents
Version 2.2 of the Management agents should be available at this
web site in late March or early April.
Compaq Management Agents for Desktops and Workstations version
4.37, Rev G (SP16951) will be available on 3/23/2001.
LC Combined Client 1.50 Rev C (SP16622) (containing updated Client
agents, LCRMS, and Diagnostics) will be available before mid
April.
If you are unable to wait for the fix to become available, you can
disable the web component of the agents. For those cases where it
is not possible to disable only the web component, Compaq has
instructions for disabling the entire agent or utility.
Compaq's site recommends stopping the Insight Manager and web-agent
services in the Control Panel, but this alone does not stop port
2301 from serving your machine statistics. You must also disable
the surveyor service; this takes down the page and stops polling of
the machine.