Hewlett-Packard Co. has issued a number of patches for a component in its OpenView software package. The company advises administrators to apply the patches immediately, given the severity of the vulnerabilities.
The HP OpenView Network Node Manager (OV NNM) has 12 buffer overflow vulnerabilities that an attacker could exploit to execute arbitrary code and even gain system control.
“The technical characteristics of these vulnerabilities (simple overflows with attacker controlled data) make them prime targets for exploitation,” said Aaron Portnoy, a researcher at the network security firm TippingPoint who found some of the vulnerabilities. TippingPoint is a division of 3Com. HP announced plans to acquire 3Com last month.
Only OV NNM versions 7.01, 7.51 and 7.53 that run on HP-UX, Linux, Solaris or Microsoft Windows are vulnerable. The company has issued a patch for version 7.53 of the software. Users of the older affected versions of the software are encouraged to upgrade to 7.53 and apply the patch.
TippingPoint disclosed to HP 11 of the 12 vulnerabilities. Portnoy, who works at TippingPoint’s DVLabs discovered 7 of these vulnerabilities and another 4 came from the company’s Zero Day Initiative program of associate researchers. IBM’s X-Force security research team found the remaining vulnerability.
Each of the vulnerabilities have been given a rating of 10 on the Common Vulnerability Scoring System scale, the most severe rating possible. All the vulnerabilities have been assigned Common Vulnerabilities and Exposures identifiers, and they are currently being reviewed by the CVE editorial board.
All the vulnerabilities TippingPoint found reside in different components of OV NMM that use the Common Gateway Interface (CGI), Portnoy explained. “An attacker can exploit any of these flaws to remotely execute arbitrary code on the affected system,” he said, by e-mail. This set of vulnerabilities, all of them of the buffer overflow variety, allow a malicious user to submit a long string of code to the executable. Such code could overwrite system memory not allocated to the program, and conceivably could include malicious commands that would be executed by the machine. Authentication is not needed to exploit these vulnerabilities.
“Most of the vulnerabilities we’re talking about here are due to the CGI not checking the length of some of these [inputs] and copying them into fixed-length buffers,” Portnoy explained. “By sending an HTTP request with a large enough string we can overflow the buffer and overwrite internal variables thus leading to remote code execution.”
The vulnerability discovered by X-Force is also a buffer overflow, one that allows a malicious user to send a HTTP message that could overfill the buffer. OV NNM “permits unauthenticated users to send arbitrary HTTP requests,” the IBM advisory stated.
The Network Node Manager, part of the HP’s OpenView suite of network management tools, facilitates the discovery of nodes on a network, as well as the mapping and monitoring of networks.
