HP patches OpenView vulnerabilities

Hewlett-Packard Co. has issued a number of patches for a component in its OpenView software package. The company advises administrators to apply the patches immediately, given the severity of the vulnerabilities.

The HP OpenView Network Node Manager (OV NNM) has 12 buffer overflow vulnerabilities that an attacker could exploit to execute arbitrary code and even gain system control.

“The technical characteristics of these vulnerabilities (simple overflows with attacker controlled data) make them prime targets for exploitation,” said Aaron Portnoy, a researcher at the network security firm TippingPoint who found some of the vulnerabilities. TippingPoint is a division of 3Com. HP announced plans to acquire 3Com last month.

Only OV NNM versions 7.01, 7.51 and 7.53 that run on HP-UX, Linux, Solaris or Microsoft Windows are vulnerable. The company has issued a patch for version 7.53 of the software. Users of the older affected versions of the software are encouraged to upgrade to 7.53 and apply the patch.

TippingPoint disclosed to HP 11 of the 12 vulnerabilities. Portnoy, who works at TippingPoint’s DVLabs discovered 7 of these vulnerabilities and another 4 came from the company’s Zero Day Initiative program of associate researchers. IBM’s X-Force security research team found the remaining vulnerability.

Each of the vulnerabilities have been given a rating of 10 on the Common Vulnerability Scoring System scale, the most severe rating possible. All the vulnerabilities have been assigned Common Vulnerabilities and Exposures identifiers, and they are currently being reviewed by the CVE editorial board.

All the vulnerabilities TippingPoint found reside in different components of OV NMM that use the Common Gateway Interface (CGI), Portnoy explained. “An attacker can exploit any of these flaws to remotely execute arbitrary code on the affected system,” he said, by e-mail. This set of vulnerabilities, all of them of the buffer overflow variety, allow a malicious user to submit a long string of code to the executable. Such code could overwrite system memory not allocated to the program, and conceivably could include malicious commands that would be executed by the machine. Authentication is not needed to exploit these vulnerabilities.

“Most of the vulnerabilities we’re talking about here are due to the CGI not checking the length of some of these [inputs] and copying them into fixed-length buffers,” Portnoy explained. “By sending an HTTP request with a large enough string we can overflow the buffer and overwrite internal variables thus leading to remote code execution.”

The vulnerability discovered by X-Force is also a buffer overflow, one that allows a malicious user to send a HTTP message that could overfill the buffer. OV NNM “permits unauthenticated users to send arbitrary HTTP requests,” the IBM advisory stated.

The Network Node Manager, part of the HP’s OpenView suite of network management tools, facilitates the discovery of nodes on a network, as well as the mapping and monitoring of networks.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now