A vulnerability in Hewlett-Packard's OpenView and Tivoli Systems' NetView can allow an attacker to gain privileges on servers and, in some circumstances, even take the server over, according to a security bulletin released earlier this week by government-funded network security group, Computer Emergency Response Team/Coordination Center (CERT/CC). Both HP and Tivoli have issued patches to fix the problem.
OpenView and NetView are network management tools used to administer large networks. The security hole is in the ovactiond component of both programs, a component that handles events for the server, CERT/CC said. By sending a request for service formed in a certain, malicious way to the server, an attacker can gain access to the system, though the level of access is determined by how the server is configured, CERT/CC said.
The attacker is only able to execute commands with the same level of access that is assigned to the ovactiond component, CERT/CC said. This means that an attacker would generally gain user access on Unix systems and control of the local operating system on Windows machines, the group said. Gaining access to a Unix system could lead to root level server access, CERT/CC said, noting that other devices connected to the affected servers could also potentially be compromised.
Though the flaw was originally discovered in June, and a patch released then, work has continued on the problem.
"What was not known at the time (of the patch) was the full scope of the problem," said Shawn Hernan, team leader for vulnerability handling at CERT/CC. Because there was no exploit for the vulnerability, the companies and CERT/CC were able to study the flaw, determine its full extent and release that information, he said.
OpenView Version 6.1 running on HP-UX 10.20 and 11.00, Sun Microsystems' Solaris 2.x and Microsoft's Windows NT 4.x and Windows 2000 is affected. NetView Versions 5.x and 6.x running on IBM's AIX, Solaris, Compaq Computer's Tru64 Unix and Windows NT 4.x and Windows 2000 are also vulnerable. Mitigating the risk a bit, Tivoli installations are not vulnerable in the default configuration. The HP systems, however, are vulnerable in their default installation.
The Code Red worm that consumed Internet resources and infected more than 300,000 computers in early August was able to spread far and wide due to un-patched vulnerabilties on Microsoft IIS (Internet Information Server) systems.