CERT Warns of OpenView, Tivoli Vulnerability
Microsoft Corp. isn’t the only vendor that’s had to scramble lately to patch security vulnerabilities in its software. Last week, the CERT Coordination Center
alerted administrators to a severe vulnerability that affects two flagship network management platforms from Hewlett-Packard Co. and IBM Corp. subsidiary Tivoli Systems.
HP’s OpenView and Tivoli’s NetView are comprehensive network management suites that provide integrated discovery, mapping, monitoring, problem identification and remote administrative capabilities. Both suites incorporate broad support for the Simple Network Management Protocol (SNMP) and for a range of SNMP extensions.
According to CERT's advisory, attackers can exploit a vulnerability in an SNMP trap and event handler – dubbed ovactiond – supported by both OpenView and NetView to execute arbitrary commands on a compromised machine.
CERT says that the privilege level at which these commands execute can vary according to the underlying operating system. On Unix systems, commands that execute as a result of this vulnerability are limited to the less serious user bin security context, although CERT claims that on some systems an attacker could leverage bin access to gain root privileges.
On Windows NT and Windows 2000 systems, CERT cautions, an attacker who exploits this vulnerability could execute commands in the all-powerful Local System security context. He or she could then wield complete control over a compromised system.
HP issued a security bulletin in late June in which it claimed that only OpenView version 6.1 is vulnerable by default. Previous versions of OpenView are not vulnerable in their default configurations, HP says. CERT cautions that it’s possible that IT organizations may have enabled functionality which renders the older versions vulnerable.
Tivoli published a similar bulletin, but claimed that NetView versions 5.x and 6.x are not vulnerable in their default configurations. Again, CERT warns, it’s possible that IT organizations may have made changes to their NetView configurations which render these systems vulnerable to attack.
Most network administrators say that the management servers for tools like OpenView or NetView are rarely, if ever, exposed to the Internet.
“At the very least, you want to put [OpenView or NetView management servers] behind a firewall, so really someone on the inside has to [perpetrate an attack],” confirms a Unix and Windows NT/2000 systems administrator with a large telecommunications company. “On the other hand, if you’ve got holes in any systems that you’re exposing to the Internet, someone could come in and exploit this to do a lot of damage.”
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.