Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Preemptive Protection against HP OpenView Network Node Manager Vulnerability

Subscribe

Check Point Reference: CPAI-2010-004
Date Published:
Preemptive Since:
Severity:
Last Updated:
Source: Secunia Advisory: SA37665
Industry Reference(s): CVE-2009-4181
Protection Provided by: Security Gateway
  • R70
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
HP OpenView Network Node Manager (OV NNM) 7.01
HP OpenView Network Node Manager (OV NNM) 7.51
HP OpenView Network Node Manager (OV NNM) 7.53
Vulnerability Description
A buffer overflow vulnerability has been reported in HP OpenView Network Node Manager (NNM) program ovwebsnmpsrv.exe. The NNM is an HP OpenView product which manages networks. It determines and displays physical and logical connectivity in networks, as well as information referring to protocols running over the network. A remote attacker could exploit this vulnerability to inject and execute arbitrary code on a target server.
Update/Patch Available
Apply patches:
HP Support Document ID: c01950877
Vulnerability Details
The vulnerability is due to a boundary error in ovwebsnmpsrv.exe when handling HTTP requests sent to the jovgraph.exe CGI application. To trigger this issue, a remote attacker can send a specially crafted HTTP request to the target server. Successful exploitation may allow the attacker to inject and execute arbitrary code on the target system, or cause the affected process to terminate abnormally.

Protection Overview
This protection will detect and block overly long HTTP requests. No update is required to address this vulnerability.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By ProtocolWeb Intelligence > HTTP Protocol Inspection. 
2. In the right pane, double-click the HTTP Format Sizes protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Select the Max request body length checkbox and configure it to 1024.
5. You can apply the protection to all HTTP traffic or to selected web servers.
6. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: Request body length exceeded allowed maximum bytes length

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the CGI Attacks protection group.
3. Click HP OpenView Network Node Manager jovgraph Buffer Overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: WWW/CGI Attacks Protection Group
Description: HP OpenView Network Node Manager jovgraph Buffer Overflow