Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against a Command Execution Vulnerability in HP OpenView Node Manager

Subscribe

Check Point Reference: CPAI-2006-012
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2005-1539
Industry Reference(s):

CVE-2005-2773
Protection Provided by: VPN-1
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
HP OpenView Network Node Manager version 6.2
HP OpenView Network Node Manager version 6.4
HP OpenView Network Node Manager version 7.01
HP OpenView Network Node Manager version 7.50
Vulnerability Description
HP OpenView Network Node Manager (NNM) is a software application designed for management, maintenance and monitoring of networks and network devices. A command execution vulnerability exists in HP OpenView Network Node Manager. An attacker can exploit the vulnerability by supplying a specially crafted URL to the target system.This will result in execution of arbitrary commands in the context of the currently running Web service.
Update/Patch Available
Apply patches:
http://support.openview.hp.com/patches/
Vulnerability Details
The vulnerability is due to improper validation of the "connectedNodes.ovpl" script that does not properly filter a specially crafted URI node parameter. This can be exploited by a remote attacker to execute arbitrary shell commands.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update also includes the following protections:

  • Oracle XDB FTP Buffer Overflow (CPAI-2006-008)
  • Microsoft Windows Embedded Opentype Fonts (EOT) (CPAI-2006-010)
  • PHP ADOdb Test Scripts and PHP shell/web defacement tool (CPAI-2006-011)
  • Oracle XDB HTTP Buffer Overflow (CPAI-2006-013)
  • Apache Format String1 and string2 (CPAI-2006-014)

InterSpect NGX

How Can I Protect My Network?
Users of InterSpect NGX should update their systems: In the left pane from the frop-down list, select Profiles > SmartDefense Service and click the Online Update button.

To enable the protection:

1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.  



2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. In the Worm Patterns list, Enable HP OpenView Remote Command Execution.
3. Install policy on all modules.  

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: HP OpenView Remote Command Execution

VPN-1 NGX R60

How Can I Protect My Network?
Users of VPN-1 NGX R60 should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To enable the protection:

1. On the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. In the Worm Patterns list, Enable HP OpenView Remote Command Execution.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: HP OpenView Remote Command Execution.

VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?

Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To enable the protection:

1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. In the Worm Patterns list, Enable HP OpenView Remote Command Execution.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: HP OpenView Remote Command Execution

VPN-1 NG with Application Intelligence R54 & R55

How Can I Protect My Network?

Users of VPN-1 NG with Application Intelligence R54 & R55 should update their SmartDefense by clicking Update Now in the SmartDashboard General window.

To activate the protection:

1. On the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. In the Worm Patterns list, enable HP OpenView Node Manager Command Execution.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: HP OpenView Node Manager Command Execution

InterSpect 2.0 & 1.x

How Can I Protect My Network?

Users of InterSpect 2.0, 1.x should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To activate the protection:

1. On the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Defender.
2. In the Worm Patterns list, enable HP OpenView Node Manager Command Execution.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: HP OpenView Node Manager Command Execution