
Preemptive Protection against HP OpenView Node Manager Remote Code Execution Vulnerability


Check Point Reference: CPAI-2008-129
Date Published:
Severity:
Last Updated:
Source: Mati Aharoni - Offensive Security
Industry Reference(s): CVE-2008-1697
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
  • NGX R65
InterSpect
  • NGX
Who is Vulnerable?
HP OpenView Network Node Manager version 7.51
HP OpenView Network Node Manager version 7.53
Vulnerability Description
HP OpenView Network Node Manager (NNM) is a software application designed for management, maintenance and monitoring of networks and network devices. The application fails to properly check crafted HTTP requests. By sending a specially-crafted overly long HTTP GET request, a remote unauthenticated attacker could overflow a buffer and execute arbitrary code on the target system or cause the application to crash.
Update/Patch Available
Refer to:
HP Network Node Manager (NNM) Advanced Edition software
Vulnerability Details
The vulnerability is due to an error in the way HP OpenView NNM's OVAS.exe service performs bounds checking. An attacker can exploit this issue by crafting an overly long HTTP GET request and sending it to the target host. Successful exploitation of this vulnerability may result in either code execution or system crash.

Protection Overview
By enabling this protection, SmartDefense will detect and block HTTP requests with overly long HTTP headers. No update is required to address this vulnerability.
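
The kind of size check described above can be sketched as follows. This is an added example, not Check Point's implementation: the function name, both limits and the sample requests are assumptions made here, and the request-line check goes beyond the Max Header Value Length setting the page names.

```python
# Added example: size check on HTTP header values, in the spirit of a
# "Max Header Value Length" setting. Both limits are assumed values.
MAX_HEADER_VALUE_LEN = 1000   # assumption, not a Check Point default
MAX_REQUEST_LINE_LEN = 2048   # assumption; extension beyond the page's setting


def inspect_request(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the request passes."""
    findings = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        # Header block never terminated: truncated or still-growing request.
        findings.append("header block not terminated")
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE_LEN:
        findings.append(
            f"request line length {len(lines[0])} exceeds {MAX_REQUEST_LINE_LEN}")

    # Unfold continuation lines (leading space or tab) so that a value split
    # across several lines is measured as one value.
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
        elif b":" in line:
            name, _, value = line.partition(b":")
            headers.append((name.strip(), value.strip()))
        elif line:
            findings.append("malformed header line (no colon)")

    for name, value in headers:
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append(
                f"header {name.decode('latin-1')!r} value length "
                f"{len(value)} exceeds {MAX_HEADER_VALUE_LEN}")
    return findings


# Constructed sample requests (not captured traffic); host name is a placeholder.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: nnm.example.test:7510\r\n\r\n"
OVERSIZED = (b"GET / HTTP/1.1\r\nHost: nnm.example.test:7510\r\nX-Test: "
             + b"A" * 4000 + b"\r\n\r\n")
FOLDED = (b"GET / HTTP/1.1\r\nX-Test: " + b"A" * 600
          + b"\r\n " + b"A" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("oversized", OVERSIZED),
                       ("folded", FOLDED)):
        print(label, inspect_request(req) or "pass")
```

The folded case shows why continuation lines are joined before measuring: each physical line is under the limit, but the reassembled value is not.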

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, under Settings > Mode, check Active.
3. Under Format Sizes Configuration, check the Max Header Value Length box.

Add a new service:
1. In the SmartDashboard menu, click Manage > Services. The Services window opens.
2. Click on New > TCP. The TCP Service Properties window opens.
3. Give the new service a name. Write the value 7510 in the Port textbox.
4. Click on Advanced. The Advanced TCP Service Properties window opens.
5. In the Protocol Type drop-down menu, select the protocol HTTP.
6. Click OK > OK > Close.
7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, check the Max Header Value Length box.

Add a new service:
1. In the SmartDashboard menu, click Manage > Services. The Services window opens.
2. Click on New > TCP. The TCP Service Properties window opens.
3. Give the new service a name. Write the value 7510 in the Port textbox.
4. Click on Advanced. The Advanced TCP Service Properties window opens.
5. In the Protocol Type drop-down menu, select the protocol HTTP.
6. Click OK > OK > Close.
7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection > Microsoft Internet Explorer Vulnerabilities > HTTP Format Sizes.
2. In the configuration pane, check the Max Header Value Length box.

Add a new service:
1. In the SmartDashboard menu, click Manage > Services. The Services window opens.
2. Click on New > TCP. The TCP Service Properties window opens.
3. Give the new service a name. Write the value 7510 in the Port textbox.
4. Click on Advanced. The Advanced TCP Service Properties window opens.
5. In the Protocol Type drop-down menu, select the protocol HTTP.
6. Click OK > OK > Close.
7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, under Settings > Mode, check Active.
3. Under Format Sizes Configuration, check the Max Header Value Length box.

Add a new service:
1. In the SmartDashboard menu, click Manage > Services. The Services window opens.
2. Click on New > TCP. The TCP Service Properties window opens.
3. Give the new service a name. Write the value 7510 in the Port textbox.
4. Click on Advanced. The Advanced TCP Service Properties window opens.
5. In the Protocol Type drop-down menu, select the protocol HTTP.
6. Click OK > OK > Close.
7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection > Microsoft Internet Explorer Vulnerabilities > HTTP Format Sizes.
2. In the configuration pane, check the Max Header Value Length box.

Add a new service:
1. In the SmartDashboard menu, click Manage > Services. The Services window opens.
2. Click on New > TCP. The TCP Service Properties window opens.
3. Give the new service a name. Write the value 7510 in the Port textbox.
4. Click on Advanced. The Advanced TCP Service Properties window opens.
5. In the Protocol Type drop-down menu, select the protocol HTTP.
6. Click OK > OK > Close.
7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes.
3. In the configuration pane, under Format Sizes Configuration, check the Max Header Value Length box.

Add a new service:
1. In the SmartDashboard menu, click Manage > Services. The Services window opens.
2. Click on New > TCP. The TCP Service Properties window opens.
3. Give the new service a name. Write the value 7510 in the Port textbox.
4. Click on Advanced. The Advanced TCP Service Properties window opens.
5. In the Protocol Type drop-down menu, select the protocol HTTP.
6. Click OK > OK > Close.
7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request