
CERT-In Vulnerability Note CIVN-2009-14
HP OpenView Network Node Manager Multiple Vulnerabilities

Original Issue Date: January 21, 2009

Severity Rating: High

Systems Affected

  • HP OpenView Network Node Manager (NNM) versions 7.x

Overview

Multiple vulnerabilities have been reported in HP OpenView Network Node Manager, which can be exploited by a remote attacker to execute arbitrary code with the privileges of the user running the affected application.

Description

Hewlett Packard OpenView Network Node Manager (NNM) is a product which manages networks. It uses SNMP to talk to network devices, allowing them to be discovered automatically, monitored and controlled. NNM determines and displays physical and logical connectivity in networks, as well as information pertaining to protocols running over the network. It also allows historical data to be collected and viewed/graphed.

Multiple vulnerabilities have been reported in HP OpenView Network Node Manager. They are caused by stack-based buffer overflows in the CGI applications “OpenView5.exe”, “ov.dll”, “getcvdata.exe”, “ovlaunch.exe” and “Toolbar.exe” when these process overly long parameter strings supplied via a specially crafted HTTP request.

Successful exploitation of any of these vulnerabilities could allow remote attackers to execute arbitrary code with the privileges of the target service.

Failed exploit attempts may crash the application.
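
One way to look for such requests in the web server's access log, given here as an added example that is not part of the original advisory or of any HP tooling. The CGI names come from this note; the log format (Common Log Format), the 256-character threshold, and the sample paths, addresses and parameter names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# CGI names listed in the advisory (compared case-insensitively).
AFFECTED = {"openview5.exe", "ov.dll", "getcvdata.exe", "ovlaunch.exe", "toolbar.exe"}
# Assumption: the advisory gives no length; tune to the longest legitimate value.
MAX_PARAM_LEN = 256
# Source address, request line and status of a Common Log Format entry.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def inspect_line(line, max_len=MAX_PARAM_LEN):
    """Return a finding for a request to an affected CGI whose longest
    parameter name or value exceeds max_len, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name not in AFFECTED:
        return None
    # keep_blank_values keeps a bare "?AAAA..." query as a name with empty value.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    worst_len, worst_name = 0, ""
    for key, value in pairs:
        n = max(len(key), len(value))
        if n > worst_len:
            worst_len, worst_name = n, key[:32]
    if worst_len <= max_len:
        return None
    return {"src": m.group("src"), "cgi": name, "param": worst_name,
            "length": worst_len, "status": int(m.group("status"))}

def scan(lines, max_len=MAX_PARAM_LEN):
    """Return findings for every matching line."""
    return [f for f in (inspect_line(l, max_len) for l in lines) if f]

# Constructed sample log lines; path, addresses and parameter names are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jan/2009:10:00:01 +0000] "GET /cgi-placeholder/ovlaunch.exe?Host=nnm01 HTTP/1.0" 200 512',
    '198.51.100.7 - - [21/Jan/2009:10:00:05 +0000] "GET /cgi-placeholder/Toolbar.exe?Context=' + "A" * 3000 + ' HTTP/1.0" 500 0',
    '198.51.100.7 - - [21/Jan/2009:10:00:09 +0000] "GET /index.html?q=' + "B" * 3000 + ' HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs normally record only the request line, so parameters sent in a POST body are not covered by this check.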

Workaround

  • Restrict access to all affected CGI applications

Solution

Apply the appropriate patches as suggested by the vendor at:
http://support.openview.hp.com/selfsolve/patches

Vendor Information

Hewlett-Packard
http://www.openview.hp.com/products/nnm

References

Hewlett-Packard
http://www.openview.hp.com/products/nnm

SecurityFocus
http://www.securityfocus.com/bid/33147
http://www.securityfocus.com/archive/1/500203

Secunia
http://secunia.com/advisories/28074/

SecurityTracker
http://securitytracker.com/alerts/2009/Jan/1021521.html

ISS X-Force
http://xforce.iss.net/xforce/xfdb/47801
http://xforce.iss.net/xforce/xfdb/47802

CVE Name
CVE-2008-0067

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003