An engineer from CoreLabs, the research arm of Core Security, determined that three buffer overflow vulnerabilities in HP OpenView Network Node Manager (NNM) can be exploited remotely to compromise the servers on which the software runs, systems that are typically mission-critical within an organization using it. Upon making the discovery, CoreLabs immediately alerted HP's Software Security Response Team to the vulnerabilities, and the two companies have since coordinated efforts to ensure that a patch could be created and made available to protect users of the program.
CoreLabs researchers uncovered the three vulnerabilities in HP OpenView NNM, which provides remote monitoring of network system events and performance, while investigating previously reported flaws in the software and the HP-issued security patch meant to address them.
HP OpenView NNM is one of the most widely-deployed remote network management technologies used throughout enterprise organizations today, allowing network managers to monitor their physical networks, virtual network services and the relationships between those assets. The software aims to help administrators identify, diagnose and predict potential problems before they affect network performance and availability.
"While remote network management technologies offer substantial value in terms of allowing organizations to maintain constant vigilance and control over their networks, the flipside is that attackers can potentially use available vulnerabilities in these systems to wreak havoc on internal infrastructure," said Ivan Arce, chief technology officer at Core Security. "It is vitally important for remote systems management solution providers to minimize these easily exploitable security flaws that can allow for remote system compromise."
The vulnerabilities are triggered by specially crafted HTTP requests sent to HP OpenView NNM's web server component; successful exploitation allows a remote attacker to execute arbitrary code on the target system.
HP has issued a security update for the affected OpenView NNM versions, 7.51 and 7.53.
Vulnerability Details
While investigating the feasibility of exploiting a set of vulnerabilities previously disclosed in HP OpenView NNM by researchers at Secunia (CVE-2008-4559, CVE-2008-4560, CVE-2008-4561, CVE-2008-4562, CVE-2009-0205) and addressed by HP in a subsequent security advisory (c01661610), CoreLabs researchers discovered two additional, unreported buffer overflow vulnerabilities in the product.
Researchers also found during their reviews that one of the previously reported buffer overflow issues in OpenView NNM could still be exploited, even when the vendor-provided security patch designed to fix the problem was applied.
CoreLabs specifically found that OpenView NNM versions 7.51 and 7.53, and version 7.53 with the aforementioned HP security patch (NNM_01195) applied, all harbored the three reported vulnerabilities. CoreLabs concluded that the two heap-based buffer overflows reported were newly discovered vulnerabilities because the issues were not fixed with the latest security patch and were not mentioned in any existing advisories published by HP.
In the case of the third OpenView NNM vulnerability, which was first reported by Secunia and was addressed by HP in its advisory, CoreLabs researchers found that they were still able to successfully exploit the issue and create proof of concept code for doing so, even with the latest patch in place.
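The advisory text above names the vulnerability class (heap-based buffer overflow reached through an HTTP request to the web server component) but, as the following paragraphs note, gives no detail about the affected code. The block below is an added, generic illustration of that class and is not HP OpenView NNM code, nor derived from the Core or HP advisories: it shows a header value copied into a fixed-size heap buffer without a length check, beside a bounds-checked version that rejects over-long input instead of truncating it. The header name `X-Example`, the buffer size `VALUE_MAX`, the helper names and the sample requests are all assumptions constructed for this example.

```c
/* Added example: heap-based overflow in an HTTP header copy, and a hardened
 * version. Generic illustration only; NOT OpenView NNM code. The header
 * name, buffer size and request strings are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_MAX 64  /* assumed fixed size of the heap buffer */

/* Locate "Name: value" at the start of a request line. Returns a pointer to
 * the value inside `request` and its length in *len, or NULL if absent.
 * (Header names are case-insensitive in HTTP; exact match is a simplification.) */
static const char *find_header(const char *request, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = request;
    while (*p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            p += nlen + 1;
            while (*p == ' ') p++;
            const char *end = strpbrk(p, "\r\n");
            *len = end ? (size_t)(end - p) : strlen(p);
            return p;
        }
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return NULL;
}

/* Vulnerable pattern: the value length is never compared against the
 * allocation, so a value of VALUE_MAX bytes or more writes past the end of
 * the heap chunk, corrupting adjacent heap data or allocator metadata.
 * Only safe to call with in-bounds input (overflow is undefined behaviour). */
char *copy_header_vulnerable(const char *request, const char *name)
{
    size_t len;
    const char *v = find_header(request, name, &len);
    if (!v) return NULL;
    char *buf = malloc(VALUE_MAX);
    if (!buf) return NULL;
    memcpy(buf, v, len);   /* no check of len against VALUE_MAX */
    buf[len] = '\0';       /* terminator lands at buf[len], one past the data */
    return buf;
}

/* Hardened version: reject values that do not fit. The comparison must be
 * `>=`, not `>`, because the NUL terminator needs its own byte; a fix that
 * gets this comparison wrong still leaves a one-byte heap overflow. */
char *copy_header_hardened(const char *request, const char *name, int *rejected)
{
    size_t len;
    *rejected = 0;
    const char *v = find_header(request, name, &len);
    if (!v) return NULL;
    if (len >= VALUE_MAX) {
        *rejected = 1;
        return NULL;
    }
    char *buf = malloc(VALUE_MAX);
    if (!buf) return NULL;
    memcpy(buf, v, len);
    buf[len] = '\0';
    return buf;
}

/* Build a constructed request whose X-Example header is n bytes of 'A'.
 * Caller frees the result. */
char *build_request(size_t n)
{
    const char *pre = "GET /index.html HTTP/1.1\r\nX-Example: ";
    const char *post = "\r\n\r\n";
    size_t plen = strlen(pre);
    char *r = malloc(plen + n + strlen(post) + 1);
    if (!r) return NULL;
    memcpy(r, pre, plen);
    memset(r + plen, 'A', n);
    strcpy(r + plen + n, post);
    return r;
}

int main(void)
{
    size_t sizes[] = { 10, 63, 64, 200 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int rej;
        char *r = build_request(sizes[i]);
        char *v = copy_header_hardened(r, "X-Example", &rej);
        printf("%3zu-byte value: %s\n", sizes[i], rej ? "rejected" : "accepted");
        free(v);
        free(r);
    }
    return 0;
}
```

The hardened copy fails closed: a value that would not fit is refused and the handler can return an HTTP 4xx, which is the behaviour a patch for this class of bug needs to have on every input path that reaches the copy, not only the one exercised by the original report.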
When first researching all the reported OpenView NNM buffer overflow vulnerabilities, CoreLabs experts found it difficult to determine whether the flaws they were investigating were the same issues that HP had recently addressed in its security advisories. After researching the issue further and examining the technical underpinnings of the HP advisory, it became evident to CoreLabs that two of the problems were new, while the third corresponded to an issue that had been previously identified.
The complexity of this process highlights a challenge that faces the entire vulnerability research and IT security industry in terms of working with technology vendors in reporting and responding to vulnerability data.
"A general lack of sufficient technical information made available by both software and vulnerability research vendors about the specifics of vulnerabilities in their security advisories makes it such that many bulletins and publications only generate additional confusion among researchers who are attempting to dig deeper into the reported problems in order to assess risk more precisely; in this case it was difficult to discern which vulnerabilities had already been reported and remained unfixed, versus which were new," said Arce. "This has become a consistent, systematic problem that makes it very hard for subsequent researchers to differentiate one bug from another using data from publicly available security advisories."
The newly reported vulnerabilities, along with the ability to exploit the previously disclosed flaw, were first uncovered by Oren Isacson, a CoreLabs researcher and software engineer with the CORE IMPACT Exploit Writers Team. For more information on this vulnerability, please view the CORE-2009-0122 Security Advisory at http://www.coresecurity.com/content/openview-buffer-overflows.
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. It conducts its research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Its results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.
About Core Security Technologies
Core Security Technologies is the leader in comprehensive security testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company's CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.
Tim Whitman or Justin Drake, Schwartz Communications