
Risk

3/23/2009
05:24 PM
Dark Reading
Products and Releases

Core Security Finds Vulnerability Trio In HP OpenView

Three vulnerabilities in HP OpenView Network Node Manager (NNM) can be exploited remotely via buffer overflow to compromise mission-critical servers within an organization using the software

BOSTON, MA, March 23, 2009 - Core Security Technologies, provider of CORE IMPACT solutions for comprehensive enterprise security testing, today issued an advisory disclosing multiple vulnerabilities that could affect millions of organizations using HP's OpenView systems and network management software.

An engineer from CoreLabs, the research arm of Core Security, determined that a trio of vulnerabilities in HP OpenView Network Node Manager (NNM) can be exploited remotely via buffer overflow to compromise mission-critical servers within an organization using the software. Upon making the discovery, CoreLabs immediately alerted HP's Software Security Response Team to the vulnerabilities and the two companies have since coordinated efforts to ensure that a patch could be created and made available to protect users of the program.

CoreLabs experts uncovered the trio of reported vulnerabilities in HP OpenView NNM, which offers remote network system event and performance monitoring, while investigating other previously reported flaws in the software and the HP-issued security patch meant to address those issues.

HP OpenView NNM is one of the most widely deployed remote network management technologies used throughout enterprise organizations today, allowing network managers to monitor their physical networks, virtual network services and the relationships between those assets. The software aims to help administrators identify, diagnose and predict potential problems before they affect network performance and availability.

"While remote network management technologies offer substantial value in terms of allowing organizations to maintain constant vigilance and control over their networks, the flipside is that attackers can potentially use available vulnerabilities in these systems to wreak havoc on internal infrastructure," said Ivan Arce, chief technology officer at Core Security. "It is vitally important for remote systems management solution providers to minimize these easily exploitable security flaws that can allow for remote system compromise."

Successful exploitation of the vulnerabilities requires that attackers send specially crafted HTTP requests to HP OpenView's web server component to execute arbitrary code on the target system.

HP has issued a security update that addresses the vulnerable OpenView NNM 7.51 and 7.53 versions of the solution.

Vulnerability Details

While investigating the feasibility of exploiting a set of vulnerabilities previously disclosed in HP OpenView NNM by researchers at Secunia (CVE-2008-4559, CVE-2008-4560, CVE-2008-4561, CVE-2008-4562, CVE-2009-0205) and addressed by HP in a subsequent security advisory (c01661610), CoreLabs researchers discovered two additional, unreported buffer overflow vulnerabilities in the product.

Researchers also found during their reviews that one of the previously reported buffer overflow issues in OpenView NNM could still be exploited, even when the vendor-provided security patch designed to fix the problem was applied.

CoreLabs specifically found that OpenView NNM versions 7.51 and 7.53, and version 7.53 with the aforementioned HP security patch (NNM_01195) applied, all harbored the three reported vulnerabilities. CoreLabs concluded that the two heap-based buffer overflows reported were newly discovered vulnerabilities because the issues were not fixed with the latest security patch and were not mentioned in any existing advisories published by HP.

In the case of the third OpenView NNM vulnerability, which was first reported by Secunia and was addressed by HP in its advisory, CoreLabs researchers found that they were still able to successfully exploit the issue and create proof of concept code for doing so, even with the latest patch in place.

When first researching all the reported OpenView NNM buffer overflow vulnerabilities, CoreLabs experts found it difficult to differentiate whether the flaws they were investigating were indeed the same issues that HP had recently addressed in its security advisories. After researching the issue further and examining the technical underpinnings of the HP advisory, it became evident to CoreLabs that two of the problems were new, while one of the vulnerabilities may have been previously identified.

The complexity of this process highlights a challenge that faces the entire vulnerability research and IT security industry in terms of working with technology vendors in reporting and responding to vulnerability data.

"A general lack of sufficient technical information made available by both software and vulnerability research vendors about the specifics of vulnerabilities in their security advisories makes it such that many bulletins and publications only generate additional confusion among researchers who are attempting to dig deeper into the reported problems in order to assess risk more precisely; in this case it was difficult to discern which vulnerabilities had already been reported and remained unfixed, versus which were new," said Arce. "This has become a consistent, systematic problem that makes it very hard for subsequent researchers to differentiate one bug from another using data from publicly available security advisories."

The newly reported vulnerabilities, along with the ability to exploit the previously disclosed flaw, were first uncovered by Oren Isacson, a CoreLabs researcher and software engineer with the CORE IMPACT Exploit Writers Team. For more information on these vulnerabilities, please view the CORE-2009-0122 Security Advisory at http://www.coresecurity.com/content/openview-buffer-overflows.

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. It conducts its research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Its results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

About Core Security Technologies

Core Security Technologies is the leader in comprehensive security testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company's CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.

Contacts:

Tim Whitman or Justin Drake, Schwartz Communications, 781 684-0770, [email protected]
