
DOE-CIRC TECHNICAL BULLETIN

T-158: HP OpenView Network Node Manager SNMP and MIB Unspecified Remote Code Execution Vulnerability

[CVE-2009-1420]

June 10, 2009 15:00 GMT

PROBLEM: HP OpenView Network Node Manager (NNM) is prone to a remote code-execution vulnerability.
PLATFORM: HP OpenView Network Node Manager 7.53
          HP OpenView Network Node Manager 7.51
ABSTRACT: HP has released a patch fixing an unspecified vulnerability in its OpenView Network Node Manager. There is a lack of publicly available information about the details, but NNM installations that were fully patched as of June 8, 2009 are vulnerable. Successful exploitation could lead to the execution of arbitrary code running with system-level privileges.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-158.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/35267/info
    CVE:            http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1420

IMPACT ASSESSMENT: This risk is medium. Lack of available information makes it difficult to determine the difficulty of exploitation, or whether exploit code already exists. However, the consequences of a compromise of an NNM system could be severe.

[***** Start CVE-2009-1420 *****]
Discussion:
Security researchers have discovered at least three remote code-execution vulnerabilities in NNM in the last few months. Two of these vulnerabilities had already been the subject of patch releases, but recent testing has confirmed that fully patched systems are still vulnerable.

Current publicly available information makes it impossible to determine whether any or all of these vulnerabilities are the subject of the current patch.

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01754877
Version: 1

HPSBMA02430 SSRT080094 rev.1 - HP OpenView Network Node Manager (OV NNM) Running SNMP and MIB, Remote Execution of Arbitrary Code, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-06-09
Last Updated: 2009-06-09

Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM) running SNMP and MIB. The vulnerability could be exploited remotely to execute arbitrary code or to create a Denial of Service (DoS).

References: CVE-2009-1420

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.51 and v7.53 on HP-UX, Solaris, Linux, and Windows running SNMP and MIB before revision 1.30.009

BACKGROUND

CVSS 2.0 Base Metrics
===============================================
Reference       Base Vector                     Base Score
CVE-2009-1420   (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
===============================================

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
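The 10.0 in the table above is the result of the CVSS 2.0 base-score equations applied to the quoted vector. The following is an added example, not part of the HP or DOE-CIRC bulletin, that parses a CVSS v2 base vector and recomputes impact, exploitability and base score with the published v2 metric weights; it generalizes to any v2 base vector, not only the one in this bulletin, so a reviewer can verify a vendor's number or compare it against the NVD severity bands.

```python
# Added example (not vendor code): recompute a CVSS 2.0 base score from its base vector.
# The metric weights and equations are the published CVSS v2 constants.
import re

# CVSS v2 weights per metric value
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector: Local / Adjacent / Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity: High / Medium / Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication: Multiple / Single / None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Confidentiality / Integrity / Availability impact

# Accepts the vector with or without the surrounding parentheses used in HP bulletins
VECTOR_RE = re.compile(
    r"^\(?AV:(?P<AV>[LAN])/AC:(?P<AC>[HML])/Au:(?P<Au>[MSN])"
    r"/C:(?P<C>[NPC])/I:(?P<I>[NPC])/A:(?P<A>[NPC])\)?$"
)


def parse_vector(vector):
    """Split a CVSS v2 base vector into its six metric letters; reject anything malformed."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    return m.groupdict()


def cvss2_base(vector):
    """Return (impact, exploitability, base_score), each rounded to one decimal as the v2 spec does."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]]))
    exploitability = 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176      # f(Impact): zero impact gives a zero base score
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(impact, 1), round(exploitability, 1), round(base, 1)


def nvd_v2_severity(base_score):
    """Map a v2 base score onto the NVD v2 severity bands (Low 0-3.9, Medium 4-6.9, High 7-10)."""
    if base_score >= 7.0:
        return "High"
    if base_score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # The vector quoted in the bulletin for CVE-2009-1420
    for vec in ["(AV:N/AC:L/Au:N/C:C/I:C/A:C)", "AV:N/AC:L/Au:N/C:P/I:P/A:P"]:
        impact, expl, base = cvss2_base(vec)
        print("%-32s impact=%4.1f exploitability=%4.1f base=%4.1f %s"
              % (vec, impact, expl, base, nvd_v2_severity(base)))
```

For the bulletin's vector the function returns impact 10.0, exploitability 10.0 and base 10.0 (NVD band "High"); the second vector, with partial rather than complete C/I/A impact, scores 7.5 and shows how much of the 10.0 comes from the complete-impact metrics.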

RESOLUTION

HP has made patches available to resolve the vulnerability.

The patches are available from http://support.openview.hp.com/selfsolve/patches

Note: The patches are not available from the HP IT Resource Center (ITRC).

OV NNM v7.53
============
Operating System          Resolved in Patch
HP-UX (IA)                NNM753CPTIPF_00002 or subsequent
HP-UX (PA)                NNM753CPTHP_00002 or subsequent
Linux RedHatAS2.1         NNM753CPTLIN24_00002 or subsequent
Linux RedHat4AS-x86_64    NNM753CPTLIN26_00002 or subsequent
Solaris                   NNM753CPTSOL_00002 or subsequent
Windows                   NNM753CPTWIN_00002 or subsequent

OV NNM v7.51
=========== 
Upgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above. Patch bundles for upgrading from NNM v7.51 to NNM
v7.53 are available here: ftp://nnm_753:update (at) hprc.external.hp (dot) com [email concealed]/

MANUAL ACTIONS: Yes - Update 
HP-UX (IA) - install NNM753CPTIPF_00002 or subsequent 
HP-UX (PA) - install NNM753CPTHP_00002 or subsequent
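The resolution above amounts to a per-platform minimum patch ("NNM753CPTxxx_00002 or subsequent") for v7.53 and a mandatory upgrade for v7.51. The following is an added example, not HP's or DOE-CIRC's code, that turns that table into an inventory check: it reads "or subsequent" as the same patch family with a sequence number at or above the listed one (an assumption about how HP numbers NNM patches), and the host inventory it scans is constructed for the example.

```python
# Added example (not vendor code): flag NNM hosts that do not meet the bulletin's resolution.
import re

# Minimum resolving patch per platform, transcribed from the bulletin's OV NNM v7.53 table
REQUIRED_PATCH = {
    "HP-UX (IA)": "NNM753CPTIPF_00002",
    "HP-UX (PA)": "NNM753CPTHP_00002",
    "Linux RedHatAS2.1": "NNM753CPTLIN24_00002",
    "Linux RedHat4AS-x86_64": "NNM753CPTLIN26_00002",
    "Solaris": "NNM753CPTSOL_00002",
    "Windows": "NNM753CPTWIN_00002",
}

# Assumed patch-ID shape: <family prefix>_<zero-padded sequence number>
PATCH_RE = re.compile(r"^(?P<prefix>[A-Z0-9]+)_(?P<seq>\d+)$")


def split_patch(patch_id):
    """Split an NNM patch ID into (family prefix, sequence number); reject other strings."""
    m = PATCH_RE.match(patch_id.strip())
    if not m:
        raise ValueError("unrecognised patch id: %r" % patch_id)
    return m.group("prefix"), int(m.group("seq"))


def satisfies(installed, required):
    """True if `installed` is `required` or a subsequent patch of the same family."""
    ip, iseq = split_patch(installed)
    rp, rseq = split_patch(required)
    return ip == rp and iseq >= rseq


def exposed_hosts(inventory):
    """Return the names of hosts that still need action under this bulletin.

    v7.51 hosts are always listed (the bulletin requires an upgrade to v7.53 first);
    v7.53 hosts are listed unless one installed patch satisfies the platform's minimum.
    Versions the bulletin does not name are skipped rather than guessed at.
    """
    exposed = []
    for host in inventory:
        required = REQUIRED_PATCH.get(host["platform"])
        if required is None or host["version"] not in ("7.51", "7.53"):
            continue
        if host["version"] == "7.51":
            exposed.append(host["name"])
            continue
        if not any(satisfies(p, required) for p in host["patches"]):
            exposed.append(host["name"])
    return exposed


# Constructed inventory for the example (hostnames and patch levels are made up)
INVENTORY = [
    {"name": "nnm-win-01", "platform": "Windows", "version": "7.53",
     "patches": ["NNM753CPTWIN_00001"]},                      # one level short
    {"name": "nnm-sol-01", "platform": "Solaris", "version": "7.53",
     "patches": ["NNM753CPTSOL_00003"]},                      # subsequent patch: fine
    {"name": "nnm-lin-01", "platform": "Linux RedHat4AS-x86_64", "version": "7.53",
     "patches": ["NNM753CPTLIN24_00002"]},                    # wrong family for this platform
    {"name": "nnm-hpux-01", "platform": "HP-UX (PA)", "version": "7.51",
     "patches": []},                                          # must upgrade to 7.53
    {"name": "nnm-hpux-02", "platform": "HP-UX (IA)", "version": "7.53",
     "patches": ["NNM753CPTIPF_00002"]},                      # exactly the listed patch
]

if __name__ == "__main__":
    for name in exposed_hosts(INVENTORY):
        print("needs action:", name)
```

The family-prefix comparison matters: the Linux patch IDs differ only in the kernel-series digits (LIN24 versus LIN26), so a host that carries the wrong family's patch is still reported rather than passed on its sequence number alone.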

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX OV NNM 7.51 and 7.53 
HP-UX B.11.31 
HP-UX B.11.23 (IA) 
HP-UX B.11.23 (PA) 
HP-UX B.11.11 
============= 
HPOvNNM.HPOVSNMP 
HPOvNNM.HPOVMIB 
action: install revision 1.30.000 or subsequent.

END AFFECTED VERSIONS (for HP-UX)
[***** End CVE-2009-1420 *****]

DOE-CIRC wishes to acknowledge the contributions of Hewlett-Packard Company and HP Software Security Response Team for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788