SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   HPE Systems Insight Manager Vendors:   Compaq
Compaq Insight Manager XE Buffer Overflow Lets Remote Users Execute Arbitrary Code and Obtain System Level Privileges on the Server
SecurityTracker Alert ID:  1002655
SecurityTracker URL:  http://securitytracker.com/id/1002655
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 29 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): All versions of Compaq Insight Manager XE
Description:   Compaq reported a vulnerability in their Insight Manager software. A remote user may be able to execute arbitrary code to obtain System level privileges on the server.

A vulnerability was discovered in the SNMP-to-DMI processing function that may allow a remote user to execute arbitrary code on the affected host and obtain root level privileges. Desktop Management Interface (DMI) and Simple Network Management Protocol (SNMP) are remote network management protocols.

The vulnerability is reportedly caused by a buffer overflow.

Impact:   A remote user can cause arbitrary code to be executed on the server with System level privileges, giving the remote user system level access on the server.
Solution:   Compaq has released Compaq Insight Manager v2.1c, a patch for v2.1b that addresses this issue and is available at:

ftp://ftp.compaq.com/pub/softpaq/

The vendor reports that SoftPaq SP 17982 contains updated DLLs to address this issue and must be applied to Compaq Insight Manager v2.1b.

Compaq also reports that upgraded software will be made available on the web through the system software download site:

http://www.compaq.com/support/files/server/

To upgrade, the vendor has provided the following instructions:

"Determine the version of Compaq Insight Manager XE that is running.

If running Compaq Insight Manager 2.1b, download SP17982 from Compaq's Web site and run SP17982.exe to apply the v2.1c update.

If running Compaq Insight Manager 2.0 or 2.1, the system must first be updated to version 2.1b. To update to Compaq Insight Manager 2.1b download SP16342 from Compaq's Web site and run SP16342.exe to update to v2.1b or obtain Compaq Insight Manager v2.1b from the Compaq Management CD v5.10 or later. After 2.1b is installed, download SP17982 from Compaq's Web site and run SP17982.exe to apply the 2.1c update.

If running Compaq Insight Manager version 1.x, the system must first be updated to version 2.1b before applying this patch.

This can be accomplished in 2 ways:

1.Obtain Compaq Management CD v5.10 or later and install Compaq Insight Manager XE v2.1b from the CD.

2.Download SP14413.exe from Compaq's Web site and run SP14413.exe to install Compaq Insight Manager v2.1.

Once this is installed, download SP16342 from Compaq's Web site and run SP16342.exe to update the system to v2.1b. Once this is installed, download SP17982 from Compaq's Web site and run SP17982.exe to apply the v2.1c update."

Refer to the vendor's advisory, contained in the Source Message and available at the Vendor URL, for more information.

Vendor URL:  www.compaq.com/products/servers/management/mgtsw-advisory.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  [Advisory] SSRT0766 Potential Buffer Overflow for Compaq Insight Manager XE (only)


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

    NO RESTRICTION FOR DISTRIBUTION
 PROVIDED THE ADVISORY REMAINS INTACT

TITLE: (SSRT0766) Potential Security Vulnerability
       Compaq Insight Manager XE Software

SOURCE: Software Security Response Team U.S.
        Compaq Computer Corporation
        *Reference SSRT0766*
        *    x-ref SSRT0758*

  Date: October 29, 2001

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.

PATCHES SUPERSEDED BY THIS ADVISORY: None


  "Compaq is broadly distributing this Security Advisory in order
  to bring to the attention of users of Compaq products the
  important security information contained in this Advisory.
  Compaq recommends that all users determine the applicability of
  this information to their individual situations and take
  appropriate action.
   
  Compaq does not warrant that this information is necessarily
  accurate or complete for all user situations and, consequently,
  Compaq will not be responsible for any damages resulting from
  user's use or disregard of the information provided in this
  Advisory."


Summary

Compaq Management Software products undergo rigorous quality
assurance processes to ensure that they meet the highest
possible standards for security, reliability and usability.
In line with this commitment, Compaq recently uncovered a
potential buffer overflow security vulnerability in its
SNMP and DMI support within Compaq Insight Manager XE.
This vulnerability has the potential to enable unauthorized
users to execute code at an administrator level through the
exploitation of a buffer overflow.  Compaq has addressed
this issue with version 2.1c of Compaq Insight Manager XE
and the recently announced Compaq Insight Manager 7.
Compaq strongly recommends that customers upgrade to
version 2.1c or Compaq Insight Manager 7.

Compaq strongly recommends that management agents and Compaq
Insight Manger XE be deployed only on private networks and not
used on the open Internet or on systems outside the bounds of
the firewall. The implementation of sound security practices,
which includes disabling external access to Compaq management
ports, should help protect customers from external malicious
attacks. Compaq also recommends that strong password standards
are used and that passwords are changed regularly.

NOTE: The complete online document is available from
http://www.compaq.com/products/servers/management/system-advisories.ht
ml


SCOPE OF THE PROBLEM

All versions of Compaq Insight Manager XE are affected.  This issue
does NOT affect Compaq Insight Manager windows console or any of the
Compaq Management Agents.

WHAT COMPAQ IS DOING

Compaq is currently completing the testing and release of Compaq
Insight Manager v2.1c.  Compaq Insight Manager v2.1c is a patch for
v2.1b that addresses this issue and is available for download from:
ftp://ftp.compaq.com/pub/softpaq/sp17501-18000/


SoftPaq SP 17982   The softpaq contains updated DLLs to address this
                   issue and must be applied to Compaq Insight
                   Manager v2.1b.


Compaq Insight Manager 7
The initial release of Compaq Insight Manager 7 will be available
from the Compaq Management CD v5.3 available in November 2001.


WHAT CUSTOMERS SHOULD DO

How do I obtain the updated Compaq Management Software?
Updated software will be made available on the web through the
system software download site=20
(http://www.compaq.com/support/files/server/)
and will also be proactively delivered directly to customers who have
installed Compaq ActiveUpdate. ). Compaq recommends registering for
the ActiveUpdate service, which is available at the following URL:
http://www.compaq.com/activeupdate.

Determine the version of Compaq Insight Manager XE that
is running.

If running Compaq Insight Manager 2.1b, download SP17982 from
Compaq's website and run SP17982.exe to apply the v2.1c update.

If running Compaq Insight Manager 2.0 or 2.1, the system
must first be updated to version 2.1b.  To update to Compaq
Insight Manager 2.1b download SP16342 from Compaq's website
and run SP16342.exe to update to v2.1b or obtain Compaq Insight
Manager v2.1b from the Compaq Management CD v5.10 or later.
After 2.1b is installed, download SP17982 from Compaq's website
and run SP17982.exe to apply the 2.1c update.

If running Compaq Insight Manager version 1.x, the system must
first be updated to version 2.1b before applying this patch.
This can be accomplished in 2 ways:

   Obtain Compaq Management CD v5.10 or later and
   install Compaq Insight Manager XE v2.1b from the CD.
 or
   Download SP14413.exe from Compaq's website and run
   SP14413.exe to install Compaq Insight Manager v2.1.
   Once this is installed, download SP16342 from Compaq's
   website and run SP16342.exe to update the system to v2.1b.
   Once this is installed, download SP17982 from Compaq's
   website and run SP17982.exe to apply the v2.1c update.


OBTAINING SUPPORT ON THIS ISSUE

The normal process for obtaining support on Compaq products is
pursued in the country of residence. . If you do not have an
established support process, you may find information about
support by visiting the Compaq web site for your country.
You can find that web site by picking your country from the
list at http://www.compaq.com/worldwide/. You may also find
a support number for your locale from the table at
http://www.compaq.com/corporate/overview/world_offices.html

Support can help you to:
1. Identify if you have an affected version.
2. Obtain the appropriate SoftPaq when it is available.
3. Apply and run the SoftPaq.

Compaq support personnel are aware of the issues and the fixes
and are well versed in Compaq systems management products.


  To subscribe to automatically receive future NEW Security
  Advisories from the Software Security Response Team at
  Compaq via electronic mail,

  Use your browser to get to the
  http://www.support.compaq.com/patches/mailing-list.shtml
  and sign up.   Select "Security and Individual Notices" for
  immediate dispatch notifications.

  To report a potential security vulnerability for Compaq
  products, send email to security-ssrt@compaq.com

  If you need further information, please contact your normal
  Compaq Services support channel.

  Compaq appreciates your cooperation and patience. As always,
  Compaq urges you to periodically review your system management
  and security procedures.  Compaq will continue to review and
  enhance the security features of its products and work
  with customers to maintain and improve the security and
  integrity of their systems.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO93YPznTu2ckvbFuEQKEowCgs6aClwDW4JnljtCvNs3d8qb+wowAoPXF
xXarD2DEgRgtjeTJU8x0OX3P
=dl/n
-----END PGP SIGNATURE-----


---
You are currently subscribed to security as: ***********************
To unsubscribe send a blank email to *********************@list.support.compaq.com


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC