From: Chris Wysopal (weldvulnwatch.org)
Date: Mon Oct 01 2001 - 12:25:28 CDT

        NO RESTRICTION FOR DISTRIBUTION
     PROVIDED THE ADVISORY REMAINS INTACT

    TITLE: SSRT0758 Compaq Management Software Security Advisory
    Date Posted: September 28, 2001

    (c) Copyright 2001 Compaq Computer Corporation. All rights reserved.

    Compaq Management Software Security Vulnerability (SSRT0758)

    SOURCE: Software Security Response Team U.S.
            Compaq Computer Corporation
            *Reference SSRT0758*

    PATCHES SUPERSEDED BY THIS ADVISORY:

    The software upgrades and patches also fix all previous
    Compaq Management Software security vulnerabilities
    reported in the following Compaq Security Advisories:

    * Compaq Management Software Security Vulnerability - SSRT0715
      (March, 2001)
    * Compaq Web-enabled Management Software Security Vulnerability
      - SSRT0705 (January 2001)

    SUMMARY

    Compaq Management Software products undergo rigorous quality
    assurance processes to ensure that they meet the highest possible
    standards for security, reliability and usability. In line with
    this commitment, Compaq recently uncovered a potential buffer
    overflow security vulnerability in its Web-enabled Management
    Software. This vulnerability has the potential to enable unauthorized
    users to execute code at an administrator level through the
    exploitation of a buffer overflow. Compaq has addressed this
    issue with version 5.2 of the Compaq Management Agents and developed
    a patch that may be downloaded from the Compaq website (see details
    below) to fix existing Agents installations.

    Compaq strongly recommends that customers upgrade to
    version 5.2 of the Compaq Management Agents or apply
    the appropriate patch.

    Compaq strongly recommends that web-enabled agents and utilities
    be deployed only on private networks and not used on the open
    Internet or on systems outside the bounds of the firewall. The
    implementation of sound security practices, which include disabling
    external access to Compaq management ports, should help to protect
    customers from external malicious attacks. Compaq also recommends
    that strong password standards be used and that passwords be
    changed regularly.

    NOTE: The complete online document is available from
          http://www.compaq.com/manage/security and should be
          checked frequently for new patch release information.
          If a TBD is entered for a product, please contact your
          normal Compaq support channel to inquire about a
          specific product solution status.

    SCOPE OF THE PROBLEM

    The web component of Compaq web-enabled management software provides
    HTTP services to allow management information to be accessible
    through a web browser. Web-enabled management software is provided
    for the majority of the operating systems that Compaq supports on
    its Intel-based and Alpha-based server and client systems. These
    operating systems include Microsoft Windows 9x, Windows NT and
    Windows 2000, Novell NetWare, SCO UnixWare 7, Red Hat Linux 6.2
    and 7.0, SuSE Linux 7.0 & 7.1, Tru64 Unix and Open VMS. Web-enabled
    management software is also supported for Compaq storage products.

    This Security Advisory applies to all Compaq Web-enabled Management
    Software. A list of affected software versions is available at
    http://www.compaq.com/products/servers/management/mgtsw-advisory2.html
    (note the url above may wrap unintentionally)

    UNAFFECTED SOFTWARE VERSIONS

    The web-enabled component of the Compaq Remote Insight Lights-Out
    Edition board is NOT affected. Also unaffected are the downloadable
    integration modules that Compaq provides to enhance the management
    of Compaq platforms from within enterprise management consoles such
    as CA Unicenter TNG, Tivoli Enterprise, Tivoli NetView, and HP
    OpenView.

    WHAT COMPAQ IS DOING

    Compaq is currently completing the testing and release of fixes
    for the affected software. Compaq Management CD Version 5.2 includes
    an update that fixes the buffer overflow security vulnerability issue
    in some Compaq Web-enabled Management Software. In addition to
    releasing new versions of the software, Compaq will also
    release software patches to update existing versions of
    the web-enabled management software.

    Three patches are now available for download from:
    ftp://ftp.compaq.com/pub/softpaq/sp17501-18000/

    SoftPaq SP 17926 fixes the problem for affected versions of Compaq
        Foundation Agents for Windows Servers, Compaq Survey for Windows,
        Compaq Power Manager, Compaq Intelligent Cluster Administrator,
        and Compaq Availability Agents. This patch also fixes the problem
        for the SNMP and DMI agents installed with Compaq Insight Manager
        XE Version 2.0 and 2.1. Compaq recommends applying the patch if
        any of the Compaq Management Software mentioned above is
        installed.

    SoftPaq SP 17927 fixes the problem for affected versions of the
        Compaq Foundation Agents for Novell NetWare servers.

    SoftPaq SP 17928 fixes the problem for affected versions of the
        Compaq Foundation Agents for Linux servers.

    Compaq Security Advisory SSRT0758 will be updated as needed to
    communicate availability and plans for new versions of all
    the affected software.

    WHAT CUSTOMERS SHOULD DO

    Determine which systems are running Compaq web-enabled agents or
    utilities. There are three methods suggested.

    Method 1

    Point a web browser to the system by keying in
    http://[IP_ADDRESS]:2301 or http://[machine_name]:2301.

    This will bring up the device home page for any servers running
    web-enabled management software, and display a list of the
    components.

    NOTE: The lists generated by Methods 2 and 3, while helpful, may
    not be exhaustive lists of the systems with web-enabled agents and
    utilities. The lists will include only those systems that are being
    managed either explicitly or because they have been discovered.

    Method 2

    Systems running Compaq Insight Manager XE can get a list of systems
    running the web-enabled agents by defining a Query to return a list
    of systems with web agents.

    Login to your Compaq Insight Manager XE system and create a new
    Query.
    - Select the "Devices with Web Agent" criteria.
    - Select all of the available products on the Criteria
      Configuration screen.
    - Save the Query and execute it.
    The list of devices will be all those with web agents.

    Method 3

    Systems running the Compaq Insight Manager Windows 32 console can get a
    list of systems running the web agents by starting Compaq Insight
    Manager and selecting the "Web Device List" button on the toolbar.
    This will display a list of systems being managed by Compaq
    Insight Manager and additionally will have underlined as
    hyperlinks the systems on which the web agents are present
    and enabled. To print out a list of only the web devices,
    select the "Web Devices" hyperlink in the left column and
    only web devices will be shown. Print this page from your
    browser.
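    As an added example (not part of the Compaq advisory), Method 1 done from a script instead of a browser: it requests the device home page on port 2301 from each host on an administrator-supplied list and reports which ones answer, giving the set of servers that still need the 5.2 upgrade, a SoftPaq, or the disable procedure. The host list, the stand-in agent used to run it offline, and the function names are constructed for this example.

```python
# Added example, not from the Compaq advisory: Method 1 as a script.
# probe_web_agent() fetches "/" on the Device Management Port (2301) as a
# browser would; _FakeAgent is a constructed stand-in so it runs offline.
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MGMT_PORT = 2301  # Device Management Port named in the advisory


def probe_web_agent(host, port=MGMT_PORT, timeout=3.0):
    """Return the HTML <title> served on the management port (or "HTTP <n>"
    if the page has no title); None if the port is closed, filtered or does
    not answer HTTP within the timeout."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(8192).decode("latin-1", "replace")
        conn.close()
    except (OSError, http.client.HTTPException):
        return None
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else "HTTP %d" % resp.status


def inventory(hosts, port=MGMT_PORT):
    """Map each host to its probe result. A non-None value means a web-enabled
    agent is answering: that host needs the 5.2 upgrade, the SoftPaq, or the
    disable procedure at the end of the advisory."""
    return {host: probe_web_agent(host, port) for host in hosts}


class _FakeAgent(BaseHTTPRequestHandler):
    """Constructed device home page, used only to exercise the probe."""
    page = b"<html><head><title>Device Home Page</title></head></html>"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.page)))
        self.end_headers()
        self.wfile.write(self.page)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_agent():
    """Serve the stand-in on an ephemeral loopback port; returns the port."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeAgent)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

    Against real servers, call inventory() with the hosts from Methods 2 and 3 (or a full internal address list, since those lists may not be exhaustive) and the default port 2301.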

    If for any reason the software cannot be updated or the patch
    applied, Compaq recommends that the web-enabled components
    of Compaq Management Software be temporarily disabled by
    following the procedures outlined at the end of this
    advisory.

    Compaq has always advised that web-enabled agents and utilities be
    deployed only in private networks and not used on the Internet or on
    systems outside the bounds of a firewall. Verify that you have
    disallowed access to non-essential IP ports on your firewall or proxy
    protecting the corporate network from the Internet. The disabling of
    such ports, which include port 2301 (Device Management Port) and port
    280 (Compaq Insight Manager XE port), is part of a sound security
    policy for your network.

    HOW DO I OBTAIN THE UPDATED COMPAQ MANAGEMENT SOFTWARE OR PATCH?

    Updated software will be made available on the web through the system
    software download site
    (http://www.compaq.com/support/files/server/us/index.html) and will
    also be proactively delivered directly to customers who have
    installed Compaq ActiveUpdate. Compaq recommends registering for
    the ActiveUpdate service, which is available at the following
    URL: http://www.compaq.com/activeupdate.

    OBTAINING SUPPORT ON THIS ISSUE

    The normal process for obtaining support on Compaq products is
    pursued in the country of residence. If you do not have
    an established support process, you may find information
    about support by visiting the Compaq web site for your
    country. You can find that web site by picking your country
    from the list at http://www.compaq.com/worldwide/.
    You may also find a support number for your locale from the table
    at http://www.compaq.com/corporate/overview/world_offices.html.

    Support can help you to:
    1. Identify if you have an affected version.
    2. Obtain the appropriate SoftPaq when it is available.
    3. Apply and run the SoftPaq.
    Compaq support personnel are aware of the issues and the fixes and
    are well versed in Compaq systems management products.

    DISABLING THE WEB-ENABLED AGENTS

    If you are unable to wait for the fix to become available, you can
    use the following procedures to disable the web component of the
    agents. For those cases where it is not possible to disable only
    the web component, instructions are provided below for disabling
    the entire agent or utility.

    Microsoft Windows Servers
    Web-based management is enabled, by default, when you install the
    Compaq Server Management Agents for Windows NT. Perform the following
    steps to disable web-based management:

    1. From the START menu, select SETTINGS, then CONTROL PANEL.
    2. From the CONTROL PANEL, select and run the SERVICES applet.
    3. Select INSIGHT WEB AGENT from the list of services.
    4. If it is running, click the button marked STOP.
    5. To prevent it from automatically starting again, click STARTUP and
    then select DISABLED.
    6. Click OK.
    7. Click CLOSE.
    This will stop the web agents and prevent them from starting
    automatically. SNMP management is still enabled.

    For Windows 2000, right-click My Computer on the desktop and select
    Manage. This will display a window titled "Computer Management".
    Click the "Services" item under the "Services and Applications" node.
    The right side of the window will show the services installed on the
    system. Perform steps 3 through 7 from above.

    NetWare Server Agents
    If you enabled web-based management when you installed the Compaq
    Management Agents for NetWare, and later would like to disable it,
    perform the following steps from the NetWare server console:

    1. LOAD CPQAGIN.
    2. Select the option "Configure Existing NetWare Agents".
    3. Select the line that mentions the loading of CPQWEBAG and select
    NO.
    4. Save changes and exit CPQAGIN.
    This prevents the web-enabled agents from loading. SNMP management is
    still enabled.

    Linux Server Agents
    To stop the running web agent:
       1. Log in as "root".
       2. Run the "/etc/rc.d/init.d/cmafdtn stop cmawebd" command.
    To disable the web agent so it will not start during reboot or run level
    changes:
       1. Log in as "root".
       2. Edit the "/etc/rc.d/init.d/cmafdtn" file (using vi or another
          editor) and remove "cmawebd" from the following line:
          PNAMES="cmafdtnpeerd cmahostd cmathreshd cmawebd"
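    The PNAMES edit above, written as a script so it can be applied consistently across many Linux servers (an added example, not part of the Compaq advisory): only the PNAMES line is changed, the daemon name is matched as a whole word, a backup of the init script is kept, and re-running it is harmless. INIT_SCRIPT is the path the advisory gives; SAMPLE is a constructed excerpt of that script, and the function names are this example's own.

```python
# Added example, not from the Compaq advisory: the Linux "remove cmawebd from
# PNAMES" edit as a script. INIT_SCRIPT is the path the advisory names;
# SAMPLE is a constructed excerpt used to demonstrate the edit offline.
import re
import shutil

INIT_SCRIPT = "/etc/rc.d/init.d/cmafdtn"
PNAMES_RE = re.compile(r'^(\s*PNAMES=")([^"]*)(".*)$')

SAMPLE = """#!/bin/sh
# constructed excerpt of the cmafdtn init script
PNAMES="cmafdtnpeerd cmahostd cmathreshd cmawebd"
for p in $PNAMES; do echo "starting $p"; done
"""


def remove_daemon(script_text, daemon="cmawebd"):
    """Return (new_text, changed). Only the PNAMES="..." line is touched, and
    the daemon is matched as a whole word so names such as cmahostd stay."""
    out, changed = [], False
    for line in script_text.splitlines():
        m = PNAMES_RE.match(line)
        if m:
            names = m.group(2).split()
            if daemon in names:
                kept = " ".join(n for n in names if n != daemon)
                line = m.group(1) + kept + m.group(3)
                changed = True
        out.append(line)
    trailer = "\n" if script_text.endswith("\n") else ""
    return "\n".join(out) + trailer, changed


def disable_web_agent(path=INIT_SCRIPT, daemon="cmawebd"):
    """Rewrite the init script in place, keeping a backup as <path>.orig.
    Returns True if the file was modified and False if it already lacked
    the daemon, so the function is safe to run more than once."""
    with open(path) as f:
        text = f.read()
    new_text, changed = remove_daemon(text, daemon)
    if changed:
        shutil.copy2(path, path + ".orig")
        with open(path, "w") as f:
            f.write(new_text)
    return changed
```

    This only prevents cmawebd from starting again; stop the running daemon first with the advisory's "/etc/rc.d/init.d/cmafdtn stop cmawebd" command.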

    SCO UnixWare 7 Agents (UnixWare 2 agents are NOT Web-Enabled)
    To stop the running web agent:
        1. Log in as "root".
        2. Run the "sh /etc/init.d/cmaweb stop" command.
    To disable the web agent so it will not be started during reboot or
    when entering multi-user mode:
        1. Log in as "root".
        2. Run the "rm /etc/rc2.d/[SK]*cmaweb" command.

    SCO OpenServer Agents
    To stop the running web agent:
       1. Log in as "root".
       2. Run the "sh /etc/cmaweb stop" command.
    To disable the Web Agent so it will not be started during reboot
    or when entering multi-user mode:
       1. Log in as "root".
       2. Run the "rm /etc/rc2.d/[SK]*cmaweb" command.

    Survey for Windows, Survey for NetWare, and Survey for Linux
    It is not possible to disable only the web component of the Survey
    Utility. Follow the instructions below to disable the full service:

    Survey for Windows
    From the command prompt, type the following command:
    %SystemDrive%\COMPAQ\SURVEY\SURVEY-U
    This will unload the Survey service and prevent it from starting up
    on the next reboot.

    Survey for NetWare
    To unload Survey for NetWare from the console screen, type the
    following command: UNLOAD SURVEY

    During the default Survey install, Survey is automatically
    started by adding the line "load SURVEY -w10 -cWed.12,7 "
    to the AUTOEXEC.NCF. To prevent Survey from automatically
    starting next time the server is restarted, remove that line.

    Survey for Linux
    To stop the Survey for Linux web daemon, type the following command:
        kill `ps -e | grep surveywebd | awk '{print $1}'`

    System Healthcheck
    1. Change to the SHC bin directory
    ( e.g. cd %systemdrive%\compaq\shc\bin).
    2. Stop the service by typing "net stop cpqshc".
    3. Remove the service by typing "shcsvc -remove".
    Note that the command line interface to SHC will continue to work.

    Compaq Power Management Agents
    To stop the running web agent:
        1. From the Windows Control Panel, double-click "Services".
        2. In the Services dialog list box, click on "Compaq Power
           Management Web Agent".
        3. Click the "Stop" button to stop the Agent.
    To prevent the service from being restarted, click on the
    "Startup..." button and choose "Disabled", and then click "OK".

    OpenVMS Management Agents
    To stop the running web agent:
        1. Log into the system account.
        2. For V1.0 and V2.0:
           $sys$specific:[wbem]stop_webagents
        3. For V2.1:
           $sys$specific:[wbem]wbem$shutdown

    Compaq Management Agents and Tools for Servers for
    SCO UnixWare 7 NonStop Clusters
    To stop the running web agent:
        1. Login as "root".
        2. Execute the following two command lines:
           onall /etc/init.d/cmaweb stop
           chmod 777 /etc/init.d/cmaweb 000

    Tru64 UNIX Management Agents
    To stop the running Web Agent:
        1. Log in as "root".
        2. Execute the "/sbin/init.d/insightd stop" command.
    To disable the Web Agents so they will not be started during
    reboot or when entering multi-user mode:
        1. Log in as "root".
        2. On Tru64 UNIX V4.0f and V4.0g, execute
           "rm /sbin/rc2.d/*insightd".
        3. On Tru64 UNIX V5.0 and later, execute the command:
           "/usr/sbin/rcmgr set INSIGHTD_CONF -1".
    To enable the Web Agents again once the Patch Kit has been
    installed:
        1. Log in as "root".
        2. On Tru64 UNIX V4.0f and V4.0g, execute the command:
           "ln -s /sbin/init.d/insightd /sbin/rc2.d/Kxxinsightd"
           where xx is any sequence number after the one used for snmpd.
        3. On Tru64 UNIX V5.0 and later, execute the command:
           "/usr/sbin/rcmgr set INSIGHTD_CONF 1".

    Desktop and Portable Web-Enabled Agents
    To remove the web-enabled components from the desktop and
    portables agents, follow the instructions below to uninstall
    the agents using the Add/Remove feature in Windows systems,
    then reinstall the agents without the DMI web components.

    Uninstalling Web-Enabled Desktop Agent from a Windows 9x/NT system
    1. From the START menu, select SETTINGS, then CONTROL PANEL.
    2. From the CONTROL PANEL, select ADD/REMOVE PROGRAMS.
    3. In the INSTALL/UNINSTALL tab, select "Compaq Insight Management
       Web Agent".
    4. Click the ADD/REMOVE button to remove the agent.

    For desktops and workstations, do not check "DMI Web Component"
    during the installation.

    To install the Compaq Management Agents for portables without
    web support, select "custom" and then select "DMI options". Click
    on the "Change" button. Remove the check marks for "Compaq DMI Web
    Agent" and "Compaq DMI Web Viewer".

    COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS
    ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE
    DOCUMENTS AND RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED
    ON THIS SERVER FOR ANY PURPOSE. ALL SUCH DOCUMENTS AND RELATED
    GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND AND
    ARE SUBJECT TO CHANGE WITHOUT NOTICE. THE ENTIRE RISK ARISING
    OUT OF THEIR USE REMAINS WITH THE RECIPIENT. IN NO EVENT SHALL
    COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR ANY DIRECT,
    CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR OTHER DAMAGES
    WHATSOEVER (INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF
    BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS
    INFORMATION), EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY
    OF SUCH DAMAGES.
