CERT Warns of OpenView, Tivoli Vulnerability

Microsoft Corp. isn’t the only vendor that’s had to scramble lately to patch security vulnerabilities in its software. Last week, the CERT Coordination Center alerted administrators to a severe vulnerability that affects two flagship network management platforms from Hewlett-Packard Co. and IBM Corp. subsidiary Tivoli Systems.

HP’s OpenView and Tivoli’s NetView are comprehensive network management suites that provide integrated discovery, mapping, monitoring, problem identification and remote administrative capabilities. Both suites incorporate broad support for the Simple Network Management Protocol (SNMP) and for a range of SNMP extensions.

According to CERT's advisory, an attacker can exploit a vulnerability in ovactiond, the SNMP trap and event handler that ships with both OpenView and NetView, to execute arbitrary commands on the management server that receives the trap.

CERT says that the privilege level at which these commands execute depends on the underlying operating system. On Unix systems, commands triggered through this vulnerability run as the bin user rather than root, which limits the immediate damage, although CERT notes that on some systems an attacker could leverage bin access to gain root privileges.

On Windows NT and Windows 2000 systems, CERT cautions, an attacker who exploits this vulnerability could execute commands as Local System, the most privileged account on the machine, and would then have complete control over the compromised system.
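The bug class behind this kind of advisory is an event handler that substitutes data from an incoming SNMP trap into a command line that is then handed to a shell. The following Python is an added illustration of that class, written for this page; it is not ovactiond's code, not CERT's advisory text, and not an exploit for OpenView or NetView. The trap layout, the placeholder enterprise OID 1.3.6.1.4.1.99999, the HOST_OID field, the ACTION_TEMPLATE and the function names are all constructed for the example.

```python
"""
Added illustration: an SNMP trap handler that interpolates attacker-controlled
trap fields into a command line, beside a hardened version that validates the
field and never lets a shell parse trap contents.  Not ovactiond's code; all
OIDs, templates and names below are constructed for this example.
"""
import re

# Constructed traps as a management station would see them after decoding:
# a dict of varbind OID -> value.  1.3.6.1.4.1.99999 is a placeholder
# enterprise number, not a registered one.
HOST_OID = "1.3.6.1.4.1.99999.1.1"

BENIGN_TRAP = {
    "1.3.6.1.6.3.1.1.4.1.0": "1.3.6.1.4.1.99999.1",  # snmpTrapOID.0
    HOST_OID: "router7",                              # host that raised the trap
}

# Same trap, except the sender (any host that can reach the trap listener)
# put shell syntax into the hostname varbind.
HOSTILE_TRAP = {
    "1.3.6.1.6.3.1.1.4.1.0": "1.3.6.1.4.1.99999.1",
    HOST_OID: "router7; id > /tmp/pwned",
}

# Assumed action configured for this trap: a template whose placeholder is
# filled from the trap before the whole line is passed to "sh -c".
ACTION_TEMPLATE = "logger -t nodedown host={host}"

SHELL_METACHARS = set(";&|<>`$()\n")


def vulnerable_command(trap):
    """Unsafe handler: interpolate the varbind and return the string a shell
    would receive.  Nothing checks what the remote sender put in the trap."""
    return ACTION_TEMPLATE.format(host=trap[HOST_OID])


def shell_metachars(cmdline):
    """Return the shell control characters present, in order of first
    appearance.  A non-empty list means trap data changed the command's
    structure rather than just its arguments."""
    found = []
    for ch in cmdline:
        if ch in SHELL_METACHARS and ch not in found:
            found.append(ch)
    return found


# Allow-list for the one field this action consumes: DNS hostname syntax.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def safe_argv(trap):
    """Hardened handler: validate the field against an allow-list, then build
    an argv list for subprocess.run(argv) with shell=False, so no shell ever
    sees the trap contents."""
    host = trap[HOST_OID]
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejecting trap: varbind %s is not a hostname: %r"
                         % (HOST_OID, host))
    return ["logger", "-t", "nodedown", "host=" + host]


def accepts_trap(trap):
    """True if the hardened handler would act on the trap, False if it
    rejects it."""
    try:
        safe_argv(trap)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unsafe, benign :", vulnerable_command(BENIGN_TRAP))
    unsafe = vulnerable_command(HOSTILE_TRAP)
    print("unsafe, hostile:", unsafe, "-> injected", shell_metachars(unsafe))
    print("safe, benign   :", safe_argv(BENIGN_TRAP))
    print("safe, hostile  : accepted =", accepts_trap(HOSTILE_TRAP))
```

The two fixes in the hardened path are independent and both are worth keeping: the allow-list rejects trap fields that cannot be what the action expects, and the argv form means that even a field the allow-list wrongly accepted would reach the command as a single argument instead of being re-parsed by a shell. Which account those commands run as (bin on Unix, Local System on Windows, per the advisory) decides how bad the injection is, not whether it exists.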

HP issued a security bulletin in late June stating that only OpenView version 6.1 is vulnerable in its default configuration; earlier versions are not vulnerable as shipped, HP says. CERT cautions, however, that IT organizations may have enabled functionality that renders the older versions vulnerable.

Tivoli published a similar bulletin stating that NetView versions 5.x and 6.x are not vulnerable in their default configurations. Again, CERT warns that changes IT organizations have made to their NetView configurations could render these systems vulnerable to attack.

Most network administrators say that the management servers for tools like OpenView or NetView are rarely, if ever, exposed to the Internet.

“At the very least, you want to put [OpenView or NetView management servers] behind a firewall, so really someone on the inside has to [perpetrate an attack],” confirms a Unix and Windows NT/2000 systems administrator with a large telecommunications company. “On the other hand, if you’ve got holes in any systems that you’re exposing to the Internet, someone could come in and exploit this to do a lot of damage.”

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
