Critical vulnerabilities in HP OpenView

A trio of vulnerabilities in HP OpenView Network Node Manager (NNM) can be exploited remotely via buffer overflow to compromise mission-critical servers within an organization using the software. Successful exploitation of the vulnerabilities requires that attackers send specially crafted HTTP requests to HP OpenView’s web server component to execute arbitrary code on the target system.

HP OpenView NNM is one of the most widely-deployed remote network management technologies used throughout enterprise organizations today, allowing network managers to monitor their physical networks, virtual network services and the relationships between those assets. The software aims to help administrators identify, diagnose and predict potential problems before they affect network performance and availability.

HP has issued a security update that addresses the vulnerable OpenView NNM 7.51 and 7.53 versions of the solution.

Vulnerability details

While investigating the feasibility of exploiting a set of vulnerabilities previously disclosed in HP OpenView NNM by researchers at Secunia (CVE-2008-4559, CVE-2008-4560, CVE-2008-4561, CVE-2008-4562, CVE-2009-0205) and addressed by HP in a subsequent security advisory (c01661610), CoreLabs researchers discovered two additional, unreported buffer overflow vulnerabilities in the product.

Researchers also found during their reviews that one of the previously reported buffer overflow issues in OpenView NNM could still be exploited, even when the vendor-provided security patch designed to fix the problem was applied.

OpenView NNM versions 7.51 and 7.53, and version 7.53 with the aforementioned HP security patch (NNM_01195) applied, all harbored the three reported vulnerabilities. The two heap-based buffer overflows reported were newly discovered vulnerabilities because the issues were not fixed with the latest security patch and were not mentioned in any existing advisories published by HP.

In the case of the third OpenView NNM vulnerability, which was first reported by Secunia and was addressed by HP in its advisory, CoreLabs researchers found that they were still able to successfully exploit the issue and create proof of concept code for doing so, even with the latest patch in place.

When first researching all the reported OpenView NNM buffer overflow vulnerabilities, CoreLabs experts found it difficult to differentiate whether the flaws they were investigating were indeed the same issues that HP had recently addressed in its security advisories.

After researching the issue further and examining the technical underpinnings of the HP advisory, it became evident that two of the problems were new, while one of the vulnerabilities may have been previously identified.

The complexity of this process highlights a challenge that faces the entire vulnerability research and IT security industry in terms of working with technology vendors in reporting and responding to vulnerability data.