TUCoPS :: Web :: General :: ciacl042.htm

Compaq Web-enabled Management Software Buffer Overflow
Compaq Web-enabled Management Software Buffer Overflow Privacy and Legal Notice

CIAC INFORMATION BULLETIN

L-042: Compaq Web-enabled Management Software Buffer Overflow

February 7, 2001 01:00 GMT

PROBLEM: The web-enabled management software has a bounds checking error in the authentication code, allowing certain buffer overflows to occur.
PLATFORM: All operating systems running Compaq Web Management Software for Compaq Intel, Alpha, and Storage Hardware platforms to include: Microsoft Windows 9x, NT and 2000, NetWare, SCO Open Server, SCO UnixWare 7, RedHat 6.2 and 7.0, Tru64Unix and OpenVMS.
DAMAGE: Exploiting this buffer overflow could result in Administrator/root compromise. This exploit can be executed remotely.
SOLUTION: Apply the patches specified in the advisory.

VULNERABILITY
ASSESSMENT:
HIGH. This exploit can be executed remotely and results in a root compromise.

[****** Start Compaq Security Advisory ******]
=================================================
      Compaq Security Advisory  - ID SSRT0705
=================================================
UPDATED: 26-Jan-2001

Source: Compaq Computer Corporation
 Title: Compaq Web-Enabled Management Software
        Security vulnerability.
        Reference SSRT0705
  Date: 10-Jan-2001
=================================================

NOTE:  The complete online document is available from
http://www.compaq.com/products/servers/management/agentsecurity.html and should
be checked frequently for new patch release information. If a TBD is entered
for a product, please contact your normal Compaq support channel to inquire
about a specific product solution status.


Summary
=======
Compaq continues to take a serious approach to the quality and security of all
its software products and makes every effort to address issues and provide
solutions in a timely manner. In line with this commitment, Compaq is
responding to recent concerns on a potential security vulnerability in the web-
enabled Compaq management software. This vulnerability has the potential to
enable unauthorized users to execute code at an administrator level through the
exploitation of a buffer overflow.

Scope of the problem
================
This Security Advisory applies to all web-enabled Compaq management software. A
list of affected software versions is included at the end of this Advisory.

The web component of Compaq web-enabled management software provides HTTP
services to allow management information to be accessible through a web
browser. Web-enabled management software is provided for the majority of the
operating systems that Compaq supports on its Intel and Alpha server and client
systems. These operating systems include Microsoft Windows 9x, NT and 2000,
NetWare, SCO Open Server, SCO UnixWare 7, RedHat 6.2 and 7.0, Tru64Unix and
OpenVMS. Web-enabled management software is also supported for Compaq storage
products.

Unaffected Software Versions
=======================
The web-enabled component of the Remote Insight Lights-out Edition board is NOT
affected. Also unaffected are the downloadable integration modules that Compaq
provides to enhance the management of Compaq platforms from within enterprise
management consoles such as CA Unicenter TNG, Tivoli Enterprise, Tivoli NetView
and HP OpenView.

What Compaq is doing
==================
Compaq is currently completing the testing and release of fixes for the
affected software. In addition to releasing new versions of the software,
Compaq will also release software patches to update the web-enabled component
of the affected software for customers who do not want to upgrade their systems
to the latest version.

Two Softpaqs are available for download now from
ftp://ftp.compaq.com/pub/softpaq/sp14001-14500/

Softpaq SP14487 fixes the problem for affected versions of
   Compaq Foundation Agents for Windows Servers, Compaq
   Survey for Windows, Compaq Power Manager, Compaq
   Availability Agents and Compaq Intelligent Cluster
   Administrator. This patch also fixes the problem for the
   SNMP and DMI agents installed with Compaq Insight
   Manager XE Version 2.0 and 2.1.

Softpaq SP14488  fixes the problem for affected versions of the
   Compaq Foundation Agents for NetWare servers.

New versions of the following software will be made available
shortly:
Compaq Foundation Agents for Windows (CP000715)
Compaq Survey for Windows (CP000716)
Compaq Foundation Agents for NetWare (Softpaq SP14484)
Compaq Survey for NetWare (Softpaq SP14485)
Compaq Foundation Agents for Linux (Softpaq SP14486)
Compaq Foundation Agents for SCO OpenServer 5 ( Softpaq SP16248)
Compaq Foundation Agents for UnixWare 7 (Softpaq SP16247)

For Tru64 UNIX a new version of the Agents, packaged in the form of a setld tar
kit, is available for download from the following support site:
http://ftp.support.compaq.com/public/unix/  The tar file MUPssrt0705u_cpqim.tar
along with its Readme file MUPssrt0705_cpqim.Readme can be found under each of
the impacted unix directories which include: 4.0f, 4.0g, 5.0, 5.0a, and 5.1.
The Readme file provides the installation steps for the patch kit.

Compaq OpenVMS engineering has provided a fix for this potential problem for
all affected versions of the software.The required image can be obtained from
the Compaq Management Agentsfor OpenVMS web site at the following URL (in the
Updates section at the bottom of the page):
http://www.openvms.compaq.com/openvms/products/mgmt_agents/index.html

This advisory will be updated as needed to communicate availability and plans
for new versions of all the affected software.

What Customers Should Do
======================
Determine which systems are running Compaq web-enabled agents or utilities.
There are three methods suggested. Note that the lists generated by Methods 2
and 3, while helpful, may not be exhaustive lists of the systems with web
agents and utilities on your network. The lists will include only those systems
that are being managed either explicitly or because they have been discovered.

Method 1
========
Point a web browser at the system and key in
http://[IP_ADDRESS]:2301 or http://[machine_name]:2301.
This will bring up the device home page for the server if it is  running web-
enabled management software, and display a list of the components.

Method 2
========
If you are using Compaq Insight Manager XE, you can get a list of systems
running the web agents by defining a Query to return a list of systems with web
agents. Login to your Compaq Insight Manager XE system and create a new Query.
Select the "Devices with Web Agent" criteria. Further, select all of the
available products on the Criteria Configuration screen. Save the Query and
execute it. The list of devices will be all those with web agents.

Method 3
========
If you are using the Compaq Insight Manager Windows 32 console, you can get a
list of systems running the web agents by starting Compaq Insight Manager and
selecting the "Web Device List" button on the toolbar. This will display a list
of systems being managed by Compaq Insight Manager and additionally will have
underlined as hyperlinks the systems on which the web agents are present and
enabled. To print out a list of only the web devices select the "Web Devices"
hyperlink in the left column and only web devices will be shown. Simply print
this page from your browser.

If for any reason you cannot wait until the fix is released, Compaq recommends
that you temporarily disable the web component of Compaq management software on
any systems where you have particular concerns. Follow the procedures outlined
at the end of this advisory.

Compaq has always advised that web-enabled agents and utilities are deployed
only in private networks and are not used on the Internet or on systems outside
the bounds of a firewall. You should also verify that you have disallowed
access to non-essential IP ports on your firewall or proxy protecting your
corporate network from the Internet. The disabling of such ports, which include
port 2301 (device management port) and port 280 (Compaq Insight Manager XE
port), is part of a sound security policy for your network.

Updated software will be made available on the web through the system software
download site
(http://www.compaq.com/support/files/server/us/index.html) and will also be
proactively delivered directly to customers who have installed Compaq
ActiveUpdate (http://www.compaq.com/activeupdate).Compaq recommends that you
register for the ActiveUpdate service if you have not already done so.

Obtaining Support on this Issue
=========================
Your normal process for obtaining support on Compaq products should be pursued
for the country that you are in. If you do not have an already established
support process, you may find information about support by visiting the Compaq
Web site for your country. You can find that Web site by picking your country
from the list at http://www.compaq.com/worldwide/.
You may also find a support number for your locale from the table at
http://www.compaq.com/corporate/overview/world_offices.html.
Support can help you to:
1. Identify if you have an affected release.
2. Obtain the appropriate Softpaq when it is available.
3. Apply and run the Softpaq.
Compaq support personnel are aware of the issues and the fixes and are well
versed in Compaq systems management products.

- - --< refer to table listed on the website for product list>--
 http://www.compaq.com/products/servers/management/agentsecurity.html


Disabling the Web-Enabled Agents
============================
If you are unable to wait for the fix to become available, you can use the
following procedures to disable the web component of the agents.
For those cases where it is not possible to disable only the web component, we
have provided instructions for disabling the entire agent or utility.

Microsoft Windows Servers
Web-based management is enabled, by default, when you install the Compaq Server
Management Agents for Windows NT. Perform the following steps to disable web-
based management.
1. From the START menu, select SETTINGS, the CONTROL PANEL.
2. From the CONTROL PANEL, select and run the SERVICES applet.
3. Select INSIGHT WEB AGENT from the list of services.
4. If it is running, click the button marked STOP
5. To prevent it from automatically starting again, click STARTUP and
then select MANUAL.
6. Click OK.
7. Click CLOSE.
This will stop the agent and prevent them from starting
automatically. SNMP management is still possible.

NetWare Server Agents
If you enabled Web-Based Management when you installed the Compaq
Management Agents for NetWare, and later would like to disable it,
perform the following steps from the NetWare server console:
1. LOAD CPQAGIN
2. Select the option "Configure Existing NetWare Agents"
3. Select the line that mentions the load of CPQWEBAG and select NO
4. Save changes and exit out of CPQAGIN.
This prevents the web-enabled agents from loading. SNMP management is
still possible.

Linux Server Agents
1. To stop running Web Agent
- - - Log in as "root"
- - - Run "/etc/rc.d/init.d/cmafdtn stop cmawebd" command.
2. To disable Web Agent so it will not be started during reboot
or runlevel changes
- - - Log in as "root"
- - - Edit "/etc/rc.d/init.d/cmafdtn" file (using vi or other editors)
and remove "cmawebd" from following line
PNAMES="cmafdtnpeerd cmahostd cmathreshd cmawebd"

SCO UnixWare 7 Agents (UnixWare 2 agents are NOT Web-Enabled)
1. To stop running Web Agent
- - - Log in as "root"
- - - Run "sh /etc/init.d/cmaweb stop" command.
2. To disable Web Agent so it will not be started during reboot or
entering multi-user mode
- - - Log in as "root"
- - - Run "rm /etc/rc2.d/[SK]*cmaweb" command.
SCO OpenServer Agents
1. To stop running Web Agent
- - - Log in as "root"
- - - Run "sh /etc/cmaweb stop" command.
2. To disable Web Agent so it will not be started during reboot or
entering multi-user mode
- - - Log in as "root"
- - - Run "rm /etc/rc2.d/[SK]*cmaweb" command.

Survey for Windows and Survey for NetWare
It is not possible to disable only the web-component of Survey.
Follow the instructions below to disable the full service:
Survey for Windows
- - From the command prompt, type the following
command: %SystemDrive%\COMPAQ\SURVEY\SURVEY-U. .
This will unload the Survey service and prevent it from starting up
on the next reboot

Survey for NetWare
To unload Survey for Netware from the console screen, type the
following command: UNLOAD SURVEY During the default Survey install,
Survey is automatically started by adding the line
"load SURVEY -w10 -cWed.12,7 " to the AUTOEXEC.NCF.
To prevent Survey from automatically starting next time the server
is restarted, remove that line.

System Healthcheck
Change to the SHC bin directory
 ( e.g. cd%systemdrive%\compaq\shc\bin)
First, stop the service by typing "net stop cpqshc".
Next, remove the service by typing "shcsvc -remove".
Note that the command line interface to SHC will continue to work

Compaq Power Agents
1. To stop running Web Agent
- - - From the Windows Control Panel, double-click "Services"
- - - In the Services dialog list box, click on
"Compaq Power Management Web Agent"
- - - Click the "Stop" button to stop the Agent
2. To prevent the service from being restarted.
- - - Click on the "Startup..." button and choose "Disabled"; click "OK".

OpenVMS Management Agents
1. To stop running Web Agent
- - - Log into the system account
- - - For V1.0 and V2.0 $@sys$specific:[wbem]stop_webagents
- - - For V2.1 $@sys$specific:[wbem]wbem$shutdown

Compaq Management Agents and Tools
 for Servers for SCO UnixWare 7 NonStop Clusters
1. To stop running Web Agent
- - - Login as "root".
- - - Exexcute the following two command lines.
   -execute `onall /etc/init.d/cmaweb stop`
   -`chmod 777 /etc/init.d/cmaweb 000`

Tru64 UNIX Management Agents
1. To stop running Web Agent
- - - Log in as "root"
- - - Execute "/sbin/init.d/insightd stop" command.
2. To disable the Web Agents so they will not be started
during reboot or entering multi-user mode
- - - Log in as "root"
- - - On Tru64 UNIX V4.0f and V4.0g, execute "rm /sbin/rc2.d/*insightd"
- - - On Tru64 UNIX V5.0 and later, execute the command: "/usr/sbin/rcmgr
set INSIGHTD_CONF -1
3. To enable the Web Agents again once the Patch Kit has been
installed - Log in as "root"
- - - On Tru64 UNIX V4.0f and V4.0g
- - - execute "ln -s /sbin/init.d/insightd/sbin/rc2.d/Kxxinsightd"
where xx is any sequence Nb after the one used for snmpd
- - - On Tru64 UNIX V5.0 and later, execute the
command: "/usr/sbin/rcmgr set INSIGHTD_CONF 1"

Desktop and Portable web-enabled agents
To remove the web-enabled components from the desktop
and portables agents, follow the instructions below to uninstall
the agents using the add/remove feature in Windows systems,
then reinstall the agents without the DMI web components
Uninstalling Web-enabled Desktop Agent from a Windows 9x/NT system
1. From the START menu, select SETTINGS, then CONTROL PANEL.
2. From the CONTROL PANEL, select ADD/REMOVE PROGRAMS
3. In the INSTALL/UNINSTALL tab, select
"Compaq Insight Management Web Agent"
4. Click ADD/REMOVE button to remove the agent.
For desktops and workstations do not check "DMI Web Component"
during the installation

To install the Compaq Management Agents for portables without web
support, select "custom" and then select "DMI options". Click on the
"Change" button. Remove the check marks for "Compaq DMI Web Agent"
and "Compaq DMI Web Viewer".


COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE
SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS
AND/OR SOFTWARE PUBLISHED ON THIS SERVER FOR ANY PURPOSE. ALL SUCH DOCUMENTS
AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND AND ARE
SUBJECT TO CHANGE WITHOUT NOTICE. THE ENTIRE RISK ARISING OUT OF THEIR USE
REMAINS WITH THE RECIPIENT. IN NO EVENT SHALL COMPAQ AND/OR ITS RESPECTIVE
SUPPLIERS BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL,
PUNITIVE OR OTHER DAMAGES WHATSOEVER (INCLUDING WITHOUT LIMITATION, DAMAGES FOR
LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS
INFORMATION), EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

[******  End Compaq Security Advisory ******]

CIAC wishes to acknowledge the contributions of Compaq for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH