-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2001.119 -- ADVISORY SSRT0715
        Compaq Management Software Potential Security Vulnerability
                               26 March 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                All web-enabled Compaq management software
Vendor:                 Compaq
Operating System:       Microsoft Windows 9x, NT and 2000,
                        NetWare,
                        SCO Open Server, SCO UnixWare 7
                        RedHat 6.2 and 7.0,
                        Tru64Unix and OpenVMS
Platform:               Alpha
                        Intel
Impact:                 Inappropriate Access
Access Required:        Remote

Ref:                    ESB-2001.018

- --------------------------BEGIN INCLUDED TEXT--------------------

=================================================
Source: Compaq Computer Corporation
        / Software Security Response Team

Title:  SSRT0715 Compaq Management Software Security
        Vulnerability

Date:   22-MAR-2001
=================================================

NOTE:  The complete online document is available from
       http://www.compaq.com/manage/security and should be
       checked frequently for new patch release information.
       If a TBD is entered for a product, please contact your
       normal Compaq support channel to inquire about a
       specific product solution status.

PATCHES SUPERSEDED BY THIS ADVISORY:
       SSRT0705 Compaq Web-Enabled Management Software
       Security Vulnerability.
       http://www.compaq.com/products/servers/management/agentsecurity.html

Summary 
=======
Compaq is proactive in its approach to quality and security of all
its management software and is committed to responding to 
security issues in a judicious manner. This Security Advisory 
addresses a potential security vulnerability in Compaq web-enabled
software, which allows the software to act as a generic proxy 
server. Compaq strongly recommends that you upgrade your 
management agents and utilities to the latest version on Management 
CD V5.0 or download & apply the relevant fixes as soon as possible. 
These patches also fix the buffer overflow issue reported in
SSRT0705. 

Compaq web-enabled management software can act as a generic proxy 
server. Internal traffic going out to the Internet can bypass normal
proxy server filtering using the Compaq web-enabled management 
software at TCP port 2301 on the proxy server system. In addition 
external traffic may be able to infiltrate internal networks by using
the Compaq web-enabled management software at port 2301 on a 
server exposed to the internet as a proxy if there is no additional 
firewall protection.

Severity
=======
The severity of this problem is high for systems that are connected
to multiple networks, particularly if one network is secure 
(an intranet) while the other is insecure (the internet). The
severity of this problem is low for systems that are only 
connected to one network.

Compaq strongly recommends that web-enabled agents and utilities are
deployed only in private networks and are not used on the open
Internet or on systems outside the bounds of the firewall. The
implementation of sound security practices, which includes disabling 
access to non-essential ports, such as the Compaq Management 
ports :2301 and :280, should help to protect customers from external 
malicious attacks. Compaq also recommends that strong passwords 
are used and are changed regularly. 

Scope of The Problem 
=================
The web component of Compaq web-enabled management software 
provides HTTP services to allow management information to be 
accessible through a web browser. Web-enabled management software is 
provided for the majority of the operating systems that Compaq
supports on its Intel-based and Alpha-based server and client
systems. 

These operating systems include Microsoft Windows 9x, NT and 2000,
NetWare, SCO Open Server 5, SCO UnixWare 7, RedHat 6.2 and 7.0,
Tru64Unix and OpenVMS. Web-enabled management software is also
supported for Compaq storage products.

This Security Advisory applies to all web-enabled Compaq management
software. A list of affected software versions is included at the end
of this Advisory. (The table has been omitted from this text email
version.) Refer to the on-line advisory at
http://www.compaq.com/manage/security for the complete list.


Unaffected Software Versions
=======================
The web-enabled component of the Remote Insight Lights-Out Edition 
board is NOT affected. Also unaffected are the downloadable 
integration modules that Compaq provides to enhance the management 
of Compaq platforms from within enterprise management consoles such 
as CA Unicenter TNG, Tivoli Enterprise, Tivoli NetView and HP 
OpenView.

What Compaq is Doing 
==================
Compaq is currently completing the testing and release of fixes for 
the affected software. Compaq Management CD Version 5.0 includes an 
update that fixes the generic proxy server issue in some Compaq 
web-enabled management software. In addition to releasing new
versions of the software, Compaq will also release software patches
to update the web-enabled component of the affected software for 
customers who do not want to upgrade their systems to the latest
version. 
            
Two patches are available for download now 
from: ftp://ftp.compaq.com/pub/softpaq/sp16001-16500/

Softpaq 16318 fixes the problem for affected versions of Compaq 
Foundation Agents for Windows Servers, Compaq Survey for Windows, 
Compaq Power Manager, Compaq Availability Agents and Compaq 
Intelligent Cluster Administrator. This patch also fixes the problem 
for the SNMP and DMI agents installed with Compaq Insight Manager XE 
Version 2.0 and 2.1. 
            
Softpaq 16317 fixes the problem for affected versions of the Compaq 
Foundation Agents for NetWare servers. New versions of the following 
software will be made available. These two patches replace/supersede
Softpaq 14487 and Softpaq 14488 noted in the previous security 
advisory SSRT0705 (Jan 2001).

This advisory will be updated as needed to communicate availability
and plans for new versions of all the affected software. 
           
For Tru64 UNIX a new version of the Agents, V2.2, packaged in the 
form of a setld tar kit, is available from the Compaq Management CD 
Version 5.0, or can be downloaded from the following FTP support 
site: http://ftp.support.compaq.com/public/unix/   On the Tru64 UNIX
FTP support site, the kit "MUPssrt0715u_cpqim.tar" along with its 
Readme file "MUPssrt0715_cpqim.Readme" can be found under each 
of the impacted Unix directories which include: 4.0f, 4.0g, 5.0,
5.0a, and 5.1.  The Readme file provides the installation steps for
the patch kit. MUPssrt0715 supersedes MUPssrt0705 for Tru64 UNIX.
            
For OpenVMS a fix for this problem will be provided in Version 2.2
of the Management Agents for OpenVMS via our web site:
http://www.openvms.compaq.com/openvms/products/mgmt_agents
Version 2.2 of the Management agents should be available at this web 
site in late March or early April.

Compaq Management Agents for Desktops and Workstations version 4.37, 
Rev G (SP16951) will be available on 3/23/2001. 

LC Combined Client 1.50 Rev C (SP16622) (containing updated Client 
agents, LCRMS, and Diagnostics) will be available before mid April. 
            
What Customers Should Do 
======================
Determine which systems are running Compaq web-enabled agents or 
utilities. There are three methods suggested. Note that the lists 
generated by Methods 2 and 3, while helpful, may not be exhaustive 
lists of the systems with web agents and utilities on your network.
The lists will include only those systems that are being managed
either explicitly or because they have been discovered.

Method 1 
Point a web browser at the system and key in 
 http://[IP_ADDRESS]:2301 or http://[machine_name]:2301. 
This will bring up the device home page for the server if it is
running web-enabled management software, and display a list of the
components. 

Method 2 
If you are using Compaq Insight Manager XE, you can get a list of 
systems running the web agents by defining a Query to return a 
list of systems with web agents. Login to your Compaq Insight 
Manager XE system and create a new Query. Select the "Devices with 
Web Agent" criteria. Further, select all of the available products on
the Criteria Configuration screen. Save the Query and execute it. The
list of devices will be all those with web agents. 

Method 3 
If you are using the Compaq Insight Manager Windows 32 console, 
you can get a list of systems running the web agents by starting 
Compaq Insight Manager and selecting the "Web Device List" button 
on the toolbar. This will display a list of systems being managed 
by Compaq Insight Manager and additionally will have underlined as 
hyperlinks the systems on which the web agents are present and 
enabled. To print out a list of only the web devices select the 
"Web Devices" hyperlink in the left column and only web devices 
will be shown. Simply print this page from your browser.

If for any reason you cannot wait until the fix is released, Compaq 
recommends that you temporarily disable the web component of Compaq 
management software on any systems where you have particular 
concerns. Follow the procedures outlined at the end of this advisory.

Compaq has always advised that web-enabled agents and utilities are 
deployed only in private networks and are not used on the Internet 
or on systems outside the bounds of a firewall. You should also 
verify that you have disallowed access to non-essential IP ports on 
your firewall or proxy protecting your corporate network from the 
Internet. The disabling of such ports, which include port 2301 
(device management port) and port 280 (Compaq Insight Manager XE 
port), is part of a sound security policy for your network. 
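As an added illustration of the port-blocking advice above (this script is not part of the Compaq advisory or AusCERT's bulletin), the following POSIX sh/awk snippet audits a firewall connection log for accepted connections to ports 2301 and 280 where at least one endpoint lies outside private (RFC 1918) address space, which is exactly the management traffic the advisory says a perimeter firewall should not be passing. The log lines and their src=/dst=/dport= fields are constructed for this example and are not any particular firewall's format; adapt the awk field parsing to your own logs.

```shell
#!/bin/sh
# Added example (not from the Compaq/AusCERT advisory): audit a firewall
# connection log for traffic to the Compaq management ports named in the
# advisory, 2301 (device management) and 280 (Insight Manager XE), that
# crosses the trust boundary. The log format below is constructed for this
# example; the src=, dst= and dport= field names are assumptions, not a
# real product's format.

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='2001-03-26T10:01:02 ACCEPT src=10.1.2.3 dst=10.1.2.40 dport=2301
2001-03-26T10:01:05 ACCEPT src=203.0.113.9 dst=10.1.2.40 dport=2301
2001-03-26T10:01:07 ACCEPT src=10.1.2.3 dst=198.51.100.7 dport=2301
2001-03-26T10:01:09 ACCEPT src=10.1.2.3 dst=10.1.2.41 dport=80
2001-03-26T10:01:11 DROP src=203.0.113.9 dst=10.1.2.40 dport=280
2001-03-26T10:01:13 ACCEPT src=192.0.2.15 dst=10.1.2.42 dport=280'

# Print every ACCEPTed connection to port 2301 or 280 where either endpoint
# is outside RFC 1918 space, i.e. management traffic that crossed the
# boundary in either direction (inbound to an exposed agent, or outbound
# through one). Reads the log from stdin.
flag_boundary_mgmt_traffic() {
    awk '
    function is_private(ip) {
        return ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    {
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src") src = kv[2]
            else if (kv[1] == "dst") dst = kv[2]
            else if (kv[1] == "dport") dport = kv[2]
        }
        if ($2 != "ACCEPT") next
        if (dport != "2301" && dport != "280") next
        if (is_private(src) && is_private(dst)) next
        print
    }'
}

# Number of flagged lines in the constructed sample; used as a self-check.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_boundary_mgmt_traffic | wc -l | tr -d ' '
}

# Stand-alone run: print the flagged lines (three of the six sample lines).
printf '%s\n' "$SAMPLE_LOG" | flag_boundary_mgmt_traffic
```

Of the six constructed lines, the internal-to-internal connection and the port-80 connection are ignored, the DROPped connection is ignored because the firewall already stopped it, and the remaining three (an external source reaching 2301, an internal host reaching an external 2301, and an external source reaching 280) are printed for follow-up.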
           
Updated software will be made available on the web through the 
system software download site 
 (http://www.compaq.com/support/files/server/us/index.html) and will 
also be proactively delivered directly to customers who have
installed Compaq ActiveUpdate http://www.compaq.com/activeupdate. 
Compaq recommends that you register for the ActiveUpdate service if 
you have not already done so. 

Obtaining Support on this Issue 
=========================
Your normal process for obtaining support on Compaq products should 
be pursued for the country that you are in. If you do not have an 
already established support process, you may find information about 
support by visiting the Compaq Web site for your country. You can 
find that Web site by picking your country from the list at 
http://www.compaq.com/worldwide/. 
You may also find a support number for your locale from the table at 
http://www.compaq.com/corporate/overview/world_offices.html. 

Support can help you to: 
1. Identify if you have an affected release. 
2. Obtain the appropriate Softpaq when it is available. 
3. Apply and run the Softpaq. 

Compaq support personnel are aware of the issues and the fixes and 
are well versed in Compaq systems management products. 


Disabling the Web-Enabled Agents 
============================
If you are unable to wait for the fix to become available, you can 
use the following procedures to disable the web component of the 
agents. For those cases where it is not possible to disable only the 
web component, we have provided instructions for disabling the 
entire agent or utility. 

Microsoft Windows Servers
Web-based management is enabled, by default, when you install the 
Compaq Server Management Agents for Windows NT. Perform the 
following steps to disable web-based management. 
1. From the START menu, select SETTINGS, then CONTROL PANEL. 
2. From the CONTROL PANEL, select and run the SERVICES applet. 
3. Select INSIGHT WEB AGENT from the list of services. 
4. If it is running, click the button marked STOP. 
5. To prevent it from automatically starting again, click STARTUP 
and then select DISABLED. 
6. Click OK. 
7. Click CLOSE. 
This will stop the web agents and prevent them from starting 
automatically. SNMP management is still possible. 
              
For Windows 2000 - Right click My Computer on the desktop and select 
Manage. This will display a window titled "Computer Management". 
Click the "Services" item under the "Services and Applications" 
node. The right side of the window will show the services installed
on the system. 
            
NetWare Server Agents
If you enabled Web-Based Management when you installed the Compaq 
Management Agents for NetWare, and later would like to disable it, 
perform the following steps from the NetWare server console: 
1. LOAD CPQAGIN 
2. Select the option "Configure Existing NetWare Agents" 
3. Select the line that mentions the load of CPQWEBAG and select NO 
4. Save changes and exit out of CPQAGIN. 
This prevents the web-enabled agents from loading. SNMP management 
is still possible. 
            
Linux Server Agents 
1. To stop the running Web Agent:
   - Log in as "root"
   - Run the "/etc/rc.d/init.d/cmafdtn stop cmawebd" command.
2. To disable the Web Agent so it will not be started during reboot or 
   runlevel changes:
   - Log in as "root"
   - Edit the "/etc/rc.d/init.d/cmafdtn" file (using vi or another
     editor) and remove "cmawebd" from the following line:
     PNAMES="cmafdtnpeerd cmahostd cmathreshd cmawebd"
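The Linux edit above, as an added example that is not part of the Compaq advisory: a small POSIX sh script that removes "cmawebd" from the PNAMES line, keeps a .bak copy of the init script, and lets you verify the result. It goes slightly beyond the manual step in that it handles the token wherever it sits in the list and is safe to re-run. To stay runnable offline it operates on a constructed stand-in for /etc/rc.d/init.d/cmafdtn under a temporary directory; set INIT_SCRIPT to the real path, as root, to apply it on a live system.

```shell
#!/bin/sh
# Added example (not from the advisory): automate the Linux step above,
# removing "cmawebd" from the PNAMES line of /etc/rc.d/init.d/cmafdtn,
# with a backup and a verification step. Runs against a constructed
# stand-in for the init script so it can be tried offline; point
# INIT_SCRIPT at the real file (as root) to apply it for real.

WORK=$(mktemp -d)
INIT_SCRIPT="$WORK/cmafdtn"

# Constructed stand-in for the relevant part of the init script; only the
# PNAMES line is taken from the advisory, the rest is illustrative.
cat > "$INIT_SCRIPT" <<'EOF'
#!/bin/sh
# Compaq Foundation Agents startup (constructed excerpt for this example)
PNAMES="cmafdtnpeerd cmahostd cmathreshd cmawebd"
for p in $PNAMES; do
    echo "starting $p"
done
EOF

# Remove cmawebd from the PNAMES assignment, leaving a .bak copy.
# Idempotent: a second run makes no further change.
disable_cmawebd() {
    f="$1"
    cp -p "$f" "$f.bak"
    # Strip the token wherever it sits in the quoted list, then tidy the
    # spaces so the line stays a well-formed shell assignment.
    sed -e '/^PNAMES=/{
        s/[[:space:]]*cmawebd[[:space:]]*/ /g
        s/=" /="/
        s/ "$/"/
    }' "$f.bak" > "$f"
}

# Return the PNAMES line as it now stands, for verification.
current_pnames() {
    grep '^PNAMES=' "$1"
}

# Exit status 0 when cmawebd no longer appears in PNAMES.
cmawebd_disabled() {
    ! current_pnames "$1" | grep -q 'cmawebd'
}

disable_cmawebd "$INIT_SCRIPT"
current_pnames "$INIT_SCRIPT"
# Expected: PNAMES="cmafdtnpeerd cmahostd cmathreshd"
```

After the edit the other daemons in PNAMES are untouched, so SNMP management continues to work as the advisory notes; the .bak copy lets you restore the web agent once the Softpaq has been applied.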

SCO UnixWare 7 Agents (UnixWare 2 agents are NOT Web-Enabled) 
1. To stop the running Web Agent:
   - Log in as "root"
   - Run the "sh /etc/init.d/cmaweb stop" command.
2. To disable the Web Agent so it will not be started during reboot or
   entering multi-user mode:
   - Log in as "root"
   - Run the "rm /etc/rc2.d/[SK]*cmaweb" command.

SCO OpenServer Agents 
1. To stop the running Web Agent:
   - Log in as "root"
   - Run the "sh /etc/cmaweb stop" command.
2. To disable the Web Agent so it will not be started during reboot or
   entering multi-user mode:
   - Log in as "root"
   - Run the "rm /etc/rc2.d/[SK]*cmaweb" command.
            
Survey for Windows and Survey for NetWare 
It is not possible to disable only the web component of Survey.
Follow the instructions below to disable the full service: 

Survey for Windows
From the command prompt, type the following command: 
%SystemDrive%\COMPAQ\SURVEY\SURVEY -U
This will unload the Survey service and prevent it from starting up on
the next reboot.
              
Survey for NetWare 
To unload Survey for NetWare from the console screen, type the
following command: UNLOAD SURVEY
During the default Survey install, Survey is automatically started by
adding the line "load SURVEY -w10 -cWed.12,7" to the AUTOEXEC.NCF. To
prevent Survey from automatically starting next time the server is
restarted, remove that line.
           
System Healthcheck
Change to the SHC bin directory (e.g. cd %systemdrive%\compaq\shc\bin).
First, stop the service by typing "net stop cpqshc".
Next, remove the service by typing "shcsvc -remove".
Note that the command line interface to SHC will continue to work.

Compaq Power Agents
To stop the running Web Agent:
- From the Windows Control Panel, double-click "Services"
- In the Services dialog list box, click on "Compaq Power
  Management Web Agent"
- Click the "Stop" button to stop the Agent

To prevent the service from being restarted:
- Click on the "Startup..." button and choose "Disabled";
  click "OK". 

OpenVMS Management Agents
To stop the running Web Agent:
- Log into the system account
- For V1.0 and V2.0: $@sys$specific:[wbem]stop_webagents
- For V2.1: $@sys$specific:[wbem]wbem$shutdown 
A fix for this problem will be provided in Version 2.2 of the 
Management Agents for OpenVMS via our web site: 
http://www.openvms.compaq.com/openvms/products/mgmt_agents Version 
2.2 of the Management agents should be available at this web site in 
late March or early April. 
            
Compaq Management Agents and Tools for Servers for SCO UnixWare 7 
NonStop Clusters
To stop the running Web Agent:
- Log in as "root".
- Execute the following two command lines:
  - `onall /etc/init.d/cmaweb stop`
  - `chmod 777 /etc/init.d/cmaweb 000` 
            
Tru64 UNIX Management Agents
To stop the running Web Agent:
- Log in as "root"
- Execute the "/sbin/init.d/insightd stop" command.

To disable the Web Agents so they will not be started during reboot or
entering multi-user mode:
- Log in as "root"
- On Tru64 UNIX V4.0f and V4.0g, execute "rm /sbin/rc2.d/*insightd"
- On Tru64 UNIX V5.0 and later, execute the command:
  "/usr/sbin/rcmgr set INSIGHTD_CONF -1"

To enable the Web Agents again once the Patch Kit has been installed:
- Log in as "root"
- On Tru64 UNIX V4.0f and V4.0g, execute
  "ln -s /sbin/init.d/insightd /sbin/rc2.d/Kxxinsightd"
  where xx is any sequence number after the one used for snmpd
- On Tru64 UNIX V5.0 and later, execute the command:
  "/usr/sbin/rcmgr set INSIGHTD_CONF 1" 
            
Desktop and Portable web-enabled agents 
To remove the web-enabled components from the desktop and portables 
agents, follow the instructions below to uninstall the agents using 
the add/remove feature in Windows systems, then reinstall the agents 
without the DMI web components.

Uninstalling Web-enabled Desktop Agent from a Windows 9x/NT system 

1. From the START menu, select SETTINGS, then CONTROL PANEL. 
2. From the CONTROL PANEL, select ADD/REMOVE PROGRAMS.
3. In the INSTALL/UNINSTALL tab, select "Compaq Insight 
   Management Web Agent".
4. Click the ADD/REMOVE button to remove the agent. 

For desktops and workstations, do not check "DMI Web Component" 
during the installation.

To install the Compaq Management Agents for portables without web 
support, select "custom" and then select "DMI options". Click on 
the "Change" button. Remove the check marks for "Compaq DMI Web 
Agent" and "Compaq DMI Web Viewer".

COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO 
REPRESENTATIONS ABOUT THE SUITABILITY OF THE 
INFORMATION CONTAINED IN THE DOCUMENTS AND 
RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED 
ON THIS SERVER FOR ANY PURPOSE. ALL SUCH DOCUMENTS 
AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT 
WARRANTY OF ANY KIND AND ARE SUBJECT TO CHANGE 
WITHOUT NOTICE. THE ENTIRE RISK ARISING OUT OF THEIR 
USE REMAINS WITH THE RECIPIENT. IN NO EVENT SHALL 
COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR 
ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE 
OR OTHER DAMAGES WHATSOEVER (INCLUDING WITHOUT 
LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, 
BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION), 
EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES.

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOr9J+Ch9+71yA2DNAQEcnAP/Qsxis4meR9SIy5nDCwF7wN7VNzk0tKXX
Gy+HzIpL8JbDygACXDZOrPxwoPvOen1qeJS/6ktW0USVSju2LCx1vsh8CeTdCoh/
ysQKmtXxpb7zV96yKw2m03PlZ0/OcfeXxCFSFiz/zR5zKBszFtxaspvgnqZCCerR
ux5Gezsme6I=
=vr+8
-----END PGP SIGNATURE-----