[NEWS] Compaq Web-Enabled Management Software Security Vulnerability
From: support@securiteam.com  Date: 10/01/01
From: support@securiteam.com To: list@securiteam.com Subject: [NEWS] Compaq Web-Enabled Management Software Security Vulnerability Message-Id: <20011001154554.ADCF1138C2@mail.der-keiler.de> Date: Mon, 1 Oct 2001 17:45:54 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Compaq Web-Enabled Management Software Security Vulnerability
------------------------------------------------------------------------
SUMMARY
Compaq recently uncovered a buffer overflow in the web component of its
Web-enabled Management Software. Because that component serves management
data over HTTP, an unauthorized user who can reach it may be able to exploit
the overflow to execute code at administrator level. Compaq has addressed the
issue in version 5.2 of the Compaq Management Agents and has released patches
(see details below), downloadable from the Compaq website, that fix existing
Agent installations.
Compaq strongly recommends that customers upgrade to version 5.2 of the
Compaq Management Agents or apply the appropriate patch.
Compaq strongly recommends that web-enabled agents and utilities be
deployed only on private networks and are not used on the open Internet or
on systems outside the bounds of the firewall. The implementation of sound
security practices, which includes disabling external access to Compaq
management ports, should help to protect customers from external malicious
attacks. Compaq also recommends that strong password standards are used
and that passwords are changed regularly.
DETAILS
The web component of Compaq web-enabled management software provides HTTP
services to allow management information to be accessible through a web
browser. Web-enabled management software is provided for the majority of
the operating systems that Compaq supports on its Intel-based and
Alpha-based server and client systems. These operating systems include
Microsoft Windows 9x, Windows NT and Windows 2000, Novell NetWare, SCO
UnixWare 7, Red Hat Linux 6.2 and 7.0, SuSE Linux 7.0 & 7.1, Tru64 Unix
and Open VMS. Web-enabled management software is also supported for Compaq
storage products.
This Security Advisory applies to all Compaq Web-enabled Management
Software. A list of affected software versions is available at
http://www.compaq.com/products/servers/management/mgtsw-advisory2.html
Unaffected software versions:
The web-enabled component of the Compaq Remote Insight Lights-Out Edition
board is NOT affected. Also unaffected are the downloadable integration
modules that Compaq provides to enhance the management of Compaq platforms
from within enterprise management consoles such as CA Unicenter TNG,
Tivoli Enterprise, Tivoli NetView, and HP OpenView.
What Compaq is doing:
Compaq is currently completing the testing and release of fixes for the
affected software. Compaq Management CD Version 5.2 includes an update
that fixes the buffer overflow security vulnerability issue in some Compaq
Web-enabled Management Software. In addition to releasing new versions of
the software, Compaq will also release software patches to update existing
versions of the web-enabled management software.
Three patches are now available for download from:
ftp://ftp.compaq.com/pub/softpaq/sp17501-18000/
SoftPaq SP 17926 fixes the problem for affected versions of Compaq
Foundation Agents for Windows Servers, Compaq Survey for Windows, Compaq
Power Manager, Compaq Intelligent Cluster Administrator, and Compaq
Availability Agents. This patch also fixes the problem for the SNMP and
DMI agents installed with Compaq Insight Manager XE Version 2.0 and 2.1.
Compaq recommends applying the patch if any of the Compaq Management
Software mentioned above is installed.
SoftPaq SP 17927 fixes the problem for affected versions of the Compaq
Foundation Agents for Novell NetWare servers.
SoftPaq SP 17928 fixes the problem for affected versions of the Compaq
Foundation Agents for Linux servers.
What customers should do:
Determine which systems are running Compaq web-enabled agents or
utilities. There are three methods suggested.
Method 1
Point a web browser to the system by keying in http://[IP_ADDRESS]:2301
or http://[machine_name]:2301.
This will bring up the device home page for any servers running
web-enabled management software, and display a list of the components.
NOTE: The lists generated by Methods 2 and 3, while helpful, may not be
exhaustive: they include only systems that are explicitly managed by the
console or that its discovery has found. A system running the web agent
that is neither managed nor discovered will not appear in them.
Method 2
Systems running Compaq Insight Manager XE can get a list of systems
running the web-enabled agents by defining a Query to return a list of
systems with web agents.
1. Log in to your Compaq Insight Manager XE system and create a new Query.
2. Select the "Devices with Web Agent" criteria.
3. Select all of the available products on the Criteria Configuration
screen.
4. Save the Query and execute it. The list of devices will be all those
with web agents.
Method 3
Systems running Compaq Insight Manager Windows 32 console, can get a list
of systems running the web agents by starting Compaq Insight Manager and
selecting the "Web Device List" button on the toolbar. This will display a
list of systems being managed by Compaq Insight Manager and additionally
will have underlined as hyperlinks the systems on which the web agents are
present and enabled. To print out a list of only the web devices, select
the "Web Devices" hyperlink in the left column and only web devices will
be shown. Print this page from your browser.
If for any reason the software cannot be updated or the patch applied,
Compaq recommends that the web-enabled components of Compaq Management
Software be temporarily disabled by following the procedures outlined at
the end of this advisory.
Compaq has always advised that web-enabled agents and utilities be
deployed only in private networks and not used on the Internet or on
systems outside the bounds of a firewall. Verify that the firewall or proxy
protecting the corporate network from the Internet disallows access to
non-essential IP ports. Blocking such ports, which include port 2301 (Device
Management Port) and port 280 (Compaq Insight Manager XE port), is part of a
sound security policy for your network. Note that perimeter filtering only
limits exposure from the Internet: any host inside the firewall can still
reach an unpatched agent on those ports, so filtering complements the patch
or the disabling procedures below rather than replacing them.
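Method 1 above checks one host at a time. The following Python script is an
added example, not part of the Compaq advisory or of Compaq's software: it
sweeps a list of hosts for anything answering HTTP on the Device Management
Port (2301) and, if asked, the Insight Manager XE port (280). It complements
the console queries of Methods 2 and 3, which list only managed or discovered
systems, and run from a host outside the firewall against your public address
ranges it verifies that those ports are actually filtered as recommended
above. The sweep identifies listeners only; it does not fingerprint the agent
version, so whether a responder is patched still has to be checked against the
SoftPaq list. The start_fake_agent helper and its Server header value are
constructed for offline testing and are not a reproduction of the real
agent's banner.

```python
"""Sweep hosts for a web-enabled management agent on TCP 2301 (and 280).

Added example, not part of the Compaq advisory. Run only against hosts you
are authorised to scan.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

WEB_AGENT_PORT = 2301   # Device Management Port, as named in the advisory
INSIGHT_XE_PORT = 280   # Compaq Insight Manager XE port, as named in the advisory


def probe_http(host, port=WEB_AGENT_PORT, timeout=3.0):
    """Open host:port, send a minimal HTTP/1.0 GET and read the response headers.

    Returns (status_line, server_header) when something speaking HTTP answers,
    or None when the port is closed, filtered (timeout) or not HTTP at all.
    Only the header block is read, so the probe is cheap and leaves no state.
    """
    request = ("GET / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            while len(data) < 4096 and b"\r\n\r\n" not in data:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:          # refused, timed out, reset, unreachable
        return None
    if not data.startswith(b"HTTP/"):
        return None
    header_lines = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    status = header_lines[0].decode("latin-1", "replace")
    server = ""
    for line in header_lines[1:]:
        if line.lower().startswith(b"server:"):
            server = line.split(b":", 1)[1].strip().decode("latin-1", "replace")
            break
    return status, server


def sweep(hosts, ports=(WEB_AGENT_PORT,), timeout=3.0, workers=32):
    """Probe every (host, port) pair in parallel.

    Returns {(host, port): (status, server)} for the pairs that answered.
    """
    targets = [(h, p) for h in hosts for p in ports]
    hits = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda t: probe_http(t[0], t[1], timeout), targets)
        for target, result in zip(targets, results):
            if result is not None:
                hits[target] = result
    return hits


def start_fake_agent(server_header="CompaqHTTPServer/2.1"):
    """Constructed stand-in for a web agent, used only to exercise the probe offline.

    Listens on 127.0.0.1 at an ephemeral port and answers each connection with
    a fixed HTTP/1.0 response. The Server header value is a made-up sample, not
    the real agent's banner. Returns the port number.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    response = ("HTTP/1.0 200 OK\r\nServer: %s\r\n"
                "Content-Type: text/html\r\n\r\n<html></html>" % server_header).encode()

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.recv(1024)
                    conn.sendall(response)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Usage: python sweep2301.py host1 host2 ...   (hosts or IPs on your own network)
    found = sweep(sys.argv[1:], ports=(WEB_AGENT_PORT, INSIGHT_XE_PORT))
    for (host, port), (status, server) in sorted(found.items()):
        print("%s:%d  %s  Server: %s" % (host, port, status, server or "(none)"))
```

A hit on 2301 means a device home page is reachable from wherever the sweep
ran; a list of hits from outside the firewall is a list of perimeter rules to
fix, a list from inside is the inventory to patch or disable.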
How do I obtain the updated Compaq Management software or patch?
Updated software will be made available on the web through the system
software download site
(http://www.compaq.com/support/files/server/us/index.html) and will be
proactively delivered directly to customers who have installed Compaq
ActiveUpdate. Compaq recommends registering for the ActiveUpdate service,
which is available at http://www.compaq.com/activeupdate.
Obtaining support for this issue
The normal process for obtaining support on Compaq products is pursued in
the country of residence. If you do not have an established support
process, you may find information about support by visiting the Compaq web
site for your country, which you can find by picking your country from the
list at http://www.compaq.com/worldwide/.
You may also find a support number for your locale from the table at
http://www.compaq.com/corporate/overview/world_offices.html
Support can help you to:
1. Identify if you have an affected version.
2. Obtain the appropriate SoftPaq when it is available.
3. Apply and run the SoftPaq. Compaq support personnel are aware of the
issues and the fixes and are well versed in Compaq systems management
products.
Disabling the Web-enabled Agents
If you are unable to wait for the fix to become available, you can use the
following procedures to disable the web component of the agents. For those
cases where it is not possible to disable only the web component,
instructions are provided below for disabling the entire agent or utility.
Microsoft Windows Servers
Web-based management is enabled, by default, when you install the Compaq
Server Management Agents for Windows NT. Perform the following steps to
disable web-based management:
1. From the START menu, select SETTINGS, then CONTROL PANEL.
2. From the CONTROL PANEL, select and run the SERVICES applet.
3. Select INSIGHT WEB AGENT from the list of services.
4. If it is running, click the button marked STOP.
5. To prevent it from automatically starting again, click STARTUP and then
select DISABLED.
6. Click OK.
7. Click CLOSE.
This will stop the web agents and prevent them from starting
automatically. SNMP management is still enabled.
For Windows 2000 - right click My Computer on the desktop; select Manage.
This will display a window titled "Computer Management", Click the
"Services" item under the "Services and Applications" node.
The right side of the window will show the services installed on the
system. Perform steps 3 through 7 from above.
NetWare Server Agents
If you enabled web-based management when you installed the Compaq
Management Agents for NetWare, and later would like to disable it, perform
the following steps from the NetWare server console:
1. LOAD CPQAGIN.
2. Select the option "Configure Existing NetWare Agents".
3. Select the line that mentions the loading of CPQWEBAG and select NO.
4. Save changes and exit CPQAGIN.
This prevents the web-enabled agents from loading. SNMP management is
still enabled.
Linux Server Agents
To stop running web agent:
1. Log in as "root".
2. Run "/etc/rc.d/init.d/cmafdtn stop cmawebd" command.
To disable web agent so it will not start during reboot or run level
changes:
1. Log in as "root".
2. Edit "/etc/rc.d/init.d/cmafdtn" file (using vi or other editors) and
remove "cmawebd" from following line:
PNAMES="cmafdtnpeerd cmahostd cmathreshd cmawebd"
SCO UnixWare 7 Agents (UnixWare 2 agents are NOT Web-Enabled)
To stop running web agent:
1. Log in as "root":
2. Run "sh /etc/init.d/cmaweb stop" command.
To disable web agent so it will not be started during reboot or when
entering multi-user mode:
1. Log in as "root".
2. Run "rm /etc/rc2.d/[SK]*cmaweb" command.
SCO OpenServer Agents
To stop running web agent:
1. Log in as "root".
2. Run "sh /etc/cmaweb stop" command.
To disable Web Agent so it will not be started during reboot or entering
multi-user mode:
1. Log in as "root".
2. Run "rm /etc/rc2.d/[SK]*cmaweb" command.
Survey for Windows, Survey for NetWare, and Survey for Linux
It is not possible to disable only the web component of the Survey Utility.
Follow the instructions below to disable the full service:
Survey for Windows
From the command prompt, type the following command:
%SystemDrive%\COMPAQ\SURVEY\SURVEY-U
This will unload the Survey service and prevent it from starting up on the
next reboot.
Survey for NetWare
To unload Survey for NetWare from the console screen, type the following
command: UNLOAD SURVEY
During the default Survey install, Survey is automatically started by
adding the line "load SURVEY -w10 -cWed.12,7 " to the AUTOEXEC.NCF. To
prevent Survey from automatically starting next time the server is
restarted, remove that line.
Survey for Linux
To stop the Survey for Linux web daemon, type the following command:
kill `ps -e | grep surveywebd | awk '{print $1}'`
System Healthcheck
1. Change to the SHC bin directory (e.g. cd %systemdrive%\compaq\shc\bin).
2. Stop the service by typing "net stop cpqshc".
3. Remove the service by typing "shcsvc -remove".
Note that the command line interface to SHC will continue to work.
Compaq Power Management Agents
To stop running web agent:
1. From the Windows Control Panel, double-click "Services".
2. In the Services dialog list box, click on "Compaq Power Management Web
Agent".
3. Click the "Stop" button to stop the Agent.
To prevent the service from being restarted, click on the "Startup..."
button and choose "Disabled", and then click "OK".
OpenVMS Management Agents
To stop running web agent:
1. Log into the system account.
2. For V1.0 and V2.0:
$@sys$specific:[wbem]stop_webagents
3. For V2.1:
$@sys$specific:[wbem]wbem$shutdown
Compaq Management Agents and Tools for Servers for SCO UnixWare 7 NonStop
Clusters
To stop running web agent:
1. Login as "root".
2. Execute the following two commands:
"onall /etc/init.d/cmaweb stop"
"chmod 777 /etc/init.d/cmaweb 000"
Tru64 UNIX Management Agents
To stop running Web Agent:
1. Log in as "root".
2. Execute "/sbin/init.d/insightd stop" command.
To disable the Web Agents so they will not be started during reboot or
when entering multi-user mode:
1. Log in as "root".
2. On Tru64 UNIX V4.0f and V4.0g, execute "rm /sbin/rc2.d/*insightd".
3. On Tru64 UNIX V5.0 and later, execute "/usr/sbin/rcmgr set
INSIGHTD_CONF -1".
To enable the Web Agents again once the Patch Kit has been installed:
1. Log in as "root".
2. On Tru64 UNIX V4.0f and V4.0g, execute "ln -s /sbin/init.d/insightd
/sbin/rc2.d/Kxxinsightd", where xx is any sequence number higher than the
one used for snmpd.
3. On Tru64 UNIX V5.0 and later, execute "/usr/sbin/rcmgr set
INSIGHTD_CONF 1".
Desktop and Portable Web-Enabled Agents
To remove the web-enabled components from the desktop and portables
agents, follow the instructions below to uninstall the agents using the
Add/Remove feature in Windows systems, then reinstall the agents without
the DMI web components.
Uninstalling Web-Enabled Desktop Agent from a Windows 9x/NT system
1. From the START menu, select SETTINGS, then CONTROL PANEL.
2. From the CONTROL PANEL, select ADD/REMOVE PROGRAMS.
3. In the INSTALL/UNINSTALL tab, select "Compaq Insight Management Web
Agent".
4. Click the ADD/REMOVE button to remove the agent.
For desktops and workstations, do not check "DMI Web Component" during the
installation.
To install the Compaq Management Agents for portables without web support,
select "custom" and then select "DMI options". Click on the "Change"
button. Remove the check marks for "Compaq DMI Web Agent" and "Compaq DMI
Web Viewer".
ADDITIONAL INFORMATION
The information has been provided by Rich Boren (SSRT), Rich.Boren@COMPAQ.com.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.