US-CERT
Vulnerability Note VU#673228

HP OpenView Storage Data Protector may allow an attacker to execute arbitrary commands

Overview

A vulnerability in HP OpenView Storage Data Protector may allow an attacker to issue arbitrary commands on an affected system.

I. Description

HP OpenView

HP OpenView is a range of products, developed and distributed by Hewlett-Packard, that are used for enterprise system and network monitoring.

HP OpenView Storage Data Protector
HP OpenView Storage Data Protector manages backup and recovery processes across local networks and storage area networks (SAN). The software uses a proprietary protocol for communications between the central backup server (Cell Manager) and clients (Agents).

The problem
On HP OpenView Storage Data Protector 5.1 and 5.5, it may be possible for an attacker to create a specially crafted packet that will pass commands to the backup agents with no authentication or input validation.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary commands on the backup agents with system privileges.

III. Solution

Apply a patch from the vendor
HP has released patches to address this issue. Please see the systems affected section of this document for more information.

Restrict access
Restricting network access to the backup agents may mitigate this vulnerability. The Administrator's Guide provides instructions on configuring the HP OpenView Storage Data Protector software.
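
One way to verify that the access restriction holds is to review network flow records for any host other than the Cell Manager reaching an agent. The following is an added example, not part of the original note or of HP's software; the port number, the addresses and the three-field flow record format are assumptions constructed for illustration.

```python
import ipaddress

AGENT_PORT = 5555  # assumption: agent listener port; confirm for your installation

# Constructed sample flow records: "src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
# src dst dport
10.0.5.10 10.0.20.31 5555
10.0.5.10 10.0.20.32 5555
10.0.99.7 10.0.20.31 5555
10.0.99.7 10.0.20.31 443
192.0.2.44 10.0.20.32 5555
garbage line
"""

def parse_flow(line):
    """Return (src, dst, port), or None for blank, comment or malformed lines."""
    fields = line.split()
    if len(fields) != 3 or fields[0].startswith("#"):
        return None
    try:
        return (ipaddress.ip_address(fields[0]),
                ipaddress.ip_address(fields[1]),
                int(fields[2]))
    except ValueError:
        return None

def unexpected_agent_access(flow_text, cell_managers, agent_net, port=AGENT_PORT):
    """List (src, dst) pairs where a non-Cell-Manager host reached an agent port."""
    allowed = {ipaddress.ip_address(a) for a in cell_managers}
    agents = ipaddress.ip_network(agent_net)
    findings = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow
        # Only traffic to the agent port on the agent subnet is in scope.
        if dport == port and dst in agents and src not in allowed:
            findings.append((str(src), str(dst)))
    return findings

if __name__ == "__main__":
    hits = unexpected_agent_access(SAMPLE_FLOWS, ["10.0.5.10"], "10.0.20.0/24")
    for src, dst in hits:
        print(f"unexpected source {src} reached agent {dst} on port {AGENT_PORT}")
```

An empty result means every recorded connection to the agent port came from a listed Cell Manager; any finding points to a filtering rule that is missing or too broad.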

Systems Affected

Vendor | Status | Date Notified | Date Updated
Hewlett-Packard Company | Vulnerable | 23-Aug-2006

References


http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00742778&jumpid=reg_R1002_USEN
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00742778
http://www.uniras.gov.uk/niscc/docs/re-20060811-00547.pdf?lang=en
http://secunia.com/advisories/21485/
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00663793/c00663793.pdf

Credit

This vulnerability was originally reported by NISCC.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2006-08-14
Date First Published: 2006-08-23
Date Last Updated: 2007-01-12
CERT Advisory: 
CVE-ID(s): CVE-2006-4201
NVD-ID(s): CVE-2006-4201
US-CERT Technical Alerts: 
Metric: 0.94
Document Revision: 27

Produced 2006 by US-CERT, a government organization