A vulnerability was identified in HP OpenView Network Node Manager, which may be exploited by remote attackers to execute arbitrary commands. This flaw is due to an input validation error in the "connectedNodes.ovpl" script that does not properly filter a specially crafted "node" parameter, which may be exploited by a remote attacker to cause arbitrary shell commands to be executed.

Note : The "freeIPaddrs.ovpl", "cdpView.ovpl" and "ecscmg.ovpl" scripts are also affected.

Affected Products

HP OpenView Network Node Manager version 6.2
HP OpenView Network Node Manager version 6.4
HP OpenView Network Node Manager version 7.01
HP OpenView Network Node Manager version 7.50

(on HP-UX, Solaris, Windows NT, Windows 2000, Windows XP, and Linux)

Solution

Apply patches :
http://support.openview.hp.com/patches/

References

http://www.vupen.com/english/advisories/2005/1539
http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01224

Credits

Vulnerability reported by James Fisher

Changelog

2005-08-26 : Initial release
2005-08-29 : Updated Advisory

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.