Date: 29 October 1996
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-96.07 AUSCERT Advisory
Vulnerabilities in HP Remote Watch Software
24 October 1996
Last Revised: October 29, 1996
Added HP Security bulletin in Appendix A
Changed vulnerability information
- ----------------------------------------------------------------------------
AUSCERT has received information that there are vulnerabilities in the
Hewlett-Packard Remote Watch Software. This product's primary function
is the collection of system data, which is available to both system
administrators and HP support personnel. It can also be used to monitor
day-to-day changes in the system, informing the system administrator of
any errors and configuration changes found.
The Remote Watch software is provided as a separate product with the HP
Series 300/400/700, and as a subsystem of the HP Support Watch product on
the HP 800 Series. Any system with the HP Remote Watch product installed
is vulnerable.
These vulnerabilities may allow remote as well as local users to gain root
privileges.
Exploit details involving these vulnerabilities have been made publicly
available.
AUSCERT recommends that sites take the actions suggested in Section 3
as soon as possible.
- ----------------------------------------------------------------------------
1. Description
The HP Remote Watch product is auxiliary software which is often
installed on HP-UX 9.x systems, although not part of the default
installation. Remote Watch is a separate product for HP
Series 300/400/700, and is a subsystem of the the HP Support Watch
product for HP Series 800.
Systems running HP-UX 10.x may have this package installed even
though it is not supported.
AUSCERT has been informed of a number of vulnerabilities in the Remote
Watch product involving both the daemon and its support modules. All
sites are encouraged to check their systems for this package, and if
installed, take the actions recommended in Section 3.
The default location for this product is /usr/remwatch/.
% ls -ld /usr/remwatch/
2. Impact
Local and remote users may be able to execute arbitrary commands with
root privileges. This may be leveraged to gain unauthorised root
access.
3. Workarounds/Solution
AUSCERT recommends that sites prevent exploitation of these
vulnerabilities by taking the measures given in Section 3.1
immediately.
AUSCERT has been informed that Hewlett Packard will not be releasing
patches to address these vulnerabilities. Hewlett Packard has released
a security bulletin discussing these vulnerabilities and the current
product status of the Remote Watch product. This bulletin is attached
in Appendix A.
3.1 Remove the HP Remote Watch Product
AUSCERT has been informed that these vulnerabilities can only be
removed by disabling the Remote Watch product. Therefore, sites are
advised to remove the Remote Watch product from their systems as soon
as possible. This can be accomplished by issuing the following command
as root:
# /usr/remwatch/bin/removeall
NOTE: Do not run the standard rmfn command as HP has discovered
problems with its inability to handle programs with active executables.
The administrator should also perform both of the following tasks:
1. Remove or comment out the following line from /etc/inetd.conf
rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon
2. Have inetd re-read it's configuration file by issuing the following
command:
# inetd -c
............................................................................
Appendix A
- ----------------------BEGIN HP SECURITY ADVISORY-------------------------
- -------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY ADVISORY: #000039, 24 October 1996
- -------------------------------------------------------------------------
Hewlett-Packard recommends that the information in the following
Security Advisory should be acted upon as soon as possible. Hewlett-
Packard will not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this Security
Advisory as soon as possible.
Permission is granted for copying and circulating this advisory to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the advisory is
not edited or changed in any way, is attributed to HP, and provided such
reproduction and/or distribution is performed for non-commercial
purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
_______________________________________________________________________
PROBLEM: Vulnerability in HP Remote Watch in 9.X releases of HP-UX
PLATFORM: HP 9000 series 300/400/700/800s
DAMAGE: Vulnerabilities in HP Remote Watch exists allowing users to
gain additional privileges.
SOLUTION: Do not use Remote Watch.
_______________________________________________________________________
I. Remote Watch Update
A. Problem description
A recent mailing list disclosure described two vulnerabilities in
which HP Remote Watch allows unauthorized root access. The first was
via a socket connection on port 5556. The second was as a result of
using the showdisk utility, which is part of the Remote Watch product.
It has been found that HP9000 Series 300, 400, 700, and 800 systems
running only HP-UX Release 9.X have this vulnerability.
B. Fixing the problem
This vulnerability can only be eliminated from releases 9.X of HP-UX
which are using Remote Watch by disabling the entire product. The
default location for this product is /usr/remwatch/ .
Removal can be accomplished (as root) with the following:
NOTE: Do not run the standard rmfn command as HP has discovered
problems with its inability to handle programs with active executables.
Instead, run (with no options):
/usr/remwatch/bin/removeall
This runs a Remote Watch script called "unconfigure" to stop actively
running programs, then proceeds to remove all files including the
filesets.
The administrator should also perform both of the following steps:
1. Remove or comment out the following entry in /etc/inetd.conf
file:
rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon
2. Have inetd re-read its configuration file by executing at the
prompt:
inetd -c
This is the official recommendation from Hewlett-Packard Company.
C. Current product status
Remote Watch was last released from the labs in August of 1993.
In December 1994 customers were informed of pending product
obsolescence. Hewlett-Packard recommends that all customers
concerned with the security of their HP-UX systems with Remote
Watch configured on it perform the actions described herein as
soon as possible. Again, no patches will be available for any
versions of HP-UX.
Since the functionality of HP Remote Watch software has now been
replicated in other tools that handle system management more
effectively there is no longer a sufficient need for HP Remote
Watch. Most of the functionality is now provided by the Systems
Administration Manager (SAM) tool, available at no charge as part
of the HP-UX operating system, or by the HP OpenView
OperationsCenter application.
If further assistance is desired please contact your HP Support
Representative.
D. HP SupportLine
To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine mail service via electronic mail,
send an email message to:
support@us.external.hp.com (no Subject is required)
Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE,
here are some basic instructions you may want to use:
To add your name to the subscription list for new security bulletins,
send the following in the TEXT PORTION OF THE MESSAGE:
subscribe security_info
To retrieve the index of all HP Security Bulletins issued to date,
send the following in the TEXT PORTION OF THE MESSAGE:
send security_info_list
To get a patch matrix of current HP-UX and BLS security patches
referenced by either Security Bulletin or Platform/OS, put the
following in the text portion of your message:
send hp-ux_patch_matrix
World Wide Web service for browsing of bulletins is available via
our URL:
http://us.external.hp.com
Choose "Support news", then under Support news,
choose "Security Bulletins"
E. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt exploit information using the security-alert PGP
key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
- ------------------------END HP SECURITY ADVISORY----------------------------
- ----------------------------------------------------------------------------
AUSCERT thanks Hewlett-Packard for supplying technical expertise used to
produce this advisory.
- ----------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
October 29 1996 Hewlett Packard released a Security Bulletin addressing
the vulnerabilities described in this advisory. This
bulletin was added in Appendix A.
New vulnerabilities in the Remote Watch Product were
publicly released, and the description in this advisory
changed accordingly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMobw1Ch9+71yA2DNAQF4DQP/a9AecSSr+UmqjDNN4tBH0LW2kju56ODv
YpY1Z6tW+5tlS3+5WvmSBm5n6UYuXT9z3aCbIThFQN3zBvym+geNAD99NMOi3P5w
II/x/NHHvaAgTAoKzV1Vi4MzBOYtUAMhmiMhkr/kMZIIuZbt7dHuqrHU/sVZPzlS
IcdUPdrkBkc=
=Mdjw
-----END PGP SIGNATURE-----
|