copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
» AA-96.07 -- Vulnerabilities in HP Remote Watch Software
AA-96.07 -- Vulnerabilities in HP Remote Watch Software
Date:
29 October 1996
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AA-96.07 AUSCERT Advisory Vulnerabilities in HP Remote Watch Software 24 October 1996 Last Revised: October 29, 1996 Added HP Security bulletin in Appendix A Changed vulnerability information - ---------------------------------------------------------------------------- AUSCERT has received information that there are vulnerabilities in the Hewlett-Packard Remote Watch Software. This product's primary function is the collection of system data, which is available to both system administrators and HP support personnel. It can also be used to monitor day-to-day changes in the system, informing the system administrator of any errors and configuration changes found. The Remote Watch software is provided as a separate product with the HP Series 300/400/700, and as a subsystem of the HP Support Watch product on the HP 800 Series. Any system with the HP Remote Watch product installed is vulnerable. These vulnerabilities may allow remote as well as local users to gain root privileges. Exploit details involving these vulnerabilities have been made publicly available. AUSCERT recommends that sites take the actions suggested in Section 3 as soon as possible. - ---------------------------------------------------------------------------- 1. Description The HP Remote Watch product is auxiliary software which is often installed on HP-UX 9.x systems, although not part of the default installation. Remote Watch is a separate product for HP Series 300/400/700, and is a subsystem of the the HP Support Watch product for HP Series 800. Systems running HP-UX 10.x may have this package installed even though it is not supported. AUSCERT has been informed of a number of vulnerabilities in the Remote Watch product involving both the daemon and its support modules. All sites are encouraged to check their systems for this package, and if installed, take the actions recommended in Section 3. The default location for this product is /usr/remwatch/. % ls -ld /usr/remwatch/ 2. Impact Local and remote users may be able to execute arbitrary commands with root privileges. This may be leveraged to gain unauthorised root access. 3. Workarounds/Solution AUSCERT recommends that sites prevent exploitation of these vulnerabilities by taking the measures given in Section 3.1 immediately. AUSCERT has been informed that Hewlett Packard will not be releasing patches to address these vulnerabilities. Hewlett Packard has released a security bulletin discussing these vulnerabilities and the current product status of the Remote Watch product. This bulletin is attached in Appendix A. 3.1 Remove the HP Remote Watch Product AUSCERT has been informed that these vulnerabilities can only be removed by disabling the Remote Watch product. Therefore, sites are advised to remove the Remote Watch product from their systems as soon as possible. This can be accomplished by issuing the following command as root: # /usr/remwatch/bin/removeall NOTE: Do not run the standard rmfn command as HP has discovered problems with its inability to handle programs with active executables. The administrator should also perform both of the following tasks: 1. Remove or comment out the following line from /etc/inetd.conf rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon 2. Have inetd re-read it's configuration file by issuing the following command: # inetd -c ............................................................................ Appendix A - ----------------------BEGIN HP SECURITY ADVISORY------------------------- - ------------------------------------------------------------------------- HEWLETT-PACKARD SECURITY ADVISORY: #000039, 24 October 1996 - ------------------------------------------------------------------------- Hewlett-Packard recommends that the information in the following Security Advisory should be acted upon as soon as possible. Hewlett- Packard will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Advisory as soon as possible. Permission is granted for copying and circulating this advisory to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the advisory is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. _______________________________________________________________________ PROBLEM: Vulnerability in HP Remote Watch in 9.X releases of HP-UX PLATFORM: HP 9000 series 300/400/700/800s DAMAGE: Vulnerabilities in HP Remote Watch exists allowing users to gain additional privileges. SOLUTION: Do not use Remote Watch. _______________________________________________________________________ I. Remote Watch Update A. Problem description A recent mailing list disclosure described two vulnerabilities in which HP Remote Watch allows unauthorized root access. The first was via a socket connection on port 5556. The second was as a result of using the showdisk utility, which is part of the Remote Watch product. It has been found that HP9000 Series 300, 400, 700, and 800 systems running only HP-UX Release 9.X have this vulnerability. B. Fixing the problem This vulnerability can only be eliminated from releases 9.X of HP-UX which are using Remote Watch by disabling the entire product. The default location for this product is /usr/remwatch/ . Removal can be accomplished (as root) with the following: NOTE: Do not run the standard rmfn command as HP has discovered problems with its inability to handle programs with active executables. Instead, run (with no options): /usr/remwatch/bin/removeall This runs a Remote Watch script called "unconfigure" to stop actively running programs, then proceeds to remove all files including the filesets. The administrator should also perform both of the following steps: 1. Remove or comment out the following entry in /etc/inetd.conf file: rwdaemon stream tcp nowait root /usr/remwatch/bin/rwdaemon rwdaemon 2. Have inetd re-read its configuration file by executing at the prompt: inetd -c This is the official recommendation from Hewlett-Packard Company. C. Current product status Remote Watch was last released from the labs in August of 1993. In December 1994 customers were informed of pending product obsolescence. Hewlett-Packard recommends that all customers concerned with the security of their HP-UX systems with Remote Watch configured on it perform the actions described herein as soon as possible. Again, no patches will be available for any versions of HP-UX. Since the functionality of HP Remote Watch software has now been replicated in other tools that handle system management more effectively there is no longer a sufficient need for HP Remote Watch. Most of the functionality is now provided by the Systems Administration Manager (SAM) tool, available at no charge as part of the HP-UX operating system, or by the HP OpenView OperationsCenter application. If further assistance is desired please contact your HP Support Representative. D. HP SupportLine To subscribe to automatically receive future NEW HP Security Bulletins from the HP SupportLine mail service via electronic mail, send an email message to: support@us.external.hp.com (no Subject is required) Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE, here are some basic instructions you may want to use: To add your name to the subscription list for new security bulletins, send the following in the TEXT PORTION OF THE MESSAGE: subscribe security_info To retrieve the index of all HP Security Bulletins issued to date, send the following in the TEXT PORTION OF THE MESSAGE: send security_info_list To get a patch matrix of current HP-UX and BLS security patches referenced by either Security Bulletin or Platform/OS, put the following in the text portion of your message: send hp-ux_patch_matrix World Wide Web service for browsing of bulletins is available via our URL: http://us.external.hp.com Choose "Support news", then under Support news, choose "Security Bulletins" E. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. - ------------------------END HP SECURITY ADVISORY---------------------------- - ---------------------------------------------------------------------------- AUSCERT thanks Hewlett-Packard for supplying technical expertise used to produce this advisory. - ---------------------------------------------------------------------------- The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane Qld. 4072. AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History October 29 1996 Hewlett Packard released a Security Bulletin addressing the vulnerabilities described in this advisory. This bulletin was added in Appendix A. New vulnerabilities in the Remote Watch Product were publicly released, and the description in this advisory changed accordingly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBMobw1Ch9+71yA2DNAQF4DQP/a9AecSSr+UmqjDNN4tBH0LW2kju56ODv YpY1Z6tW+5tlS3+5WvmSBm5n6UYuXT9z3aCbIThFQN3zBvym+geNAD99NMOi3P5w II/x/NHHvaAgTAoKzV1Vi4MzBOYtUAMhmiMhkr/kMZIIuZbt7dHuqrHU/sVZPzlS IcdUPdrkBkc= =Mdjw -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1&it=1860