I received this notice the other day. Is this something that needs to be
done ASAP or is there more coming on this? Has anyone had this problem?
This is to notify you of a potential security exposure in the Tivoli
NetView Distributed product and the Tivoli e-fix that is available to
correct this exposure.
There is a potential security exposure whereby an unauthorized user
could gain root or superuser access to a NetView server by generating
and sending an SNMP trap containing an imbedded UNIX command from either
internally or externally to the NetView server.
Tivoli NetView includes a daemon, ovactiond, which performs automation
based on appropriately customized SNMP trap definitions. Under certain
circumstances it is possible for an unauthorized individual to execute
malicious commands by sending a trap containing commands as legitimate
data. The command will run with the privileges of ovactiond, typically
init, root, or bin. It is therefore possible for a malicious user to
exploit this feature to gain root access.
The security exposure only comes into play if an authorized user at some
point configures additional actions for a trap defined in NetView's
configuration and uses a trap variable in the configuration. Varbinds
(variable components of trap data) of types string and opaque, from
within a trap and matching trap definition, if containing appropriately
enveloped Unix commands and using Unix command substitution, can be
exploited to breach the security of the NetView server.
The exposure does not exist in SNMP trap definitions in the product as
it is shipped but can occur after trap customization by the NetView
administrator or anyone with root authority on the NetView system.
Legitimately customized or other added trap definitions could be
exploited, so a review of such trap definitions for exposures is
warranted.
To avoid any possible exploit of this issue, we suggest that you apply
an e-fix, available starting August 8th, 2001 on the Tivoli Support web
site at http://www.tivoli.com/support/downloads/
Reference the following
APAR number: IY21527. We also suggest that access to NetView trap
definitions be carefully controlled.
The Tivoli NetView support team is ready to help you better understand
this issue if necessary.
Thanks,
Frank J. Ardino III
Sr. Network Management Technical Consultant
CIGNA Corp.
Enterprise Systems Management
856.346.5844
frank.ardino@cigna.com
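The exposure the notice describes, shown as an added example that is not part of the original message or Tivoli's code: a trap action that pastes a string varbind into shell command text lets the shell evaluate command substitution inside it, while passing the same varbind as a positional parameter keeps it as data. The `$1` template syntax, function names and sample varbind are assumptions made for illustration and are not NetView's configuration format.

```python
import re
import subprocess

# Constructed sample varbind; the embedded command is a harmless marker.
SAMPLE_VARBIND = "link down $(echo INJECTED)"

# Hypothetical action template: "$1" stands for the first string varbind.
ACTION_TEMPLATE = "printf 'trap-data: %s\\n' $1"

# Characters that give a string meaning to a POSIX shell.
SHELL_META = re.compile(r"[`$;|&<>\n\\'\"(){}]")


def run_unsafe(varbind):
    """Paste the varbind into the command text, then let a shell parse it."""
    cmd = ACTION_TEMPLATE.replace("$1", '"' + varbind + '"')
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_safe(varbind):
    """Keep the command text fixed; hand the varbind over as parameter $1.

    The shell expands "$1" to the literal string and does not re-parse it,
    so command substitution inside the varbind is never evaluated.
    """
    fixed = "printf 'trap-data: %s\\n' \"$1\""
    out = subprocess.run(["sh", "-c", fixed, "sh", varbind],
                         capture_output=True, text=True)
    return out.stdout.strip()


def has_shell_metachars(varbind):
    """Flag varbind values that should never reach a shell command line."""
    return bool(SHELL_META.search(varbind))


if __name__ == "__main__":
    print("unsafe :", run_unsafe(SAMPLE_VARBIND))
    print("safe   :", run_safe(SAMPLE_VARBIND))
    print("flagged:", has_shell_metachars(SAMPLE_VARBIND))
```

When reviewing customized trap definitions, the actions to look at are those that use a string or opaque trap variable in the command they run.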