Hello Everyone.
NetView for UNIX 6.0.2 on AIX 4.3.3 w/ ML 4 applied.
Have any of you had experience with the ovactiond security alert posted by CERT?
Supposedly NetView has posted a fix for it.
See APAR IY21527. Here's an excerpt from the advisory.
There is a potential security exposure whereby an unauthorized user
could gain root or superuser access to a NetView server by generating
and sending an SNMP trap containing an imbedded UNIX command from either
internally or externally to the NetView server.
Tivoli NetView includes a daemon, ovactiond, which performs automation
based on appropriately customized SNMP trap definitions. Under certain
circumstances it is possible for an unauthorized individual to execute
malicious commands by sending a trap containing commands as legitimate
data. The command will run with the privileges of ovactiond, typically
init, root, or bin. It is therefore possible for a malicious user to
exploit this feature to gain root access.
The security exposure only comes into play if an authorized user at some
point configures additional actions for a trap defined in NetView's
configuration and uses a trap variable in the configuration. Varbinds
(variable components of trap data) of types string and opaque, from
within a trap and matching trap definition, if containing appropriately
enveloped Unix commands and using Unix command substitution, can be
exploited to breach the security of the NetView server.
The exposure does not exist in SNMP trap definitions in the product as
it is shipped but can occur after trap customization by the NetView
administrator or anyone with root authority on the NetView system.
Legitimately customized or other added trap definitions could be
exploited, so a review of such trap definitions for exposures is
warranted.
Thanks.
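
The review of customized trap definitions that the advisory calls for can be partly automated. The sketch below is an added example, not part of the original post or of NetView. It assumes the customized actions have been exported to a simple "trap name | action command" listing (a constructed format, not the real configuration file syntax) and that trap variables appear in commands as `$1`, `$2`, ... or `$*`.

```python
import re

# Assumed placeholder syntax for trap variables inside an action command:
# $1, $2, ... for the nth varbind and $* for all varbinds.
VARBIND_REF = re.compile(r"\$(\d+|\*)")

# Constructed sample input: one "trap name | action command" pair per line.
# The trap names and script paths are hypothetical.
SAMPLE_ACTIONS = """\
linkDown_custom | /usr/local/bin/page_oncall.sh linkdown
app_alert | /usr/local/bin/log_alert.sh $2
ups_status | /usr/local/bin/notify.sh "$1" $*
coldStart |
"""


def audit_actions(text):
    """Return (line number, trap name, variables) for every action command
    that references a trap variable.

    Per the advisory, the exposure exists only when a customized action uses
    a trap variable, so every such use is reported for manual review.
    Quoting in the command is not treated as making the use safe.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "|" not in line:
            continue
        name, command = (part.strip() for part in line.split("|", 1))
        if not command:
            continue  # trap defined with no additional action
        # Keep each referenced variable once, in order of appearance.
        refs = list(dict.fromkeys(m.group(0) for m in VARBIND_REF.finditer(command)))
        if refs:
            findings.append((lineno, name, refs))
    return findings


if __name__ == "__main__":
    for lineno, name, refs in audit_actions(SAMPLE_ACTIONS):
        print(f"line {lineno}: trap '{name}' passes {', '.join(refs)} to its action")
```

Each reported trap is a candidate for the exposure described in the excerpt and should be checked against the fix referenced in APAR IY21527.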