-----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory November 2nd, 1998 Hidden SNMP community in HP OpenView Synopsis: Internet Security Systems (ISS) X-Force has researched a hidden SNMP community string that exists in HP OpenView. This community may allow unauthorized access to certain SNMP variables. Attackers may use this hidden community to learn about network topology as well as modify MIB variables. Affected Versions: ISS X-Force has confirmed that this vulnerability is present in HP OpenView Version 5.02. Earlier versions are believed to be vulnerable. HP-UX 9.X and HP-UX 10.X SNMP agents are vulnerable if OpenView is installed. OpenView for Solaris 2.X is also vulnerable. OpenView for Windows NT is not vulnerable. Fix Information: HP has made the following patches available: PHSS_16800: HP-UX Version 10.X PHSS_16799: HP-UX Version 9.X PHOV_02190: Solaris Version 2.X Description: All hosts in a managed network rely on the proper delivery and collection of SNMP data. This vulnerability allows remote attackers access to portions of the MIB tree used for configuration and maintenance of the SNMP agent. Attackers may use this hidden community from remote to gain information otherwise reserved for authorized users. Attackers can also use this community to disrupt collection of data over SNMP as well as sever communication between Collection Agents and Management stations. Additional Information: ISS Internet Scanner and ISS RealSecure real-time intrusion detection software have the capability to detect these vulnerabilities. - ---------- Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNj4p6DRfJiV99eG9AQHzUQQAiQuk5dH2ITvRrkUnDcbnFXpXL3cYrRr1 qI1njwegNburPEiKV14BPCRAVCcn2uWMpkd4E0ChsmMqwBspM3YoFdNqEuzhsqac pB0CoUizcltd2kZFBbeo2BcIrqSWKAxT326pf9s4Q9Pv7h+1uUlsgNYrH0YSMA7b l6bnK7VDfUI= =H2mz -----END PGP SIGNATURE-----