
Compaq Security Advisory

Posted: June 8, 1999

Compaq Management Agent Security Vulnerability

Summary

As part of an ongoing concern about security and Internet technology, Compaq has identified a potential security vulnerability in the web-enabled portion of Compaq Management Agents and the Compaq Survey Utility when installed as an agent. This security issue can allow read access to files whose location and filename are known or be used to terminate the process controlling the web agents.

The Compaq Management Agents may or may not be pre-installed on a specific platform. Compaq customers of the Deskpro desktop PCs and Armada portable PCs have not received the agent pre-installed. Customers of these products should not be concerned unless they have downloaded an affected web agent from the WWW site or Support Software CD and installed the agent on their Deskpro or Armada. In any event, Compaq encourages all customers to verify that the affected agents are not being used in their environments.

This affects the web component of Compaq Management Agents version 4.0 and greater (except for the 3.7 Deskpro agent) and the Compaq Survey Utility version 2.0 and greater when installed as an agent. SNMP and DMI components without the web capability enabled are not affected.

Issue

The web component of Compaq Management Agents version 4.0 and greater and Compaq Survey Utility 2.0 and greater provide HTTP services so that management information can be viewed through a web browser. Compaq has always advocated that these agents and utilities be deployed only on private networks, not on the Internet or on systems outside the bounds of a firewall. Because of this, Compaq believes that the primary threat is an internal one.

These agents have been discovered to be vulnerable to two issues: a file-read hole that allows any file whose location and name are known to be read from the file system on which the agents are installed, and an overflow that can terminate the web agent process. In some cases on Novell NetWare the overflow has caused the server to stop responding.

Affected Software Versions

This affects the web component of all Compaq Management Agents 4.0 and greater running with Windows NT, Windows 9x, Windows 2000, NetWare and Tru64 Unix. Additionally affected is the Compaq Survey Utility 2.0 and greater when installed as an agent on Windows NT or NetWare. Agent software affected includes those installed on ProLiant and Prosignia servers (since May, 1998), AlphaServers with Windows NT (since October, 1998), AlphaServers with Tru64 Unix (since May, 1999), DIGITAL Intel Servers (since October, 1998) and other systems with the web-enabled agents installed. A complete matrix can be found at the end of this document. Compaq Management Agents for SCO Unix, UnixWare and OpenServer, IBM OS/2 and Compaq OpenVMS are not affected in any way.

What Compaq is doing

Compaq is actively pursuing the testing and release of a software fix to the problem. This will be initially released as a new version 4.23b of the Server Management Agents and a new version 2.18 of the Survey Utility. A SoftPAQ with the Client Management Agent 4.2B will be issued with the fix.

Additionally, patches for the Server Management Agents version 4.0-4.23 and the Survey Utility 2.0-2.17 will be released separately so that customers not wishing to upgrade their system to the latest version can address the issue.

AlphaServers with Compaq Tru64 Unix 4.0F will be able to apply a patch with the name tru64Uv40f_insight_upd06991. A new agent will not be released for AlphaServers with Windows NT and DIGITAL Intel Servers; rather a patch to the agent will be posted.

All software will be posted as a SoftPAQ to the Compaq Web site and can be found from the main Systems Management page at www.compaq.com/sysmanage.

Softpaqs are currently available for:

Patches will be made available soon for:

  • AlphaServers running Windows NT
  • DIGITAL Intel servers
  • Professional Workstation management agents
  • Armada management agents

What Customers Should Do

Determine if you are running the affected software. There are two methods suggested.

One way is to point a web browser at the system you suspect by keying in http://[IP_ADDRESS]:2301 or http://[machine_name]:2301. This will bring up the device home page for the server if it is running the web-enabled agents. You can refer to the "Version/Platform/Operating System Matrix" table at the end of this document to see if you have a version that needs attention.

If you are using the Compaq Insight Manager Win32 console, you can additionally get a list of systems running the web agents by starting Compaq Insight Manager and selecting the "Web Device List" button on the toolbar. This will display a list of systems being managed by Compaq Insight Manager; the systems on which the web agents are present and enabled are underlined as hyperlinks. To print out a list of only the web devices, select the "Web Devices" hyperlink in the left column so that only web devices are shown, then print the page from your browser. (Note: This list, while helpful, may not be an exhaustive list of the systems with web agents on your network; it represents only systems that are under management, either explicitly or by having been discovered.)
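Pointing a browser at each host's port 2301, as described above, does not scale to a whole subnet. The script below is an added example (not Compaq's code) that performs the same check from a list of hosts: it probes the advisory's two ports, records which ones answer HTTP, and flags those for review against the version matrix at the end of this document. The sample addresses, the timeout and the thread count are assumptions; the page does not describe the agent's version string, so the script does not try to parse it.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

WEB_AGENT_PORT = 2301  # device management port named in the advisory
CIM_XE_PORT = 280      # Compaq Insight Manager XE port named in the advisory


def classify_reply(raw):
    """Classify the raw bytes returned after sending 'GET / HTTP/1.0'.

    'http'  - an HTTP status line came back, so something serves web pages here
    'other' - bytes came back but they are not HTTP
    'none'  - the port accepted the connection but sent nothing
    """
    if not raw:
        return "none"
    words = raw.split(b"\r\n", 1)[0].split()
    if len(words) >= 2 and words[0].startswith(b"HTTP/") and words[1].isdigit():
        return "http"
    return "other"


def _read_reply(sock, limit=4096):
    """Read until EOF, timeout or `limit` bytes; the full home page is not needed."""
    chunks, total = [], 0
    while total < limit:
        try:
            data = sock.recv(1024)
        except socket.timeout:
            break
        if not data:
            break
        chunks.append(data)
        total += len(data)
    return b"".join(chunks)


def probe(host, port=WEB_AGENT_PORT, timeout=3.0):
    """Return 'closed', 'none', 'other' or 'http' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return classify_reply(_read_reply(sock))
    except OSError:  # refused, unreachable or timed out while connecting
        return "closed"


def inventory(hosts, ports=(WEB_AGENT_PORT, CIM_XE_PORT), workers=16):
    """Probe every host on every port in parallel; returns {(host, port): state}."""
    jobs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(jobs, pool.map(lambda hp: probe(*hp), jobs)))


if __name__ == "__main__":
    # constructed sample addresses (RFC 5737 test range); replace with hosts you manage
    for (host, port), state in sorted(inventory(["192.0.2.10", "192.0.2.11"]).items()):
        flag = "  <-- review against the version matrix" if state == "http" else ""
        print(f"{host}:{port} {state}{flag}")
```

A host reported as "http" on 2301 is running some web service on the device management port and should be checked with a browser as the advisory describes; "other" on 280 is expected where a different service happens to use that port.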

Fixes have been identified for both issues and are currently undergoing testing and verification. Compaq recommends that as soon as they are released you apply the appropriate SoftPAQ, Compaq's method of releasing software and firmware.

If for any reason you cannot wait until the fix is released, Compaq recommends that you temporarily disable the web component of the agents on any vulnerable systems. The procedure is very simple and is below in a section titled "Disabling the Web-Enabled Agents".

As an additional precaution, check that the firewall or proxy protecting your corporate network from the Internet disallows access to any unnecessary IP port. This includes port 2301 (device management port) and port 280 (Compaq Insight Manager XE port), and is part of a sound security policy for your network.

We recommend registering for Compaq InfoMessenger (www.compaq.com/infomessenger) and adding a Systems Management Products profile. This will update you via an optional email and a personalized home page of any new postings to the Systems Management section of compaq.com.

Obtaining Support on this Issue

Your normal process for obtaining support on Compaq products should be pursued for the country that you are in. If you do not have an already established support process, you may find information about support by visiting the Compaq Web site for your country. You can find that Web site by picking your country from the list at http://www.compaq.com/worldwide/.

You may also find a support number for your locale from the table at http://www.compaq.com/corporate/overview/world_offices.html. Support issues should be limited to:

  1. Identifying if you have an affected release.
  2. Obtaining the appropriate SoftPAQ when it is available.
  3. Applying and running the SoftPAQ.

Compaq support personnel are aware of the issues and the fixes and are well versed in our systems management products.

More Information

The most up-to-date information will be posted as it becomes available on the Compaq World Wide Web site at www.compaq.com/sysmanage, which takes you directly to the Systems Management section. Compaq also recommends the following resources regarding security:

  • Compaq Enterprise Security Framework White Paper
  • Virtual Private Network Solutions
  • Security

Version/Platform/Operating System Matrix
Agent/Utility | Platform | Operating System | Agent Version Affected | Agent Version Fixed
Compaq Server Management Agents | ProLiant and Prosignia servers | Windows NT | 4.23, 4.22, 4.21, 4.20c, 4.20b, 4.20a, 4.1, 4.01, 4.0 | 4.23b
Compaq Server Management Agents | ProLiant and Prosignia servers | NetWare | 4.23, 4.21, 4.20b, 4.20, 4.10, 4.01 | 4.23b
Compaq Server Management Agents | AlphaServers | Windows NT | 4.0 | 4.0 (with patch)
Compaq Server Management Agents | AlphaServers | Tru64 Unix | (included in OS versions 4.0F and later) | Patched with im_upd06991.tar.Z
Compaq Server Management Agents | DIGITAL Prioris (Intel) Servers | Windows NT & NetWare | 4.0 | 4.0 (with patch)
Compaq Survey Utility (when installed as an agent) | ProLiant and Prosignia servers | Windows NT | 2.17, 2.16, 2.14, 2.12, 2.1, 2.08, 2.06, 2.04, 2.02, 2.0 | 2.18
Compaq Survey Utility (when installed as an agent) | ProLiant and Prosignia servers | NetWare | 2.17, 2.16, 2.14, 2.12, 2.1, 2.08, 2.06, 2.04, 2.02, 2.0 | 2.18
Compaq Intelligent Cluster Administrator | Compaq Cluster Kits | Microsoft Cluster Server (Windows NT) | 1.0 | 1.0 (with patch)
Compaq Client Management Agents | Deskpro, Armada and Professional Workstations AP200 and SP700 | Windows NT Workstation, Windows 9x | 3.70 or later | 4.20B
Compaq Management Agents for Workstations | Professional Workstations AP200, AP400, AP500, SP700 | Windows NT | 4.20A | 4.20B
Compaq Insight Management Agents | Professional Workstations AP200, AP400, AP500, SP700 | Windows NT | 4.30A | 4.30B
Compaq Insight Management Agents | Professional Workstations 5000, 5100, AP400 | Windows NT | 4.21A | 4.21A (with patch)
Compaq Insight Management Agents | Professional Workstations 5000, 5100, 6000, 8000, AP400 | Windows NT | 4.22A | 4.22A (with patch)

Disabling the Web-Enabled Agents

If you are unable to wait for the fix to become available, you can use the following procedures to disable the web component of the agents. It is not necessary in most cases to disable the entire agent, only the web component.

Windows NT Server
Web-Based Management is enabled, by default, when you install the Compaq Server Management Agents for Windows NT. Perform the following steps to disable Web-Based Management. (Note: if you disable the web-enabled Compaq Server Management Agent, then you will not be able to view Windows NT Operating System Parameters that became a feature with the 4.22 agents.)

  1. From the START menu, select SETTINGS, then CONTROL PANEL.
  2. From the CONTROL PANEL, select and run the SERVICES applet.
  3. Select INSIGHT WEB AGENT from the list of services.
  4. If it is running, click the button marked STOP.
  5. To prevent it from automatically starting again, click STARTUP and then select MANUAL.
  6. Click OK.
  7. Click CLOSE.

This will stop the web agent and prevent it from starting automatically. Normal management via SNMP is still possible.

NetWare Server
If you chose to enable Web-Based Management when you installed the Server Agents for NetWare and would later like to disable it, perform the following steps from the NetWare server console:

  1. LOAD CPQAGIN.
  2. Select the option "Configure Existing NetWare Agents".
  3. Select the line that mentions the load of CPQWEBAG and select NO.
  4. Save changes and exit out of CPQAGIN.

This prevents the web-enabled agents from loading. Normal SNMP management is still possible.

Uninstalling Web-enabled Desktop Agent from a Windows 9x/NT system

  1. From the START menu, select SETTINGS, then CONTROL PANEL.
  2. From the CONTROL PANEL, select ADD/REMOVE PROGRAMS.
  3. In the INSTALL/UNINSTALL tab, select "Compaq Insight Management Web Agent".
  4. Click the ADD/REMOVE button to remove the agent.

Uninstalling Web-enabled Agent from Tru64 UNIX
The following procedure must be performed when the system is up and running:

  1. Log in as root.
  2. Enter the following command at the '#' prompt: /sbin/init.d/insightd stop

COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED ON THIS SERVER FOR ANY PURPOSE. ALL SUCH DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND AND ARE SUBJECT TO CHANGE WITHOUT NOTICE. THE ENTIRE RISK ARISING OUT OF THEIR USE REMAINS WITH THE RECIPIENT. IN NO EVENT SHALL COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR OTHER DAMAGES WHATSOEVER (INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION), EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
