
Preemptive Protection against HP OpenView Network Node Manager snmpviewer.exe Host Header Buffer Overflow


Check Point Reference: CPAI-2009-310
Date Published:
Preemptive Since:
Severity:
Source: Secunia Advisory: SA37665
Industry Reference(s): CVE-2009-4180
Protection Provided by:
Security Gateway
  • R70
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
HP OpenView Network Node Manager (OV NNM) 7.01
HP OpenView Network Node Manager (OV NNM) 7.51
HP OpenView Network Node Manager (OV NNM) 7.53
Vulnerability Description
A buffer overflow vulnerability exists in the HP OpenView Network Node Manager (NNM) CGI program snmpviewer.exe. The vulnerability is due to a boundary error when processing the Host header from HTTP requests. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to a target server, potentially causing arbitrary code injection and execution. 
Update/Patch Available
HP has released an advisory addressing this vulnerability:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877
Vulnerability Details
HP OpenView Network Node Manager (NNM) supplies several CGI applications that provide a management interface for the NNM server. The vulnerability is caused by insufficient boundary checking when handling the Host HTTP header.

Protection Overview

Security Gateway R70 and IPS-1 will detect and block HTTP requests with Host headers that are longer than 128 bytes. No update is required to address this vulnerability.
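
The same length check can be run over captured requests when reviewing traffic. The following is an added example, not Check Point's implementation: it assumes the 128-byte limit applies to the Host header value, and the function names and sample request are constructed for illustration.

```python
MAX_HOST_LEN = 128  # limit given in the advisory


def host_header_values(raw_request: bytes) -> list:
    """Return every Host header value in the head of a raw HTTP request."""
    # Only the header section counts; a body that contains "Host:" is ignored.
    head = raw_request.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    headers = []  # [name, value] pairs, folded lines merged
    for line in head.split(b"\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t") and headers:
            # Folded continuation line: it extends the previous header, so a
            # long value split across lines is still measured as one value.
            headers[-1][1] += b" " + line.strip(b" \t")
            continue
        name, sep, value = line.partition(b":")
        if sep:
            # Header names are case-insensitive.
            headers.append([name.strip().lower(), value.strip(b" \t")])
    return [value.strip(b" \t") for name, value in headers if name == b"host"]


def verdict(raw_request: bytes, limit: int = MAX_HOST_LEN) -> str:
    """'block' if any Host value exceeds the limit, otherwise 'allow'."""
    values = host_header_values(raw_request)
    return "block" if any(len(v) > limit for v in values) else "allow"


def build(host: bytes) -> bytes:
    """Constructed sample request used to exercise the check."""
    return b"GET / HTTP/1.1\r\nHost: " + host + b"\r\nAccept: */*\r\n\r\n"


if __name__ == "__main__":
    for sample in (b"nnm.example.test", b"A" * 128, b"A" * 129):
        print(len(sample), verdict(build(sample)))
```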

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?

1. In the IPS tab, click Protections > By Protocol > Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the HTTP Format Sizes window, under Main Action, change the Override IPS Policy with setting from Inactive to Prevent.
3. In the Additional Settings pane, under Specific Length Settings, click Add; the Header Length Settings window opens.
4. In the Header Length Settings window, enter the following, then click OK:
   Header Name: Host
   Header Max Length: 128
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the Strict Compliance protection group.
3. Click Host: HTTP request line too long (IPS-1 NGX R65 only).
4. Update the value 'Maximum length of the Host: value in an HTTP request's headers' to 128 (the default is 255).
5. In the configuration pane, under Settings, check Active.
6. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: HTTP Compliance
Description: Host: HTTP request line too long