
Preemptive Protection against HP OpenView Network Node Manager webappmon.exe execvp_nc Buffer Overflow


Check Point Reference: CPAI-2010-144
Date Published:
Preemptive Since:
Severity:
Source: Secunia Advisory SA40686
Industry Reference(s): CVE-2010-2703
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
HP OpenView Network Node Manager (OV NNM) 7.51
HP OpenView Network Node Manager (OV NNM) 7.53
Vulnerability Description
A vulnerability has been reported in HP OpenView Network Node Manager (NNM). The vulnerability is due to a boundary error when processing maliciously crafted HTTP requests. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to a target server, potentially resulting in remote code execution.
Update/Patch Available
Vendor's advisory.
Vulnerability Details
The vulnerability is caused by a boundary error within the "execvp_nc()" function in ov.dll when copying strings from an HTTP request using the "strcat_new()" function.
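
The bug class described above (request-supplied strings concatenated into a fixed-size buffer without a length check), shown beside a bounded form, as an added example. This is not code from ov.dll or from the advisory; the function names `join_args_unsafe` and `join_args_bounded` and the buffer size `CMD_MAX` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define CMD_MAX 64  /* assumed buffer size, for illustration only */

/* Unsafe pattern: each strcat() trusts that dst still has room.
 * When args come from a request, a long value writes past dst. */
void join_args_unsafe(char *dst, const char *const *args, size_t n)
{
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (i > 0)
            strcat(dst, " ");
        strcat(dst, args[i]);
    }
}

/* Bounded form: track the bytes used and refuse (rather than
 * truncate) when the joined string would not fit in cap bytes.
 * Returns 0 on success, -1 on rejection with dst set to "". */
int join_args_bounded(char *dst, size_t cap,
                      const char *const *args, size_t n)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t sep = (i > 0) ? 1 : 0;
        size_t len = strlen(args[i]);
        size_t room = cap - used - 1;   /* bytes left before the NUL */
        if (len > room || sep > room - len) {
            dst[0] = '\0';              /* never leave a partial command */
            return -1;
        }
        if (sep)
            dst[used++] = ' ';
        memcpy(dst + used, args[i], len);
        used += len;
        dst[used] = '\0';
    }
    return 0;
}
```

Rejecting the whole input instead of truncating it matters here: a silently shortened argument list would still reach the command being built.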

Protection Overview
The protection detects and blocks HTTP requests to certain components within the HP OpenView server with invalid argument formats.


To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Enterprise Software, and select the HP OpenView Network Node Manager protection group.
3. Click HP OpenView Network Node Manager netmon.exe Stack Buffer Overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: HP OpenView Network Node Manager
Description: HP OpenView Network Node Manager netmon.exe Stack Buffer Overflow