Critical HP OpenView flaws discovered

A security firm has warned it has discovered critical flaws in HP's OpenView Network Node Manager (NNM) that could be used to compromise mission-critical servers within an organisation using the software.

The warning has been given a high priority by Core Security Technologies, after engineers from its research arm CoreLabs determined that a trio of vulnerabilities in OpenView's NNM could be exploited remotely via buffer overflows.

It said attackers would need to send specially crafted HTTP requests to HP OpenView's web server component to execute arbitrary code on the target system.

HP OpenView NNM provides remote network system event and performance monitoring. CoreLabs discovered the three new flaws while investigating an HP-issued security patch meant to address other flaws previously reported by security firm Secunia.

The Core research lab issued an advisory and alerted HP's Software Security Response Team, so a patch could be created and made available to protect users of the programme against potential exploits.

It said it was important that enterprises running NNM patched their systems immediately, particularly as it is one of the most widely deployed remote network management technologies used throughout enterprise IT organisations today.

Ivan Arce, chief technology officer at Core Security, said: "While remote network management technologies offer substantial value in terms of allowing organisations to maintain constant vigilance and control over their networks, the flipside is that attackers can potentially use available vulnerabilities in these systems to wreak havoc on internal infrastructure."

Arce was also critical of the lack of technical information made available by both software and vulnerability research vendors about the specifics of vulnerabilities in their security advisories, given that Core had to disentangle undiscovered flaws from those already flagged by Secunia and patched by HP.

"Many bulletins and publications only generate additional confusion among researchers who are attempting to dig deeper into the reported problems in order to assess risk more precisely," said Arce. "This has become a consistent, systematic problem that makes it very hard for subsequent researchers to differentiate one bug from another using data from publicly available security advisories."

Miya Knights

A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.

Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.