

SECURITY ADVISORY - SSRT0766

Compaq Insight Manager XE Software Security Vulnerability

Date Posted: September, 2001
Reference SSRT0758

Summary
Compaq Management Software products undergo rigorous quality assurance processes to ensure that they meet the highest possible standards for security, reliability and usability. In line with this commitment, Compaq recently uncovered a potential buffer overflow security vulnerability in its SNMP and DMI support within Compaq Insight Manager XE. This vulnerability has the potential to enable unauthorized users to execute code at an administrator level through the exploitation of a buffer overflow. Compaq has addressed this issue with version 2.1c of Compaq Insight Manager XE and the recently announced Compaq Insight Manager 7. Compaq strongly recommends that customers upgrade to version 2.1c or Compaq Insight Manager 7.

Compaq strongly recommends that management agents and Compaq Insight Manager XE be deployed only on private networks and not used on the open Internet or on systems outside the bounds of the firewall. The implementation of sound security practices, which includes disabling external access to Compaq management ports, should help protect customers from external malicious attacks. Compaq also recommends that strong password standards are used and that passwords are changed regularly.

Scope of the Problem
All versions of Compaq Insight Manager XE are affected. This issue does NOT affect the Compaq Insight Manager Windows console or any of the Compaq Management Agents.
What Compaq Is Doing
Compaq is currently completing the testing and release of Compaq Insight Manager v2.1c. Compaq Insight Manager v2.1c is a patch for v2.1b that addresses this issue and is available for download from: ftp://ftp.compaq.com/pub/softpaq/
SoftPaq SP 17982
The softpaq contains updated DLLs to address this issue and must be applied to Compaq Insight Manager v2.1b.
Compaq Insight Manager 7
The initial release of Compaq Insight Manager 7 will be available from the Compaq Management CD v5.3 available in November 2001.
What Customers Should Do?
How do I obtain the updated Compaq Management Software?
Updated software will be made available on the web through the system software download site (http://www.compaq.com/support/files/server/) and will also be proactively delivered directly to customers who have installed Compaq ActiveUpdate. Compaq recommends registering for the ActiveUpdate service, which is available at the following URL: http://www.compaq.com/activeupdate.

Determine the version of Compaq Insight Manager XE that is running.

If running Compaq Insight Manager 2.1b, download SP17982 from Compaq's Web site and run SP17982.exe to apply the v2.1c update.

If running Compaq Insight Manager 2.0 or 2.1, the system must first be updated to version 2.1b. To update to Compaq Insight Manager 2.1b, download SP16342 from Compaq's Web site and run SP16342.exe to update to v2.1b, or obtain Compaq Insight Manager v2.1b from the Compaq Management CD v5.10 or later. After 2.1b is installed, download SP17982 from Compaq's Web site and run SP17982.exe to apply the 2.1c update.

If running Compaq Insight Manager version 1.x, the system must first be updated to version 2.1b before applying this patch.

This can be accomplished in 2 ways:

  1. Obtain Compaq Management CD v5.10 or later and install Compaq Insight Manager XE v2.1b from the CD.
  2. Download SP14413.exe from Compaq's Web site and run SP14413.exe to install Compaq Insight Manager v2.1.
Once this is installed, download SP16342 from Compaq's Web site and run SP16342.exe to update the system to v2.1b. Once this is installed, download SP17982 from Compaq's Web site and run SP17982.exe to apply the v2.1c update.
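
The update order above, worked through for a small inventory. This is an added example, not Compaq code: the SoftPaq names and their order come from the advisory, while the function names, host names and reported version strings are constructed for illustration.

```python
import re

# Update steps stated in the advisory: installed version -> (SoftPaq, resulting version).
STEPS = {
    "1.x": ("SP14413", "2.1"),
    "2.0": ("SP16342", "2.1b"),
    "2.1": ("SP16342", "2.1b"),
    "2.1b": ("SP17982", "2.1c"),
}
FIXED = {"2.1c", "7"}  # releases the advisory names as addressing the issue
CD_STEP = "Compaq Management CD v5.10 or later: install v2.1b"

def normalize(raw):
    """Map a reported version string to a key above, or None if unrecognized."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+|x))?([a-z]?)", raw.strip().lower())
    if not m:
        return None
    major, minor, suffix = m.groups()
    if major in ("1", "7"):
        return "1.x" if major == "1" else "7"
    key = f"{major}.{minor}{suffix}"  # keeps 2.1, 2.1b and 2.1c distinct
    return key if key in STEPS or key in FIXED else None

def plan(raw, use_cd=False):
    """Ordered update steps for one installed version; None if unrecognized."""
    version = normalize(raw)
    if version is None:
        return None
    steps = []
    while version not in FIXED:
        if use_cd and version != "2.1b":
            steps.append(CD_STEP)  # the CD installs v2.1b directly
            version = "2.1b"
            continue
        softpaq, version = STEPS[version]
        steps.append(f"{softpaq}.exe")
    return steps

def triage(inventory):
    """Plan every host; a None plan means the version needs manual review."""
    return {host: plan(raw) for host, raw in inventory.items()}

# Constructed inventory (host names and version strings are made up).
SAMPLE = {"mgmt-01": "1.2", "mgmt-02": "v2.1", "mgmt-03": "2.1B", "mgmt-04": "7", "mgmt-05": "2.x"}

if __name__ == "__main__":
    for host, steps in triage(SAMPLE).items():
        print(host, "->", "manual review" if steps is None else " then ".join(steps) or "already fixed")
```

An empty plan means the host already runs a fixed release; a plan of None means the reported string did not match any version the advisory covers and should be checked by hand.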
Obtaining Support on this Issue
The normal process for obtaining support on Compaq products is pursued in the country of residence. If you do not have an established support process, you may find information about support by visiting the Compaq web site for your country. You can find that web site by picking your country from the list at http://www.compaq.com/worldwide/. You may also find a support number for your locale from the table at http://www.compaq.com/corporate/overview/world_offices.html

Support can help you to:

  1. Identify if you have an affected version.
  2. Obtain the appropriate SoftPaq when it is available.
  3. Apply and run the SoftPaq.
Compaq support personnel are aware of the issues and the fixes and are well versed in Compaq systems management products.


COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED ON THIS SERVER FOR ANY PURPOSE. ALL SUCH DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND AND ARE SUBJECT TO CHANGE WITHOUT NOTICE. THE ENTIRE RISK ARISING OUT OF THEIR USE REMAINS WITH THE RECIPIENT. IN NO EVENT SHALL COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR OTHER DAMAGES WHATSOEVER (INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION), EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.




