CERT Coordination Center

Compaq Insight Manager XE buffer overflow in SNMP and DMI functionality

Vulnerability Note VU#908611

Original Release Date: 2001-11-19 | Last Revised: 2001-11-19

Overview

The Compaq web-enabled management software contains a buffer overflow in the SNMP and DMI functionality. Remote intruders may be able to execute arbitrary code with privileges on affected systems. All versions of Compaq Insight Manager XE are affected, but the Compaq Insight Manager Windows console and Compaq Management agents are not affected.

Description

There is a buffer overflow in the SNMP and DMI functionality of the Compaq Insight Manager XE product.

Compaq has produced a security advisory describing this problem at

http://www.compaq.com/products/servers/management/mgtsw-advisory.html

Impact

A remote attacker may be able to execute arbitrary code with privileges on systems running the vulnerable software.

Solution

Apply a Patch


Apply a patch from your vendor. Compaq security advisory SSRT0766 provides information about the patches that correct this problem.

Disable the Web-Enabled Management Software

You can prevent this vulnerability from being exploited by disabling the web-enabled management software.

Block Ports 2301 and 280 at Your Perimeter

Port 2301 (the device management port) is the port used to access the vulnerable code. Blocking access to this port from untrusted sources may reduce the risk of exploitation. You may also wish to block port 280 (the Compaq Insight Manager XE port).
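
One way to confirm that the block is in place, as an added example that is not part of the CERT/CC note or Compaq's advisory: run this from a host outside the perimeter against your own management hosts. The function names and the host list passed on the command line are assumptions of this example.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports named in this note: 2301 (device management) and 280 (Insight Manager XE).
MANAGEMENT_PORTS = (2301, 280)


def port_reachable(host, port, timeout=2.0):
    """Return True only if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout), unreachable or unresolvable: not reachable.
        return False


def audit_hosts(hosts, ports=MANAGEMENT_PORTS, timeout=2.0, workers=16):
    """Map each host to the sorted list of ports that still accept connections."""
    pairs = [(h, p) for h in hosts for p in ports]
    exposed = {h: [] for h in hosts}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda hp: port_reachable(hp[0], hp[1], timeout), pairs)
        for (host, port), ok in zip(pairs, results):
            if ok:
                exposed[host].append(port)
    return {h: sorted(ps) for h, ps in exposed.items()}


def exposed_only(report):
    """Keep only the hosts with at least one reachable management port."""
    return {h: ps for h, ps in report.items() if ps}


if __name__ == "__main__":
    # Usage: python check_ports.py host1 host2 ...  (hosts you administer)
    report = audit_hosts(sys.argv[1:])
    for host, ports in report.items():
        status = "EXPOSED " + ",".join(map(str, ports)) if ports else "blocked"
        print(f"{host}: {status}")
    # Non-zero exit lets a scheduled job alert when the filter regresses.
    sys.exit(1 if exposed_only(report) else 0)
```

A "blocked" result from one vantage point only shows that the path from that network is filtered; repeat the check from each untrusted segment the perimeter is meant to cover.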

Vendor Information


Compaq Computer Corporation Affected

Updated:  November 19, 2001

Status

Affected

Vendor Statement

A security advisory describing this issue is available from Compaq at:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has archived a PGP signed copy of the Compaq security advisory below.


Acknowledgements

The CERT/CC thanks Compaq for their advisory on this topic.

This document was written by Cory F. Cohen.

Other Information

CVE IDs: None
Severity Metric: 7.48
Date Public: 2001-10-30
Date First Published: 2001-11-19
Date Last Updated: 2001-11-19 20:45 UTC
Document Revision: 11

Sponsored by CISA.