Hewlett-Packard Co. issued an advisory Monday warning customers of several new flaws in its OpenView Network Node Manager, which is used to remotely map a company's physical network infrastructure in order to adjust availability and performance.
HP said the vulnerabilities could open the network to attackers, allowing them to remotely execute arbitrary code and gain access to sensitive information. The flaws affect OpenView Network Node Manager v7.01, v7.51 and v7.53 running on HP-UX, Linux, Solaris and Windows. To exploit the errors, attackers can send malicious HTTP requests to HP OpenView's Web server component, HP said in its advisory.
The flaws were discovered by Oren Isacson of Core Security Technologies Inc. It's the second time in two months that HP has issued an update to correct errors in the software. Core's Isacson reviewed flaws addressed by HP in February and discovered two new holes as well as a third flaw that was exploitable despite HP's patch. Core said the flaw could affect millions of organizations using HP's OpenView systems and network management software.
The software contains an error discovered by Danish vulnerability clearinghouse Secunia that could be exploited to cause a buffer overflow condition. In addition, Core said it discovered two heap-based buffer overflows.
HP released archive files to repair the vulnerabilities.