Critical vulnerabilities have been found in HP's OpenView product, which could potentially affect millions of organisations currently using the systems and network management software.

According to an advisory from Core Security Technologies, an engineer at its research arm (CoreLabs) discovered the problem while investigating the feasibility of exploiting a set of previously disclosed vulnerabilities in HP OpenView Network Node Manager (NNM) by researchers at Secunia.

HP OpenView NNM is widely used by network managers to monitor physical networks, virtual network services and the relationships between those assets, across the enterprise. Specifically, NNM helps administrators identify, diagnose and predict potential problems before they affect network performance and availability.

HP believed it had addressed Secunia vulnerabilities in a subsequent security advisory (c01661610), but CoreLabs researchers discovered two additional, unreported buffer overflow vulnerabilities in the product, and immediately alerted HP's Software Security Response Team.

Core's researchers also found during their reviews that one of the previously reported buffer overflow issues in OpenView NNM could still be exploited, even when HP's security patch designed to fix the problem was applied.

Specifically, CoreLabs found that OpenView NNM versions 7.51 and 7.53, and version 7.53 with the HP security patch applied, all contained the three reported vulnerabilities. CoreLabs concluded that the two heap-based buffer overflows reported "were newly discovered vulnerabilities because the issues were not fixed with the latest security patch and were not mentioned in any existing advisories published by HP."

In the case of the third OpenView NNM vulnerability, which was first reported by Secunia and was addressed by HP in its advisory, CoreLabs researchers found that they were still able to successfully exploit the issue and create proof of concept code for doing so, even with the latest patch in place.

"We discovered additional ways to use existing flaws," said Fred Pinkett, VP of product management at Core Security. "In addition, we discovered a new flaw to take over the management console (NNM)."

Successful exploitation of the vulnerabilities requires that attackers send specially crafted HTTP requests to HP OpenView's web server component to execute arbitrary code on the target system.

"They (HP) took it fairly seriously," Pinkett told Techworld. "If you look at timeframe, their initial reaction was "we thought it was fixed, can you prove it to us?" We demo'ed the flaws to them and they then accepted it and from then on worked with us to fix it."

On 7 January, Secunia published its advisory about HP OpenView NNM. HP then released a patch on 20 January, but Core notified HP of the flaws on 22 January. A week later on 28 January, HP told Core that the vulnerability couldn't exist when patch was installed and asked for confirmation. Core demonstrated the problem to HP on 29 January and HP admitted the flaw. It subsequently published its patch on Monday 23 March.

"HP's response was fairly typical," Pinkett said. "It was the 'we already fixed it' response, which is natural reaction so I can understand it. But they came around quickly when we demonstrated the problem to them."

"The concern from our viewpoint is that a flaw was found in the security console, and one of the lessons must be to take extra care with this type of software." Pinkett agreed that if a hacker could over the machine running the management console, the potential could have been fairly catastrophic.

HP did not respond to an interview request at the time of writing.