OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Martin O'Neal (BugTraqcorsaire.com)
Date: Thu May 10 2001 - 04:25:29 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -- Corsaire Limited Security Advisory --

    Title: Symantec/Axent NetProwler 3.5.x password restrictions
    Date: 17.03.01
    Application: Symantec/Axent NetProwler 3.5.x
    Environment: WinNT
    Author: Martin O'Neal [martin.onealcorsaire.com]
    Audience: General distribution

    -- Scope --

    The aim of this document is to clearly define some potentially unsound
    password practises within the NetProwler application environment as
    provided by Symantec/Axent [1].

    -- History --

    Vendor notified: 21.03.01
    Document released: 09.05.01

    -- Overview --

    The latest version of the NetProwler intrusion detection product comes as
    a three-tiered architecture, consisting of agents, a management component,
    and a console. Access between the components is achieved via channels that
    are protected by passwords, which have several weak defaults and unnecessary
    restrictions.

    -- Analysis --

    The default password chosen to restrict access to the management tier is
    "admin", which apart from being weak, is not required to be changed during
    the install process (the documentation does recommend changing this, but in
    the real world this might potentially be overlooked).

    The password entered into the agent tier must be within 8-16 characters
    long, and does not seem to be restricted as to which keyboard characters are
    entered. The manager component needs to connect to the agent as part of its
    normal operation, and to achieve this, the agent password must be entered.
    However, the manager interface unnecessarily restricts the use of the
    |"\':*?<> characters, reducing the potential keyspace available and making
    the task of brute forcing passwords easier.

    The management component itself is connected to a local MySQL database via
    ODBC. The passwords for these connections are by default blank (again, the
    documentation does recommend changing this, but in the real world this might
    potentially be overlooked).

    -- Recommendations --

    As many of us have seen in the flesh, installations are often carried out
    with default values. Sometimes with the intention of going back and doing it
    'properly' when the opportunity arises (though this might not happen for
    some time, if ever).

    Manufacturers can help this situation by enforcing good security practise at
    installation time. Requiring strong passwords, and selecting good default
    values for critical metrics.

    In this particular circumstance; follow the recommendations in the
    documentation and change the passwords!

    -- References --

    [1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=
        50&PID=3061537

    -- Revision --

    Initial release.

    Copyright 2001 Corsaire Limited. All rights reserved.

    ----------------------------------------------------------------------
    CONFIDENTIALITY: This e-mail and any files transmitted with it are
    confidential and intended solely for the use of the recipient(s) only.
    Any review, retransmission, dissemination or other use of, or taking
    any action in reliance upon this information by persons or entities
    other than the intended recipient(s) is prohibited. If you have
    received this e-mail in error please notify the sender immediately
    and destroy the material whether stored on a computer or otherwise.
    ----------------------------------------------------------------------
    DISCLAIMER: Any views or opinions presented within this e-mail are
    solely those of the author and do not necessarily represent those
    of Corsaire Limited, unless otherwise specifically stated.
    ----------------------------------------------------------------------

    Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey GU23 7EF
    Telephone:+44(0)1483-226000 Email:infocorsaire.com