
Re: Default username/password pairs in ON Command CCM 5.x database backend, Sep 20 2004 2:24PM

Reference: 
http://www.securityfocus.com/archive/1/375760/2004-09-19/2004-09-25/0
On Sep 20 2004, Jonas Olsson posted:

Security advisory
=================
Advisory name: Default username/password pairs in ON Command CCM 5.x
                        database backend
Release date:  2004-09-20
Application:   ON Command CCM 5.x
Platform:      Linux, Solaris, Windows
Severity:      An intruder can gain access to all administrator
               passwords and other sensitive data for managed systems
Author:        Jonas Olsson <jonas takeit se>


Summary
-------
Four default username/password pairs are present in the Sybase
database backend used by ON Command CCM 5.x servers. One of the
username/password pairs is publicly available in a knowledgebase
article at ON Technology's web site.

The database accounts can be used to read and modify all data in the
CCM database. The database contains among other things usernames and
passwords for administrative accounts for all managed workstations and
servers. In a default CCM installation the Sybase database server is
reachable from the network on the standard Sybase database port.

Two of the database account passwords are extremely easy to guess.


Vendor information
------------------
---------------------------------------snip-----------------------------

Symantec Product Security Response:

Symantec Security Advisory

SYM04-014

29 September, 2004 

Symantec ON Command CCM/ON iCommand Default Passwords Can Provide
Unauthorized Access

Revision History
None 

Risk Impact
High (heavily dependent on environment)

Overview
Symantec resolved an unencrypted default password issue reported in
Symantec's ON Command CCM and ON iCommand configuration servers. A
malicious user who has privileged local access to the system that hosts
the server can potentially gain access to administrative information and
sensitive management/configuration data. An unauthorized user who has
remote access to the network could potentially gather administrative
information that could be leveraged for additional system access to the
server and potentially to other systems being managed.

Affected Components
Symantec ON Command CCM 5.4.x (Windows, Solaris, HP-UX, Linux)
Symantec ON iCommand 3.0.x (Windows)

Details
A posting to the SecurityFocus bugtraq list identified an issue with
unencrypted default database account information that is accessible on
the Symantec ON Command CCM and Symantec ON iCommand software management
solutions. Administrative access and database management information is
provided by default on the management server. A user with privileged
local access to the system that hosts the management server could gain
administrative access to the database and gather sensitive data
concerning the systems that are being managed from that host. An
unauthorized user with network access could potentially capture the
login system calls from the server and leverage additional unauthorized
access to the management server database. Unauthorized access could
allow the attacker to collect additional sensitive information or to
alter configuration information on managed systems.

Symantec Response
Symantec confirmed the issues reported by Jonas Olsson above and has
developed solutions to resolve them.

Symantec has released a patch for all affected products that removes any
default passwords and provides strong administrative password management
including change control and encryption.

Symantec strongly recommends that customers apply the appropriate patch
for their affected product versions immediately to protect against these
types of threats.

Product patches are available on the Symantec Enterprise Support site
http://www.symantec.com/techsupp.

Symantec is not aware of any active attempts against or organizations
impacted by the issues.

Mitigation
While this has potential to be a serious vulnerability, there are
mitigating circumstances that greatly reduce the risk of intentional
exploitation attempts:

To gain local access to the server information, a user must have a user
account on the targeted system and be logged on interactively.

The server's default database port can be firewalled locally on the
Symantec ON Command CCM server, denying access to network requests.

Access to management servers should normally be restricted to trusted
Administrators only with restricted access to the physical systems.

CVE
CVE candidate numbers are being requested from The Common Vulnerabilities
and Exposures (CVE) initiative. This advisory will be revised as required
once CVE candidate numbers have been assigned. This issue is a candidate
for inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

Symantec Product Security Contact:
Symantec takes the security and proper functionality of its products very
seriously. As founding members in the Organization for Internet Safety,
Symantec follows the process of responsible disclosure. Symantec also
subscribes to the vulnerability guidelines outlined by the National
Infrastructure Advisory Council (NIAC). Please contact secure@xxxxxxxxxxxx
if you feel you have discovered a potential or actual security issue with
a Symantec product.

Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@xxxxxxxxxxxxx  The Symantec Product
Security PGP key can be obtained here.

Symantec's formal Product Security Advisory for this issue can be found
online at
http://securityresponse.symantec.com/avcenter/security/SymantecAdvisories.html

--------------------------------------------------------------------------------

Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or parts of this alert in any medium other than
electronically requires permission from secure@xxxxxxxxxxxxx

Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author nor
the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.

Symantec, Symantec products, and secure@xxxxxxxxxxxx are registered
trademarks of Symantec Corp. and/or affiliated companies in the United
States and other countries. All other registered and unregistered
trademarks represented in this document are the sole property of their
respective companies/owners.

Symantec Product Security Team
Symantec takes the security of our products seriously and is a responsible
disclosure company. You can view our response policies at
http://www.symantec.com/security.
We will work directly with anyone who believes they have found a security
issue in a Symantec product to validate the problem and coordinate any
response deemed necessary.

Please contact secure@xxxxxxxxxxxx concerning security issues with 
Symantec products.
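The mitigation above ("the server's default database port can be firewalled locally, denying access to network requests") is the one a site can apply before the patch lands. As an added example for this thread, not code from Symantec or from the advisory author, the following script checks whether the backend database listener is bound to a network-reachable address and emits host-firewall rules that keep loopback access, allow an allowlist of management hosts, and drop every other network request. It assumes a Sybase listener on TCP 5000 (the usual Sybase ASE default; the advisory only says "standard Sybase database port", so adjust to your site), an iptables host firewall, and the `ss -Hltn` output below, which is constructed sample data rather than a capture from a real CCM server.

```python
"""Audit exposure of the CCM backend database port and generate iptables
rules that restrict it to trusted management hosts.

Added example for this thread, not Symantec's or the advisory author's code.
Assumptions (not stated in the advisory): Sybase listens on TCP 5000, the
host uses iptables, and SAMPLE_SS_OUTPUT is constructed sample data.
"""
import ipaddress
import re
from typing import List, Tuple

DB_PORT = 5000  # assumed Sybase listener port; site-specific, not from the advisory

# Constructed sample of `ss -Hltn` output: the DB port bound to all
# interfaces (exposed), a loopback-only service, and SSH on all interfaces.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:5000       0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
"""

# Columns: state recv-q send-q local-address:port peer-address:port
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+$")


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for each LISTEN line. IPv6 brackets and
    scope suffixes such as %eth0 are stripped from the address."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if not m:
            continue  # header lines or non-listening sockets
        addr = m.group(1).strip("[]").split("%", 1)[0]
        listeners.append((addr, int(m.group(2))))
    return listeners


def is_network_reachable(addr: str) -> bool:
    """True if a socket bound to `addr` accepts connections from other hosts."""
    if addr in ("*", "0.0.0.0", "::"):
        return True  # wildcard bind: every interface
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised form: fail closed and report it


def exposed_db_listeners(ss_output: str, db_port: int = DB_PORT) -> List[str]:
    """Addresses on which the database port is reachable from the network."""
    return [addr for addr, port in parse_listeners(ss_output)
            if port == db_port and is_network_reachable(addr)]


def firewall_rules(allowed_hosts: List[str], db_port: int = DB_PORT) -> List[str]:
    """iptables rules: keep loopback access to the DB port (the CCM server's
    own processes), allow the named management hosts/networks, drop the rest."""
    rules = [f"iptables -A INPUT -i lo -p tcp --dport {db_port} -j ACCEPT"]
    for host in allowed_hosts:
        ipaddress.ip_network(host, strict=False)  # reject malformed entries early
        rules.append(f"iptables -A INPUT -p tcp --dport {db_port} -s {host} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {db_port} -j DROP")
    return rules


if __name__ == "__main__":
    exposed = exposed_db_listeners(SAMPLE_SS_OUTPUT)
    print("DB port reachable on:", exposed or "nothing (loopback only)")
    if exposed:
        # 10.0.0.5 and 10.0.1.0/24 are placeholder management addresses.
        print("\n".join(firewall_rules(["10.0.0.5", "10.0.1.0/24"])))
```

Run it against live output with `ss -Hltn | python3 audit.py` after swapping `SAMPLE_SS_OUTPUT` for `sys.stdin.read()`; an empty result from `exposed_db_listeners` means the listener is already loopback-only and the firewall rules are belt-and-braces. The rules are ordered deliberately: loopback and allowlist ACCEPTs before the final DROP, so the local CCM processes and trusted administrators keep working while everything else on the network is refused.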