Re: Default username/password pairs in ON Command CCM 5.x database backend, Sep 20 2004 2:24PM
Reference:
http://www.securityfocus.com/archive/1/375760/2004-09-19/2004-09-25/0
On Sep 20 2004, Jonas Olsson posted:
Security advisory
=================
Advisory name: Default username/password pairs in ON Command CCM 5.x
database backend
Release date: 2004-09-20
Application: ON Command CCM 5.x
Platform: Linux, Solaris, Windows
Severity: An intruder can gain access to all administrator
passwords and other sensitive data for managed
systems
Author: Jonas Olsson <jonas takeit se>
Summary
-------
Four default username/password pairs are present in the Sybase
database backend used by ON Command CCM 5.x servers. One of the
username/password pairs is publicly available in a knowledgebase
article at ON Technology's web site.
The database accounts can be used to read and modify all data in the
CCM database. The database contains among other things usernames and
passwords for administrative accounts for all managed workstations and
servers. In a default CCM installation the Sybase database server is
reachable from the network on the standard Sybase database port.
Two of the database account passwords are extremely easy to guess.
Vendor information
------------------
---------------------------------------snip-----------------------------
Symantec Product Security Response:
Symantec Security Advisory
SYM04-014
29 September, 2004
Symantec ON Command CCM/ON iCommand Default Passwords Can Provide
Unauthorized
Access
Revision History
None
Risk Impact
High (heavily dependent on environment)
Overview
Symantec resolved an unencrypted default password issue reported in
Symantec's ON Command CCM
and ON iCommand configuration servers. A malicious user who has privileged
local access to the system
that hosts the server can potentially gain access to administrative
information and sensitive
management/configuration data. An unauthorized user who has remote access
to the network could
potentially gather administrative information that could be leveraged for
additional system access to the
server and potentially to other systems being managed.
Affected Components
Symantec ON Command CCM 5.4.x (Windows, Solaris, HP-UX, Linux)
Symantec ON iCommand 3.0.x (Windows)
Details
A posting, to the SecurityFocus bugtraq list identified an issue with
unencrypted default database account
information that is accessible on the Symantec ON Command CCM and Symantec
ON iCommand
software management solutions. Administrative access and database
management information is
provided by default on the management server. A user with privileged
local access to the system that
hosts the management server could gain administrative access to the
database and gather sensitive data
concerning the systems that are being managed from that host. An
unauthorized user with network
access could potentially capture the login system calls from the server
and leverage additional
unauthorized access to the management server database. Unauthorized
access could allow the attacker
to collect additional sensitive information or to alter configuration
information on managed systems.
Symantec Response
Symantec confirmed the issues reported by Jonas Olsson above and has
developed solutions to resolve them.
Symantec has released a patch for all affected products that removes any
default passwords and
provides strong administrative password management including change
control and encryption.
Symantec strongly recommends that customers apply the appropriate patch
for their affected product
versions immediately to protect against these types of threats.
Product patches are available on the Symantec Enterprise Support site
http://www.symantec.com/techsupp.
Symantec is not aware of any active attempts against or organizations
impacted by the issues.
Mitigation
While this has potential to be a serious vulnerability, there are
mitigating circumstances that greatly
reduce the risk of intentional exploitation attempts
To gain local access to the server information, a user must have a user
account on the targeted
system and be logged on interactively
The server's default database port can be firewalled locally on the
Symantec ON Command CCM
server, denying access to network requests
Access to management servers should normally be restricted to trusted
Administrators only with
restricted access to the physical systems.
CVE
CVE candidate numbers are being requested from The Common Vulnerabilities
and Exposures (CVE)
initiative. This advisory will be revised as required once CVE candidate
numbers have been assigned.
This issue is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for
security problems.
Symantec Product Security Contact:
Symantec takes the security and proper functionality of its products very
seriously. As founding members
in the Organization for Internet Safety, Symantec follows the process of
responsible disclosure.
Symantec also subscribes to the vulnerability guidelines outlined by the
National Infrastructure Advisory
Council (NIAC). Please contact secure@xxxxxxxxxxxx if you feel you have
discovered a potential or
actual security issue with a Symantec product.
Symantec strongly recommends using encrypted email for reporting
vulnerability information to
secure@xxxxxxxxxxxxx The Symantec Product Security PGP key can be
obtained here.
Symantec's formal Product Security Advisory for this issue can be found
online at
http://securityresponse.symantec.com/avcenter/security/SymantecAdvisories.html
--------------------------------------------------------------------------------
Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless
authorized by Symantec Product Security. Reprinting the whole or parts of
this alert in any medium other
than electronically requires permission from secure@xxxxxxxxxxxxx
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently
available information. Use of the information constitutes acceptance for
use in an AS IS condition. There
are no warranties with regard to this information. Neither the author nor
the publisher accepts any liability
for any direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this
information.
Symantec, Symantec products, and secure@xxxxxxxxxxxx are registered
trademarks of Symantec
Corp. and/or affiliated companies in the United States and other
countries. All other registered and
unregistered trademarks represented in this document are the sole property
of their respective
companies/owners.
Symantec Product Security Team
Symantec takes the security of our products seriously and is a responsible
disclosure company. You can view our response policies at
http://www.symantec.com/security.
We will work directly with anyone who believes they have found a security
issue in a Symantec product to validate the problem and coordinate any
response deemed necessary.
Please contact secure@xxxxxxxxxxxx concerning security issues with
Symantec products.