-- Corsaire Limited Security Advisory --

Title: Symantec/Axent NetProwler 3.5.x password restrictions
Date: 17.03.01
Application: Symantec/Axent NetProwler 3.5.x
Environment: WinNT
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c010317-001

-- Scope --

The aim of this document is to clearly define some potentially unsound password practices within the NetProwler application environment as provided by Symantec/Axent [1].

-- History --

Vendor notified: 21.03.01
Document released: 09.05.01

-- Overview --

The latest version of the NetProwler intrusion detection product comes as a three-tiered architecture, consisting of agents, a management component, and a console. Access between the components is achieved via channels that are protected by passwords, which have several weak defaults and unnecessary restrictions.

-- Analysis --

The default password chosen to restrict access to the management tier is "admin", which, apart from being weak, is not required to be changed during the install process (the documentation does recommend changing this, but in the real world this might potentially be overlooked).

The password entered into the agent tier must be 8-16 characters long, and does not seem to be restricted as to which keyboard characters are entered. The manager component needs to connect to the agent as part of its normal operation, and to achieve this, the agent password must be entered. However, the manager interface unnecessarily restricts the use of the |"\':*?<> characters, reducing the potential keyspace available and making the task of brute forcing passwords easier.

The management component itself is connected to a local MySQL database via ODBC. The passwords for these connections are by default blank (again, the documentation does recommend changing this, but in the real world this might potentially be overlooked).
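
The following is an added example, not part of the original advisory and not vendor code. It checks a candidate password against the constraints described in the analysis and estimates how much search space the manager's character restriction removes. It assumes "keyboard characters" means the 95 printable ASCII characters; the function names are hypothetical.

```python
import math
import string

# Values taken from the advisory text.
MANAGER_FORBIDDEN = set('|"\\\':*?<>')   # characters the manager interface rejects
AGENT_MIN_LEN, AGENT_MAX_LEN = 8, 16     # agent password length limits
KNOWN_DEFAULTS = {"admin", ""}           # management default and blank ODBC default

# Assumption: "keyboard characters" means the 95 printable ASCII characters.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def keyspace(alphabet_size, min_len=AGENT_MIN_LEN, max_len=AGENT_MAX_LEN):
    """Number of distinct passwords over every permitted length."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def keyspace_loss_bits():
    """Bits of search space lost when the manager's restriction applies."""
    full = keyspace(len(PRINTABLE))
    reduced = keyspace(len(PRINTABLE - MANAGER_FORBIDDEN))
    return math.log2(full) - math.log2(reduced)


def check_password(candidate):
    """Return a list of policy problems; an empty list means acceptable."""
    problems = []
    # Case-insensitive match is a deliberately strict choice made for this example.
    if candidate.lower() in KNOWN_DEFAULTS:
        problems.append("default or blank password")
    if not AGENT_MIN_LEN <= len(candidate) <= AGENT_MAX_LEN:
        problems.append("length outside 8-16 characters")
    # A password the agent accepts but the manager cannot enter is unusable.
    rejected = sorted(set(candidate) & MANAGER_FORBIDDEN)
    if rejected:
        problems.append("manager interface rejects: " + "".join(rejected))
    if not set(candidate) <= PRINTABLE:
        problems.append("non-keyboard character")
    return problems


if __name__ == "__main__":
    for sample in ("admin", "", "pass:word<1>", "Tr0ub4dor&3xyz"):  # constructed samples
        print(repr(sample), check_password(sample))
    print("keyspace lost: %.2f bits" % keyspace_loss_bits())
```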

-- Recommendations --

As many of us have seen in the flesh, installations are often carried out with default values, sometimes with the intention of going back and doing it 'properly' when the opportunity arises (though this might not happen for some time, if ever).

Manufacturers can help this situation by enforcing good security practice at installation time: requiring strong passwords, and selecting good default values for critical metrics.

In this particular circumstance, follow the recommendations in the documentation and change the passwords!

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0645 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=50&PID=3061537

-- Revision --

a. Initial release.
b. Included CVE reference.

-- Distribution --

This security advisory may be freely distributed, provided that it remains unaltered and in its original form.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information.

Copyright 2001 Corsaire Limited. All rights reserved.