-- Corsaire Limited Security Advisory --

Title: Symantec/Axent NetProwler 3.5.x database configuration
Date: 07.04.01
Application: Symantec/Axent NetProwler 3.5.x
Environment: WinNT
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c010407-001

-- Scope --

The aim of this document is to clearly define some issues related to a potentially unsound database configuration within the NetProwler application environment as provided by Symantec/Axent [1].

-- History --

Vendor notified: 07.04.01
Document released: 09.05.01

-- Overview --

The latest version of the NetProwler intrusion detection product comes as a three-tiered architecture, consisting of agents, a management component, and a console. Both configuration and auditing information are stored within a MySQL database hosted locally on the management tier of the product. This database is exposed unnecessarily to potential network scrutiny because it is configured by default to listen on all local IP addresses.

-- Analysis --

The MySQL database included with the NetProwler product is used to store both configuration and auditing information on the management tier. It is accessed via an ODBC connection on the default MySQL port (TCP/3306). Because the MySQL engine listens on every local address rather than on localhost only, the databases can be reached from the network. If the correct access password can be obtained (see Corsaire advisory 010317-001a [2]), a remote party can then amend the data contained within them, or simply delete the databases, causing a denial of service in the management tier.

In theory, using this flaw it is feasible to disable the IDS capabilities of NetProwler, perform whatever attack is required, and then reconfigure the host to its prior state.

As a proof of concept, a tool was created that simply deletes the NetProwler databases, causing a denial of service. This was provided to the vendor, but will not be made freely available.
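To confirm whether a management host is affected, and to verify the fix afterwards, the following check is useful. It is an added example written for this page, not a tool from Corsaire or from the NetProwler product. It parses the output of the Windows `netstat -an` command and reports any TCP/3306 listener bound to an address other than 127.0.0.1, and it parses a my.cnf to see whether the [mysqld] group restricts the listener. The netstat and my.cnf samples are constructed for illustration; the case-insensitive comparison of the option-group name and the acceptance of skip-networking as an alternative remediation are assumptions of this checker, not statements from the advisory.

```python
"""Exposure check for the MySQL listener on a NetProwler management host.

Added example (not part of the Corsaire advisory or the NetProwler product).
  1. exposed_mysql_listeners(): parse `netstat -an` output and return the
     local addresses on which TCP/3306 is listening other than loopback.
  2. mysql_restricted(): parse a my.cnf and return True if the [mysqld]
     group binds to 127.0.0.1 or disables TCP with skip-networking.
"""
import re

MYSQL_PORT = 3306
LOOPBACK = "127.0.0.1"

# Constructed sample of Windows NT `netstat -an` output (not captured from a
# real host): MySQL listening on all addresses, the vulnerable default.
SAMPLE_NETSTAT_EXPOSED = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:3306           *:*
"""

# Constructed sample after bind-address=127.0.0.1 has been applied.
SAMPLE_NETSTAT_FIXED = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
"""

# Constructed my.cnf fragments: default (no bind-address) and corrected.
SAMPLE_MYCNF_DEFAULT = """\
[mysqld]
basedir=C:/mysql
datadir=C:/mysql/data
"""

SAMPLE_MYCNF_FIXED = """\
[MySQLd]
basedir=C:/mysql
datadir=C:/mysql/data
bind-address=127.0.0.1   # listen on loopback only
"""

# One netstat line: "TCP  <addr>:<port>  <foreign>  LISTENING"
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def exposed_mysql_listeners(netstat_output):
    """Return local addresses on which TCP/3306 listens beyond loopback."""
    exposed = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port == MYSQL_PORT and addr != LOOPBACK:
            exposed.append(addr)
    return exposed


def mysqld_options(config_text):
    """Return {option: value} for the [mysqld] group of a my.cnf.

    Group names are compared case-insensitively (assumption of this checker),
    '#' comments are stripped, and bare options such as skip-networking map
    to None. Underscores in option names are normalised to hyphens.
    """
    opts = {}
    group = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
            continue
        if group != "mysqld":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        opts[key] = value.strip() if sep else None
    return opts


def mysql_restricted(config_text):
    """True if this my.cnf stops MySQL accepting remote TCP connections."""
    opts = mysqld_options(config_text)
    if "skip-networking" in opts:
        return True
    return opts.get("bind-address") == LOOPBACK


if __name__ == "__main__":
    print("exposed before fix:", exposed_mysql_listeners(SAMPLE_NETSTAT_EXPOSED))
    print("exposed after fix: ", exposed_mysql_listeners(SAMPLE_NETSTAT_FIXED))
    print("default my.cnf restricted:", mysql_restricted(SAMPLE_MYCNF_DEFAULT))
    print("fixed my.cnf restricted:  ", mysql_restricted(SAMPLE_MYCNF_FIXED))
```

On a live host, feed the real `netstat -an` output and the contents of c:\my.cnf into the two functions; an empty list from exposed_mysql_listeners() together with True from mysql_restricted() is the state the Recommendations section aims for.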
-- Recommendations --

The MySQL databases do not need to be accessed by remote systems, so the MySQL engine can be configured to listen on localhost only. To do this, edit the c:\my.cnf file and add the following line to the [mysqld] group, then restart the MySQL service (or the host) so the setting takes effect:

[mysqld]
bind-address=127.0.0.1

Binding to localhost removes the network exposure of the databases; it does not change the password issue described in [2], which should be addressed separately.

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0645 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=50&PID=3061537
[2] http://www.corsaire.com/advisories/010317-001a.txt

-- Revision --

a. Initial release.
b. Revised to include CVE reference.

-- Distribution --

This security advisory may be freely distributed, provided that it remains unaltered and in its original form.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information.

Copyright 2001 Corsaire Limited. All rights reserved.