Bugtraq mailing list archives

Re: Security Hole in Axent ESM


From: conorich () US IBM COM (Douglas G Conorich)
Date: Thu, 27 Aug 1998 12:46:12 -0400


I would like to beg to differ on this subject.  First, this is not a security
hole.  A security hole is something that would allow an intruder to gain access
to a system or to gain greater privileges on a system.  This is, at best, a
weakness in the product's ability to detect an intrusion.  Second, a CRC is a
Cyclic Redundancy Check and not a simple checksum.  For the intruder to spoof
this, they would have to know what CRC algorithm ESM was using, and then make
their coded Trojan Horse fit that algorithm.  That is a major undertaking.  If
someone wants to go to that much work to get you, you have a lot bigger problem
than you think.  They will be doing a lot of other things to you, not just
planting a Trojan Horse.  Third, an intruder would have to have root to do
this.  If they can get root on your boxes, you have a lot bigger problem.

ESM does not only look at CRCs to verify if a file is genuine.  It also looks
at the timestamps; both the m-time and the c-time.  m-times are easy to change;
c-times are a lot harder and leave a trace.

The bottom line is that ESM is a Policy Management tool.  You use ESM to ensure
that hosts comply with the company's security policy.  If you want intrusion
detection then you should have their ITA tool, too.  It can be set up to watch
files in real time and alert you if a file ever changes.

When you talked to AXENT, I don't think you got to the right people.

Douglas G. Conorich                                       IBM
Senior Internet Security Analyst                   P.O. Box 595
Internet Emergency Response Service   Clearfield, UT 84015 U.S.A.
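
An added illustration of the m-time/c-time argument in the message above (example code written for this archive page, not part of the original post and not ESM's own code): a minimal integrity snapshot that records a file's CRC-32 and both timestamps, then simulates an intruder replacing the file and resetting its mtime with utime(). Assumptions: the CRC is zlib's CRC-32, since the thread does not say which CRC ESM uses; the file path and contents are constructed stand-ins for a monitored binary; and the ctime behaviour is POSIX (on Windows st_ctime is the creation time and would not move).

```python
import os
import tempfile
import time
import zlib


def snapshot(path):
    """What a CRC-plus-timestamp integrity checker stores for one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        # Assumption: zlib CRC-32; the original thread does not name ESM's CRC.
        crc = zlib.crc32(f.read()) & 0xFFFFFFFF
    return {"crc32": crc, "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def changed_fields(baseline, current):
    """Names of the stored fields that no longer match the baseline."""
    return sorted(k for k in baseline if baseline[k] != current[k])


def plant_and_reset_mtime(path, new_bytes):
    """Overwrite the file and put atime/mtime back to their original values with
    utime(), as an intruder hiding a planted binary would.  Returns the fields
    a later integrity check flags."""
    baseline = snapshot(path)
    st = os.stat(path)
    with open(path, "wb") as f:
        f.write(new_bytes)
    # utime() can set atime and mtime to anything, but there is no portable call
    # to set ctime: POSIX updates the inode change time on both the write and
    # the utime() itself, so the tampering leaves a trace there.
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return changed_fields(baseline, snapshot(path))


def demo():
    """Constructed scenario: a shell script standing in for a monitored binary
    is replaced by a trojaned copy whose mtime is then reset."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ls")
        with open(path, "wb") as f:
            f.write(b'#!/bin/sh\nexec /bin/ls "$@"\n')  # constructed original
        # Let the filesystem clock tick past the creation time so ctime can differ.
        time.sleep(0.1)
        trojaned = b'#!/bin/sh\n/bin/ls "$@"; /tmp/.x\n'  # constructed payload
        return plant_and_reset_mtime(path, trojaned)


if __name__ == "__main__":
    print(demo())  # expect ['crc32', 'ctime_ns']: mtime matches, CRC and ctime do not
```

Run as a script: the mtime reset succeeds, but the CRC and the ctime both differ from the baseline, which is the trace the message refers to. The check only holds on a box the intruder does not control; with root they can, for example, set the system clock back before writing, which is the "bigger problem" the message points to.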
