Bugtraq mailing list archives

Re: Corsaire Limited Security Advisory - Symantec/Axent NetProwler 3.5.x database configuration


From: "Sym Security" <symsecurity () symantec com>
Date: Tue, 15 May 2001 15:56:37 -0500


-- Corsaire Limited Security Advisory --

Title: Symantec/Axent NetProwler 3.5.x database configuration
Date: 07.04.01
Application: Symantec/Axent NetProwler 3.5.x
Environment: WinNT
Author: Martin O'Neal [martin.oneal () corsaire com]
Audience: General distribution


-- Scope --

The aim of this document is to clearly define some issues related to
a potentially unsound database configuration within the NetProwler
application environment as provided by Symantec/Axent [1].


-- History --

Vendor notified: 07.04.01
Document released: 09.05.01


-- Overview --

The latest version of the NetProwler intrusion detection product comes
as a three-tiered architecture, consisting of agents, a management
component, and a console. Both configuration and auditing information
is stored within a MySQL database hosted locally on the management tier
of the product. This database is exposed unnecessarily to potential
network scrutiny due to being configured by default to listen to all
local IP addresses.

----------------------------snip----------------------------



Symantec worked closely with Corsaire Limited on this issue. The
accompanying Security Alert was released to NetProwler customers in
response to the potential risk in the MySQL configuration as shipped with
NetProwler 3.5.x. Symantec recommends following proper install
configurations as outlined in the NetProwler product installation
instructions as well as the guidelines provided in the Symantec Security
Alert below.

Our thanks, once again, to Corsaire Limited for working with Symantec on
this issue.

SARC
symsecurity () symantec com

http://www.symantec.com/avcenter/security/Content/2001_05_08.html

8 May, 2001
Symantec NetProwler 3.5.x MySQL database configuration allows possible
remote access

Affected:
NetProwler 3.5.x, NT version

Overview:
Following is information received from Corsaire Limited, describing a
potential risk to NetProwler customers due to a weakness in the default
install configuration of the MySQL database.

"The latest version of the NetProwler intrusion detection product comes as
a three-tiered architecture, consisting of agents, a management component,
and a console. Both configuration and auditing information is stored within
a MySQL database hosted locally on the management tier of the product. This
database is exposed unnecessarily to potential network scrutiny due to
being configured by default to listen to all local IP addresses."

Details:
NetProwler version 3.5.x ships with the MySQL version 3.22.24 database.
The NetProwler manager communicates with the MySQL service using named
pipes. This method of communication does not require configuring the MySQL
service to accept incoming connections on any port. However, MySQL version
3.22.24 is installed in its default configuration, and by default it is
configured to accept inbound connections on port 3306. As a result, a
hacker with internal network access could connect remotely to the MySQL
port and compromise the NetProwler configuration database, provided they
knew the MySQL username and password. Access to the MySQL database would
allow an attacker to modify existing entries or delete the database
entirely.

Risk Impact:

Medium

Solution:

NOTE:  This is not a security problem with the NetProwler tool, rather with
the default configuration of the accompanying MySQL database.  However,
because of the risk that an attacker could bypass the MySQL password
authentication scheme, Symantec has the following security configuration
recommendations.  In addition to ensuring that the default NetProwler
manager and MySQL usernames and passwords are changed during the
installation process, as documented in the installation instructions,
Symantec recommends that customers configure their NetProwler environment
so that the MySQL service does not accept any connections through port 3306
or the Microsoft Networking protocol NetBIOS/SMB.  This requires that
customers install both the NetProwler manager and its database on the same
machine. (Note: This is the default installation.) Following these
recommended guidelines will ensure that the NetProwler MySQL database is
not susceptible to the remote attack described in the Corsaire advisory.

Verification of vulnerable configuration:

The following procedure checks if the MySQL service is configured to accept
remote connections on the local machine. On the NetProwler Manager machine
proceed as follows:

1.   From the Start menu, select Program Files followed by Command Prompt.
2.   At the command prompt type:

   netstat -a

   This will display a list of services listening on the current machine.
   In the Local address column, if one of the lines contains <machine
   name>:3306, this confirms that the MySQL service is listening on its
   default port 3306. If this is the case, please proceed to the next steps
   to disable this service.


Disabling remote access to MySQL service


The MySQL service is accessible via TCP/IP on port 3306, and via SMB.



Disabling access to MySQL via TCP/IP

The following steps disable the MySQL service from listening for
connections on the default port 3306.

1.   Stop the NetProwler Manager and any NetProwler Consoles (if running).
2.   Run Notepad.
3.   Open the file c:\my.cnf
4.   The file should contain two lines:
[mysqld]
basedir=c:\\mysql
5.   Add the line "skip-networking", so the file should look like:
[mysqld]
basedir=c:\\mysql
skip-networking

Note: Advanced users may have modified the default my.cnf that ships with
   NetProwler. These users need only to add the line "skip-networking" in
   the section noted, [mysqld], as stated above.

6.   Save the file and exit Notepad.



Disabling access to MySQL via SMB

1.   From the Start menu, choose Control Panel.
2.   Double-click the Services icon.
3.   Select Computer Browser from the list of services. Click the Startup
button. Set the Startup Type to "Disabled" and click Ok.
4.   Repeat Step 3, for the Server service.
5.   Restart the workstation.



Validation of removal for remote access to MySQL


The following procedure confirms that the MySQL service no longer accepts
remote connections on the local machine. On the NetProwler Manager machine
proceed as follows:

1.   From the Start menu, select Program Files followed by Command Prompt.
2.   At the command prompt type:

   netstat -a

   This will display a list of services listening on the current machine.
   In the Local address column, if none of the lines contains <machine
   name>:3306, this confirms that the MySQL service is no longer listening
   on its default port 3306.
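The check and the my.cnf change above, as an added example that is not part of the Symantec bulletin or the Corsaire advisory: it parses constructed `netstat -a` output for a LISTENING socket on 3306 and inserts `skip-networking` into the [mysqld] section of a my.cnf, also covering the customised-file case the note mentions. The host name "npmgr" and both sample inputs are constructed; SMB hardening is not covered here.

```python
# Constructed sample of `netstat -a` output on an NT host (not captured from a
# real NetProwler manager); the host name "npmgr" is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    npmgr:135              0.0.0.0:0              LISTENING
  TCP    npmgr:3306             0.0.0.0:0              LISTENING
  TCP    npmgr:139              0.0.0.0:0              LISTENING
  UDP    npmgr:137              *:*
"""
# Constructed copy of the two-line c:\my.cnf the bulletin describes.
SAMPLE_MY_CNF = "[mysqld]\nbasedir=c:\\\\mysql\n"


def mysql_listening(netstat_output, port=3306):
    """True if a TCP socket on `port` is LISTENING: the bulletin's by-eye
    check for <machine name>:3306 in the Local Address column. UDP lines
    have no State column, so the field-count test skips them."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            if fields[1].rsplit(":", 1)[-1] == str(port):
                return True
    return False


def add_skip_networking(my_cnf_text):
    """Return my.cnf text with skip-networking in the [mysqld] section.
    Idempotent; a customised file with other sections gets the line at the
    end of [mysqld]; a file with no [mysqld] section gets one appended."""
    lines = my_cnf_text.splitlines()
    section, end_idx = None, None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s.lower()
        elif section == "[mysqld]" and s.lower().replace("_", "-") == "skip-networking":
            return my_cnf_text  # already hardened
        if section == "[mysqld]" and s:
            end_idx = i + 1  # insert just after the last non-blank [mysqld] line
    if end_idx is None:
        lines.append("[mysqld]")
        end_idx = len(lines)
    lines.insert(end_idx, "skip-networking")
    return "\n".join(lines) + "\n"
```

After writing the returned text back to c:\my.cnf and restarting the MySQL service, a second `netstat -a` pass through `mysql_listening` should return False.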




Credit:  Symantec wishes to thank Martin O'Neal of Corsaire Limited for
his excellent coordination in identifying and helping resolve this issue.

Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this Bulletin electronically is granted as long
as it is not edited in any way unless authorized by the SARC. Reprinting
the whole or part of this Bulletin in medium other than electronically
requires permission from Sym Security () symantec com.

Disclaimer:
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage arising from use of, or reliance on this information.
Symantec, NetProwler and Sym Security are Registered Trademarks of Symantec
Corp. and/or affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in this
document are the sole property of their respective companies/owners.
