Bugtraq mailing list archives

RE: BindView NetInventory NetRC hostcfg_ni password passed in clear text


From: "Blake, Scott" <SBlake () bindview com>
Date: Wed, 13 Feb 2002 17:04:06 -0600

In January, a bug in NETinventory was discovered when the product is used in
conjunction with NETrc.

When using these two products, NETinventory writes a file named hostcfg._ni
that is stored on the machine, which contains the encrypted NETrc password.
A user can delete that file, then force a new audit from the netlogon
directory. When this occurs, NETinventory looks for that file, and if it is
not present, rewrites the file. During the rewrite, the file is stored as
hostcfg.ini until the audit is completed, which means that the password is
in clear text until the audit is completed. Although this process takes only
a matter of seconds, requires physical access to the machine, and will only
provide access to the NETrc proxy, it is a security flaw that BindView is
aware of and addressing at this moment.

A fix has been available since January 30th for this issue at:
ftp://ftp.bindview.com/Products/NETrc/NETinventory_NETrc_HotFix.zip.

-----
Scott Blake
VP, Information Security
BindView Corporation
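
The following is an added example, not part of the original post and not BindView code. It models the write pattern the message describes (clear text staged in hostcfg.ini before the protected hostcfg._ni exists) beside a hardened writer that protects the secret in memory and renames a finished file into place. The `protect` function, the sample secret and the `observe` hook are assumptions made for illustration; the product's actual encryption and file handling are not shown in the post.

```python
import hashlib
import os
import tempfile

SECRET = b"constructed-proxy-password"  # constructed sample value, not a real credential

def protect(data: bytes) -> bytes:
    """Stand-in for the product's password encryption (assumption; not real crypto)."""
    key = hashlib.sha256(b"demo-key").digest()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def write_staged(dirpath, secret, observe):
    """Behaviour the advisory describes: clear text in hostcfg.ini until the audit ends."""
    staged = os.path.join(dirpath, "hostcfg.ini")
    final = os.path.join(dirpath, "hostcfg._ni")
    with open(staged, "wb") as f:
        f.write(secret)
    observe(dirpath)  # the window while the audit is still running
    with open(final, "wb") as f:
        f.write(protect(secret))
    os.remove(staged)
    return final

def write_hardened(dirpath, secret, observe):
    """Protect in memory, write a private temp file, then rename it into place."""
    final = os.path.join(dirpath, "hostcfg._ni")
    fd, tmp = tempfile.mkstemp(dir=dirpath, prefix=".hostcfg-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(protect(secret))
        observe(dirpath)  # same point in time as in write_staged
        os.replace(tmp, final)  # atomic: readers see the old file or the new one
    except BaseException:
        if os.path.exists(tmp):
            os.remove(tmp)
        raise
    return final

def cleartext_exposed(writer, secret=SECRET):
    """True if any file on disk held the clear-text secret while `writer` ran."""
    hits = []
    def observe(dirpath):
        for name in os.listdir(dirpath):
            with open(os.path.join(dirpath, name), "rb") as f:
                if secret in f.read():
                    hits.append(name)
    with tempfile.TemporaryDirectory() as d:
        writer(d, secret, observe)
    return bool(hits)
```

`cleartext_exposed(write_staged)` reports the exposure and `cleartext_exposed(write_hardened)` does not, which makes the pair usable as a regression check for any code that regenerates a credential file.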

