Security Hole in Axent ESM

[dcupp () SNAKEBITE COM (dcupp () SNAKEBITE COM)]

My boss bought Axent ESM and wants me to install it.  Before installing it,I noticed it relies on CRC checksums as the 
mechanism to validate the integrity of the files.  This appears to be a major security NO-NO, and even old freeware 
security packages like Tripwire use stronger algorithms.

On CERT's web site, it is documented in the Intrusion Detection Checklist saying, "Trojan horse programs may produce 
the same standard checksum and timestamp as the legitimate version. Because of this, the standard UNIX sum(1) command 
and the timestamps associated with the programs are not sufficient to determine whether the programs have been 
replaced."

I talked with our Axent contact and he claimed that their file integrity validation could not be compromised by a 
hacker because Axent has security experts that designed ESM.

Before I install ESM, I would like either make sure their product can't easily be spoofed by hackers because of weak 
CRC checksums or Axent fix their vulnerability. Maybe other readers on BugTraq will encourage Axent to close up this 
hole since my
own efforts have fallen on deaf ears.

--

Dan Cupp
System Administrator
UNIX / PERL Ninja!


---------------------------------------------------
Get free personalized email at http://www.iname.com