Bugtraq mailing list archives

Re: Security Hole in Axent ESM


From: dcupp () SNAKEBITE COM (dcupp () SNAKEBITE COM)
Date: Thu, 24 Sep 1998 17:23:14 -0400


Steve,

What is the real story with 4.5?   I tried getting an upgrade without success.  Your email signature indicates you are
the product manager for AXENT ESM.

According to Axent technical support ESM 4.4 is the latest GA version of ESM.  ESM 4.5 is not the product shipped to 
customers who order ESM today.  Support could not tell me how to receive a copy of 4.5.

This conflicts with your claims that ESM 4.5 with security fixes has been shipping since March of 1998 and this still 
leaves my network vulnerable to someone modifying binaries and spoofing the CRC checksums.

IMHO, leaving the CRC file checksums and just adding the MD5 as an option in future versions of ESM may not be clear to 
most customers that CRC's can be easily spoofed and are weak checksums.  Is there any reason you don't make MD5 the 
default requirement if you are doing checksums and remove CRC's?

Maybe you can provide clarifications on where to get the security fixes for ESM 4.5 to make it secure?  Your tech 
support needs the information as well.

Steve Jackson Claims > We at AXENT agree that CRC checks are not as secure as our
Steve Jackson Claims > customer base would desire.
Steve Jackson Claims > Thus, we have added the MD5 (128 bit) check to ESM.  This shipped
Steve Jackson Claims > in the ESM 4.5 product in March of 1998.  Now our customers can
Steve Jackson Claims > choose to run either CRC or MD5 according to their needs.
Steve Jackson Claims >
Steve Jackson Claims > I want to respond to comments regarding the use of XOR within
Steve Jackson Claims > ESM 4.4 as a method of hiding communications between servers
Steve Jackson Claims > and remote clients.  I would like you to know that the method
Steve Jackson Claims > employed is not just XOR logic, but XOR combined with standard
Steve Jackson Claims > 40 bit data hiding technology.
Steve Jackson Claims >
Steve Jackson Claims > We at AXENT recognized that this methodology was not as secure as
Steve Jackson Claims > desired. We have enhanced the communications security between
Steve Jackson Claims > servers and clients to utilize a Diffie-Hellman key for the
Steve Jackson Claims > session, combined with encrypting every packet across the wire
Steve Jackson Claims > using DESX encryption.  This has been available since ESM 4.5
Steve Jackson Claims > shipped in March of 1998.  In addition to this, communications
Steve Jackson Claims > handshaking occurs at the initiation of every communication
Steve Jackson Claims > sequence between client and server.
Steve Jackson Claims >
Steve Jackson Claims > Steve Jackson
Steve Jackson Claims > AXENT Technologies

--

Dan Cupp
System Administrator
UNIX / PERL Ninja!
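
The CRC versus MD5 point raised in this message, as an added example that is not part of the original post and is not AXENT code. It assumes CRC-32 as implemented by Python's zlib (the thread does not say which CRC ESM uses) and shows that the checksum of a combination of equal-length inputs can be computed from their checksums alone, a shortcut that fails for MD5; the sample inputs are constructed.

```python
import hashlib
import zlib


def xor_bytes(*blocks: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    length = len(blocks[0])
    if any(len(b) != length for b in blocks):
        raise ValueError("blocks must have equal length")
    out = bytearray(length)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def crc32_predicted(a: bytes, b: bytes, c: bytes) -> int:
    """CRC-32 of a^b^c derived from the three checksums, without the data."""
    return zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def md5_predicted(a: bytes, b: bytes, c: bytes) -> bytes:
    """The same shortcut attempted on MD5 digests."""
    return xor_bytes(*(hashlib.md5(x).digest() for x in (a, b, c)))


def shortcut_works(a: bytes, b: bytes, c: bytes) -> dict:
    """Report whether the checksum-only prediction matches the real value."""
    combined = xor_bytes(a, b, c)
    return {
        "crc32": zlib.crc32(combined) == crc32_predicted(a, b, c),
        "md5": hashlib.md5(combined).digest() == md5_predicted(a, b, c),
    }


# Constructed sample inputs, padded to equal length; not real ESM data.
SAMPLES = tuple(
    s.ljust(32, b".")
    for s in (b"constructed contents v1",
              b"constructed contents v2",
              b"another constructed sample")
)

if __name__ == "__main__":
    print(shortcut_works(*SAMPLES))
```

Because CRC-32 is an affine function of its input, a matching CRC only rules out accidental corruption; it says nothing about deliberate modification.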


