Bugtraq mailing list archives

Corsaire Limited Security Advisory - Symantec/Axent NetProwler 3.5.x password restrictions


From: Martin O'Neal <BugTraq () corsaire com>
Date: Thu, 10 May 2001 10:25:29 +0100



-- Corsaire Limited Security Advisory --

Title: Symantec/Axent NetProwler 3.5.x password restrictions
Date: 17.03.01
Application: Symantec/Axent NetProwler 3.5.x 
Environment: WinNT 
Author: Martin O'Neal [martin.oneal () corsaire com]
Audience: General distribution


-- Scope --

The aim of this document is to clearly define some potentially unsound 
password practices within the NetProwler application environment as 
provided by Symantec/Axent [1].


-- History --

Vendor notified: 21.03.01 
Document released: 09.05.01


-- Overview --

The latest version of the NetProwler intrusion detection product comes as 
a three-tiered architecture, consisting of agents, a management component, 
and a console. Access between the components is achieved via channels that 
are protected by passwords, which have several weak defaults and unnecessary
restrictions.


-- Analysis --

The default password chosen to restrict access to the management tier is
"admin", which apart from being weak, is not required to be changed during
the install process (the documentation does recommend changing this, but in
the real world this might potentially be overlooked). 

The password entered into the agent tier must be 8-16 characters
long, and does not seem to be restricted as to which keyboard characters are
entered. The manager component needs to connect to the agent as part of its
normal operation, and to achieve this, the agent password must be entered.
However, the manager interface unnecessarily restricts the use of the
|"\':*?<> characters, reducing the potential keyspace available and making
the task of brute forcing passwords easier.

The management component itself is connected to a local MySQL database via
ODBC. The passwords for these connections are by default blank (again, the
documentation does recommend changing this, but in the real world this might
potentially be overlooked).


-- Recommendations --

As many of us have seen in the flesh, installations are often carried out
with default values, sometimes with the intention of going back and doing it
'properly' when the opportunity arises (though this might not happen for
some time, if ever). 

Manufacturers can help this situation by enforcing good security practice at
installation time: requiring strong passwords, and selecting good default
values for critical metrics. 

In this particular circumstance, follow the recommendations in the
documentation and change the passwords!


-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=50&PID=3061537


-- Revision --

Initial release.


Copyright 2001 Corsaire Limited. All rights reserved.




Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey GU23 7EF
Telephone:+44(0)1483-226000 Email:info () corsaire com
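
The following is an added example, not part of the original advisory or of any Symantec/Axent code: a small audit helper that checks a proposed agent password against the constraints described in the Analysis section and quantifies the keyspace lost to the manager's character restriction. It assumes "keyboard characters" means the 95 printable ASCII characters; the function and constant names are hypothetical.

```python
import math
import string

# Characters the advisory says the manager interface rejects: |"\':*?<>
MANAGER_REJECTED = set('|"\\\':*?<>')
# Assumption: "keyboard characters" = the 95 printable ASCII characters.
KEYBOARD = set(string.ascii_letters + string.digits + string.punctuation + " ")
MIN_LEN, MAX_LEN = 8, 16  # agent password length limits from the advisory
# Defaults named in the advisory: "admin" (management tier), blank (MySQL/ODBC).
KNOWN_DEFAULTS = {"admin", ""}


def keyspace(alphabet_size, lo=MIN_LEN, hi=MAX_LEN):
    """Number of candidate passwords of length lo..hi over the alphabet."""
    return sum(alphabet_size ** n for n in range(lo, hi + 1))


def entropy_loss_bits():
    """Bits of keyspace lost when the manager's restriction applies."""
    full = keyspace(len(KEYBOARD))
    reduced = keyspace(len(KEYBOARD - MANAGER_REJECTED))
    return math.log2(full) - math.log2(reduced)


def audit_agent_password(pw):
    """Return a list of findings for a proposed agent password."""
    findings = []
    if pw in KNOWN_DEFAULTS:
        findings.append("default")
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        findings.append("length")
    # The agent accepts these characters, but the manager cannot enter them.
    rejected = sorted(set(pw) & MANAGER_REJECTED)
    if rejected:
        findings.append("manager-rejects:" + "".join(rejected))
    if set(pw) - KEYBOARD:
        findings.append("non-keyboard")
    return findings


if __name__ == "__main__":
    print("keyspace lost: %.2f bits" % entropy_loss_bits())
    # Constructed sample passwords, for illustration only.
    for sample in ["admin", "Tr1cky:pass?", "c0rrect-h0rse+9"]:
        print(repr(sample), audit_agent_password(sample))
```

An empty findings list means the password fits the agent's length limits and can also be typed into the manager interface.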

