
RE: Missing admin sql password in Okena StormWatch



Marcus Gavel
19/12/02, 16:29
<Response from the Okena Team>

Background: StormWatch is a security product that uses a central database to
hold security configuration information that is used to control a number of
security agents. In the text below, the server refers to the StormWatch
central database server.

The issue reported in the bugtraq message "Missing admin sql password in
Okena StormWatch" -- null "sa" password permits anybody to connect to the
StormWatch database -- has been studied.

The StormWatch product install ensures that the "sa" user password is set to
a random value. It also sets the database authentication type to "windows".
This latter step prevents all users from connecting to the database unless
they are the local windows administrator and they use their windows
credentials. During a database upgrade (say moving from MSDE sp1 to MSDE
sp2), the "sa" user password is reset to null. However, the authentication
type remains "windows" which prevents any user from using the "sa" account.

We received more information about the reported issue that said that a local
administrator had access to the database via ODBC, with no password being
entered. This is the expected behavior as the local windows administrator
has full access to the database for maintenance purposes. The null "sa"
password was perceived to be the reason why no password was required, but
the real reason was that the local administrator credentials were being used
to access the database.

The StormWatch documentation states that the server should be physically
secure and that unauthorized users should not have accounts on that system.
The default security policies that are applied to the server prevent any
remote access to the system (apart from our Web based management interface).

After reviewing this information, we do not believe that any vulnerability
exists for StormWatch customers if no unauthorized user has the server's
Administrator password. However, for 'defense in depth' reasons, we
recommend that the "sa" password be set to an unknown value. StormWatch
customers can contact support@okena.com for instructions to set the "sa"
password.

Thanks to Mario Robic for providing additional information about this issue.

Bugs or security issues should be reported to support@okena.com or
security@okena.com. If StormWatch customers have any additional questions,
they should contact support@okena.com.

-----Original Message-----
From: Marc Ruef [mailto:marc.ruef@computec.ch]
Sent: Wednesday, December 18, 2002 2:06 AM
To: bugtraq@securityfocus.com; submissions@packetstormsecurity.org;
news@securiteam.com
Subject: Missing admin sql password in Okena StormWatch


Hi!

I was working with Okena StormWatch[1] - a really interesting commercial
intrusion prevention product - and saw that the SQL password for the
admin account (sa) is missing.

With a SQL client and a blank password it's possible for everyone who
can connect to the manager to compromise the whole system/network.

My notification was sent on Fri, 15 Nov 2002 14:21:01 +0100 to
info@OKENA.com - Nothing came back.

Thanks to Mario Robic for helping to discover this problem.

Bye, Marc

[1] http://www.okena.com

--
Computer, Technik und Security
http://www.computec.ch
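The thread turns on three facts about the StormWatch database server: whether the instance is in Windows-authentication-only mode, whether "sa" has a blank password after an MSDE upgrade, and how to give "sa" an unknown value as Okena recommends. The following T-SQL script is an added example illustrating how an administrator can audit and fix exactly that on their own instance; it is not code from Okena, from Marc Ruef, or from the StormWatch product (Okena's own procedure comes from support@okena.com, as the response says). It assumes a current SQL Server with sys.sql_logins, PWDCOMPARE and ALTER LOGIN; on the MSDE 2000 builds of that era the equivalents were master..syslogins and sp_password, which is an assumption noted here rather than something the thread states.

```sql
-- Added example, not from the advisory or the original report.
-- Assumes SQL Server 2008 or later (sys.sql_logins, ALTER LOGIN).
-- Run as a sysadmin, e.g. the local Windows administrator the
-- Okena response describes.

-- 1. Authentication mode. 1 = Windows only (what the StormWatch
--    install sets), 0 = mixed mode, where a blank "sa" would be usable.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. SQL logins whose password is currently blank (the "sa" state the
--    response says an MSDE service-pack upgrade leaves behind).
--    PWDCOMPARE tests a candidate against the stored hash, so the
--    hash itself is never displayed.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. Remediation: set "sa" to a random value that is never recorded,
--    then disable the login so it stays unusable even if the auth
--    mode is later switched to mixed. ALTER LOGIN needs a literal
--    password, hence the dynamic SQL.
DECLARE @pw  nvarchar(128) = CONVERT(nvarchar(128), NEWID());
DECLARE @sql nvarchar(max) =
    N'ALTER LOGIN sa WITH PASSWORD = ' + QUOTENAME(@pw, '''') + N';';
EXEC sp_executesql @sql;
ALTER LOGIN sa DISABLE;

-- 4. Verify: "sa" is disabled and no blank-password login remains.
--    Expected: one row for sa with is_disabled = 1, nothing else.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE name = 'sa' OR PWDCOMPARE('', password_hash) = 1;
```

Step 1 is the check that matters most for the thread's conclusion: with the instance in Windows-only mode, the blank "sa" password cannot be used from a SQL client, which is why the Okena response attributes the ODBC access to the local administrator's Windows credentials rather than to "sa". Steps 2 and 3 are the "defense in depth" measure the response recommends, so that a later change of authentication mode, or a future upgrade that resets "sa" again, does not reopen the path.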