Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: nprow2~1.htm

NetProwler disable IDS



Vulnerability

    NetProwler

Affected

    Symantec/Axent NetProwler 3.5.x database configuration

Description

    Martin  O'Neal   (Corsaire  Limited   Security  Advisory)    found
    following.   The aim  of this  document is  to clearly define some
    issues  related  to  a  potentially unsound database configuration
    within  the  NetProwler  application  environment  as  provided by
    Symantec/Axent.

    The latest version of  the NetProwler intrusion detection  product
    comes  as  a  three-tiered  architecture,  consisting of agents, a
    management  component,  and  a  console.   Both  configuration and
    auditing  information  is  stored  within  a MySQL database hosted
    locally on the management tier  of the product.  This  database is
    exposed unnecessarily to potential  network scrutiny due to  being
    configured by default to listen to all local IP addresses.

    The MySQL database  included with the  NetProwler product is  used
    to  store  both  configuration  and  auditing  information  on the
    management tier.  This is  accessed via an ODBC connection  on the
    default MySQL port (TCP/3306).

    Because it is  possible to connect  to the databases  remotely, if
    the correct  access password  can be  obtained, it  is possible to
    amend  the  data  contained  within  them,  or  simply  delete the
    databases causing a denial of service in the management tier.

    In  theory,  using  this  flaw  it  is feasible to disable the IDS
    capabilities of NetProwler,  perform whatever attack  is required,
    and then reconfigure the host to its prior state.

    As a proof of concept, a tool was created that simply deletes  the
    NetProwler  databases  causing  a  denial  of  service.   This was
    provided to the vendor, but will not be made freely available..

Solution

    The MySQL databases do not need to be accessed by remote  systems,
    so the MySQL engine can be configured to listen to localhost only.
    To do this,  edit the c:\my.cnf  file and add  the following line,
    then restart the host:

        [MySQLd]
        bind-address=127.0.0.1

    Symantec issued advisory to address this.  Please see it at:

        http://www.symantec.com/avcenter/security/Content/2001_05_08.html


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH