Security advisory
=================

Advisory name: Default username/password pairs in ON Command CCM 5.x database backend
Release date:  2004-09-20
Application:   ON Command CCM 5.x
Platform:      Linux, Solaris, Windows
Severity:      An intruder can gain access to all administrator passwords and other sensitive data for managed systems
Author:        Jonas Olsson <jonas@xxxxxxxxx>

Summary
-------

Four default username/password pairs are present in the Sybase database backend used by ON Command CCM 5.x servers. One of the username/password pairs is publicly available in a knowledge base article on ON Technology's web site.

The database accounts can be used to read and modify all data in the CCM database. Among other things, the database contains usernames and passwords for the administrative accounts of all managed workstations and servers.

In a default CCM installation the Sybase database server is reachable from the network on the standard Sybase database port. Two of the database account passwords are extremely easy to guess.

Vendor information
------------------

Symantec recently bought ON Technology, which produces ON Command CCM.

Homepage: http://www.symantec.com/

Vendor informed on: 2004-08-11
Vendor response:    Fix available in the next release of CCM (version 6.0), which will be available sometime in 2005.
Advisory mailed:    2004-09-20

Affected products
-----------------

* ON Command CCM version 5.x

We have not been able to verify the problem on earlier versions of ON Command CCM since we have not had access to the software.

Background
----------

ON Command CCM is a solution for central management of Windows workstations and servers. It handles unattended OS and software installation on managed computers. All configuration information for managed workstations is stored in the CCM database, including passwords for local administrators, domain administrator passwords if the workstation is joined to a domain, and license keys.

The CCM server software is available for several OSes, including Solaris, Linux and Windows.

Vulnerability impact
--------------------

Using any of the default database accounts, an attacker can easily retrieve the clear-text passwords of all systems managed by CCM. Since this includes the domain administrator password if CCM handles joining managed systems to a domain (which is usually the case), this can lead to compromise of both servers and workstations. Any other sensitive data, such as license keys, is also available from the CCM database.

Workarounds
-----------

* The passwords can be changed for three of the users. The fourth user's credentials are used by the CCM server daemons and are hard-coded in the binaries.

* The Sybase database port can be firewalled locally on the CCM server, denying access to network requests. Local requests cannot be blocked this way, however.

Contact
-------

AB TakeIT
http://www.takeit.se/
Jonas Olsson <jonas@xxxxxxxxx>
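The second workaround above says the database port should only be reachable locally. A quick way to verify that on a Linux CCM server is to check which addresses the database listener is bound to and whether a host firewall restricts the port to loopback. The following script is an added example, not part of the original advisory or of the CCM product: it parses `ss -lnt` / `netstat -lnt` style output and reports any listener on the database port that is not bound to a loopback address, then emits the Linux iptables rules that would allow loopback traffic and drop everything else. The port number 5000 is an assumption (the Sybase ASE default); the advisory only says "the standard Sybase database port", so set it to whatever the installation actually uses. The listener table below is constructed sample data.

```python
"""Audit whether a database listener is exposed beyond the loopback interface.

Added example (not from the advisory). Parses the output of `ss -lnt` or
`netstat -lnt` and flags sockets on the database port whose local address is
not loopback, then suggests host-firewall rules that restrict the port to lo.
"""
import ipaddress

# Assumption: Sybase ASE listens on TCP 5000 by default. The advisory does not
# state the port; replace this with the port configured on the CCM server.
DB_PORT = 5000

# Constructed sample output in `ss -lnt` format (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:5000        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    192.0.2.10:5000     0.0.0.0:*
"""


def parse_listeners(output):
    """Return (address, port) pairs for every listening socket in the table.

    Works for both `ss -lnt` and `netstat -lnt`: in both formats the local
    address is the fourth whitespace-separated field and the header is the
    first line.
    """
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, sep, port = fields[3].rpartition(":")
        if not sep or not port.isdigit():
            continue
        # IPv6 addresses appear as "[::1]:5000"; strip the brackets.
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback_only(addr):
    """True if the bind address only accepts connections from the local host."""
    if addr in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # 0.0.0.0 / :: are wildcards as well, so they count as exposed.
    return ip.is_loopback and not ip.is_unspecified


def exposed_db_listeners(output, port=DB_PORT):
    """Return the bind addresses on `port` that are reachable from the network."""
    return [addr for addr, p in parse_listeners(output)
            if p == port and not is_loopback_only(addr)]


def loopback_only_rules(port=DB_PORT):
    """Linux iptables rules implementing the advisory's workaround:
    accept the database port on lo, drop it from everywhere else."""
    return [
        f"iptables -A INPUT -p tcp --dport {port} -i lo -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {port} -j DROP",
    ]


if __name__ == "__main__":
    exposed = exposed_db_listeners(SAMPLE_SS_OUTPUT)
    if exposed:
        print(f"database port {DB_PORT} reachable from the network on: {exposed}")
        print("suggested host-firewall rules:")
        for rule in loopback_only_rules():
            print("  " + rule)
    else:
        print(f"database port {DB_PORT} bound to loopback only")
```

On a live system, feed it the real table (`ss -lnt` or `netstat -lnt`) instead of the constructed sample; the same check can be repeated after the firewall rules are in place, for example by connecting from another host, to confirm the port is no longer reachable. As the advisory notes, none of this blocks local connections, and the hard-coded fourth account remains usable by anyone with a shell on the server.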