Reference: http://www.securityfocus.com/archive/1/375760/2004-09-19/2004-09-25/0

On Sep 20 2004, Jonas Olsson posted:

Security advisory
=================

Advisory name: Default username/password pairs in ON Command CCM 5.x database backend
Release date:  2004-09-20
Application:   ON Command CCM 5.x
Platform:      Linux, Solaris, Windows
Severity:      An intruder can gain access to all administrator passwords and other sensitive data for managed systems
Author:        Jonas Olsson <jonas takeit se>

Summary
-------

Four default username/password pairs are present in the Sybase database backend used by ON Command CCM 5.x servers. One of the username/password pairs is publicly available in a knowledge base article at ON Technology's web site. The database accounts can be used to read and modify all data in the CCM database. The database contains, among other things, usernames and passwords for administrative accounts for all managed workstations and servers. In a default CCM installation the Sybase database server is reachable from the network on the standard Sybase database port. Two of the database account passwords are extremely easy to guess.

Vendor information
------------------

---------------------------------------snip-----------------------------

Symantec Product Security Response:

Symantec Security Advisory SYM04-014
29 September, 2004

Symantec ON Command CCM/ON iCommand Default Passwords Can Provide Unauthorized Access

Revision History
None

Risk Impact
High (heavily dependent on environment)

Overview
Symantec resolved an unencrypted default password issue reported in Symantec's ON Command CCM and ON iCommand configuration servers. A malicious user who has privileged local access to the system that hosts the server can potentially gain access to administrative information and sensitive management/configuration data. An unauthorized user who has remote access to the network could potentially gather administrative information that could be leveraged for additional system access to the server and potentially to other systems being managed.

Affected Components
Symantec ON Command CCM 5.4.x (Windows, Solaris, HP-UX, Linux)
Symantec ON iCommand 3.0.x (Windows)

Details
A posting to the SecurityFocus bugtraq list identified an issue with unencrypted default database account information that is accessible on the Symantec ON Command CCM and Symantec ON iCommand software management solutions. Administrative access and database management information is provided by default on the management server. A user with privileged local access to the system that hosts the management server could gain administrative access to the database and gather sensitive data concerning the systems that are being managed from that host. An unauthorized user with network access could potentially capture the login system calls from the server and leverage additional unauthorized access to the management server database. Unauthorized access could allow the attacker to collect additional sensitive information or to alter configuration information on managed systems.

Symantec Response
Symantec confirmed the issues reported by Jonas Olsson above and has developed solutions to resolve them. Symantec has released a patch for all affected products that removes any default passwords and provides strong administrative password management including change control and encryption. Symantec strongly recommends that customers apply the appropriate patch for their affected product versions immediately to protect against these types of threats. Product patches are available on the Symantec Enterprise Support site http://www.symantec.com/techsupp.

Symantec is not aware of any active attempts against or organizations impacted by the issues.

Mitigation
While this has potential to be a serious vulnerability, there are mitigating circumstances that greatly reduce the risk of intentional exploitation attempts:

- To gain local access to the server information, a user must have a user account on the targeted system and be logged on interactively.
- The server's default database port can be firewalled locally on the Symantec ON Command CCM server, denying access to network requests.
- Access to management servers should normally be restricted to trusted Administrators only, with restricted access to the physical systems.

CVE
CVE candidate numbers are being requested from The Common Vulnerabilities and Exposures (CVE) initiative. This advisory will be revised as required once CVE candidate numbers have been assigned. This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Symantec Product Security Contact:
Symantec takes the security and proper functionality of its products very seriously. As founding members in the Organization for Internet Safety, Symantec follows the process of responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). Please contact secure@xxxxxxxxxxxx if you feel you have discovered a potential or actual security issue with a Symantec product. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@xxxxxxxxxxxxx. The Symantec Product Security PGP key can be obtained here.

Symantec's formal Product Security Advisory for this issue can be found online at http://securityresponse.symantec.com/avcenter/security/SymantecAdvisories.html

--------------------------------------------------------------------------------

Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or parts of this alert in any medium other than electronically requires permission from secure@xxxxxxxxxxxxx

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, and secure@xxxxxxxxxxxx are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Symantec Product Security Team
Symantec takes the security of our products seriously and is a responsible disclosure company. You can view our response policies at http://www.symantec.com/security. We will work directly with anyone who believes they have found a security issue in a Symantec product to validate the problem and coordinate any response deemed necessary. Please contact secure@xxxxxxxxxxxx concerning security issues with Symantec products.