-- Corsaire Limited Security Advisory --

Title: Symantec/Axent NetProwler 3.5.x password restrictions
Date: 17.03.01
Application: Symantec/Axent NetProwler 3.5.x
Environment: WinNT
Author: Martin O'Neal [[EMAIL PROTECTED]]
Audience: General distribution

-- Scope --

The aim of this document is to clearly define some potentially unsound password practices within the NetProwler application environment as provided by Symantec/Axent [1].

-- History --

Vendor notified: 21.03.01
Document released: 09.05.01

-- Overview --

The latest version of the NetProwler intrusion detection product comes as a three-tiered architecture, consisting of agents, a management component, and a console. Access between the components is achieved via channels that are protected by passwords, which have several weak defaults and unnecessary restrictions.

-- Analysis --

The default password chosen to restrict access to the management tier is "admin", which, apart from being weak, is not required to be changed during the install process (the documentation does recommend changing this, but in the real world this might potentially be overlooked).

The password entered into the agent tier must be 8-16 characters long, and does not seem to be restricted as to which keyboard characters are entered.

The manager component needs to connect to the agent as part of its normal operation, and to achieve this, the agent password must be entered. However, the manager interface unnecessarily restricts the use of the |"\':*?<> characters, reducing the potential keyspace available and making the task of brute forcing passwords easier.

The management component itself is connected to a local MySQL database via ODBC. The passwords for these connections are by default blank (again, the documentation does recommend changing this, but in the real world this might potentially be overlooked).

-- Recommendations --

As many of us have seen in the flesh, installations are often carried out with default values, sometimes with the intention of going back and doing it 'properly' when the opportunity arises (though this might not happen for some time, if ever).

Manufacturers can help this situation by enforcing good security practice at installation time: requiring strong passwords, and selecting good default values for critical metrics.

In this particular circumstance, follow the recommendations in the documentation and change the passwords!

-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=50&PID=3061537

-- Revision --

Initial release.

Copyright 2001 Corsaire Limited. All rights reserved.

Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey GU23 7EF
Telephone: +44(0)1483-226000
Email: [EMAIL PROTECTED]
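The points raised in the Analysis section can be checked before an installation goes live. The following is an added example, not part of the original advisory or of the NetProwler product: it flags the default and blank passwords and measures how much the manager's character restriction shrinks the agent password keyspace. The function names are hypothetical, and "keyboard characters" is assumed to mean the 95 printable ASCII characters.

```python
import math
import string

# Characters the advisory says the manager interface rejects: |"\':*?<>
MANAGER_REJECTED = set('|"\\\':*?<>')
# Agent password length bounds stated in the advisory.
AGENT_MIN, AGENT_MAX = 8, 16
# Assumption: "keyboard characters" modelled as the 95 printable ASCII characters.
KEYBOARD = set(string.ascii_letters + string.digits + string.punctuation + " ")


def keyspace(alphabet_size, lo=AGENT_MIN, hi=AGENT_MAX):
    """Number of possible passwords of length lo..hi over the alphabet."""
    return sum(alphabet_size ** n for n in range(lo, hi + 1))


def keyspace_loss_bits():
    """Bits of search space lost once the rejected characters are excluded."""
    full = keyspace(len(KEYBOARD))
    reduced = keyspace(len(KEYBOARD - MANAGER_REJECTED))
    return math.log2(full) - math.log2(reduced)


def audit(manager_pw, agent_pw, mysql_pw):
    """Return findings for the three credentials the advisory discusses."""
    findings = []
    if manager_pw == "admin":
        findings.append("manager: default password 'admin' still set")
    if mysql_pw == "":
        findings.append("mysql: blank ODBC connection password")
    if not AGENT_MIN <= len(agent_pw) <= AGENT_MAX:
        findings.append("agent: length outside 8-16 characters")
    rejected = sorted(set(agent_pw) & MANAGER_REJECTED)
    if rejected:
        # Such a password works on the agent but cannot be typed into the manager.
        findings.append("agent: characters the manager rejects: " + "".join(rejected))
    return findings


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    for line in audit("admin", "pass:word?123", ""):
        print(line)
    print("keyspace lost to character restriction: %.2f bits" % keyspace_loss_bits())
```

Under the stated assumption the restriction removes 9 of 95 characters, which costs a little over two bits across the 8-16 character range.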