-- Corsaire Limited Security Advisory --

Title: Symantec/Axent NetProwler 3.5.x database configuration
Date: 07.04.01
Application: Symantec/Axent NetProwler 3.5.x
Environment: WinNT
Author: Martin O'Neal [[EMAIL PROTECTED]]
Audience: General distribution

-- Scope --

The aim of this document is to clearly define some issues related to a potentially unsound database configuration within the NetProwler application environment as provided by Symantec/Axent [1].

-- History --

Vendor notified: 07.04.01
Document released: 09.05.01

-- Overview --

The latest version of the NetProwler intrusion detection product comes as a three-tiered architecture, consisting of agents, a management component, and a console. Both configuration and auditing information is stored within a MySQL database hosted locally on the management tier of the product. This database is exposed unnecessarily to potential network scrutiny due to being configured by default to listen to all local IP addresses.

----------------------------snip----------------------------

Symantec worked closely with Corsaire Limited on this issue. The accompanying Security Alert was released to NetProwler customers in response to the potential risk in the MySQL configuration as shipped with NetProwler 3.5.x. Symantec recommends following proper install configurations as outlined in the NetProwler product installation instructions as well as the guidelines provided in the Symantec Security Alert below. Our thanks, once again, to Corsaire Limited for working with Symantec on this issue.

SARC
[EMAIL PROTECTED]
http://www.symantec.com/avcenter/security/Content/2001_05_08.html

8 May, 2001

Symantec NetProwler 3.5.x MySQL database configuration allows possible remote access

Affected: NetProwler 3.5.x, NT version

Overview:
Following is information received from Corsaire Limited, describing a potential risk to NetProwler customers due to a weakness in the default install configuration of the MySQL database.

"The latest version of the NetProwler intrusion detection product comes as a three-tiered architecture, consisting of agents, a management component, and a console. Both configuration and auditing information is stored within a MySQL database hosted locally on the management tier of the product. This database is exposed unnecessarily to potential network scrutiny due to being configured by default to listen to all local IP addresses."

Details:
NetProwler version 3.5.x ships with the MySQL version 3.22.24 database. The NetProwler manager communicates with the MySQL service using named pipes. This method of communication does not require configuring the MySQL service to accept incoming connections on any port. However, MySQL version 3.22.24 is installed in a default configuration, and by default MySQL version 3.22.24 is configured to accept inbound connections on port 3306. As a result, a hacker with internal network access could potentially connect remotely to the MySQL port and compromise the NetProwler configuration database, provided they knew the MySQL username and password. Access to the MySQL database would allow an attacker to modify existing entries or delete the database entirely.

Risk Impact: Medium

Solution:
NOTE: This is not a security problem with the NetProwler tool, but rather with the default configuration of the accompanying MySQL database. However, due to the potential risk that an attacker could bypass the MySQL password authentication scheme, Symantec has the following security configuration recommendations.

In addition to ensuring that the default NetProwler manager and MySQL usernames and passwords are changed during the installation process, as documented in the installation instructions, Symantec recommends that our customers configure their NetProwler environment to disallow the MySQL service from accepting any connections through port 3306 or the Microsoft Networking protocol NetBIOS/SMB. This will require that our customers install both the NetProwler manager and the respective database on the same machine. (Note: This is the default installation.) Following these recommended guidelines will ensure that the NetProwler MySQL database will not be susceptible to a remote attack as described in the Corsaire advisory.

Verification of vulnerable configuration:
The following procedure checks whether the MySQL service is configured to accept remote connections on the local machine. On the NetProwler Manager machine proceed as follows:

1. From the Start menu, select Program Files followed by Command Prompt.
2. At the command prompt type:
   netstat -a

This will display a list of services listening on the current machine. In the Local address column, if one of the lines contains -- <machine name>:3306 -- then this confirms that the MySQL service is listening on its default port 3306. Given this is the case, please proceed to the next steps to disable this service.

Disabling remote access to MySQL service
The MySQL service is accessible via TCP/IP on port 3306, and via SMB.

Disabling access to MySQL via TCP/IP
The following steps stop the MySQL service from listening for connections on the default port 3306.

1. Stop the NetProwler Manager and any NetProwler Consoles (if running).
2. Run Notepad.
3. Open the file c:\my.cnf
4. The file should contain two lines:
   [mysqld]
   basedir=c:\\mysql
5. Add the line "skip-networking", so the file should look like:
   [mysqld]
   basedir=c:\\mysql
   skip-networking
   Note: Advanced users may have modified the default my.cnf that ships with NetProwler. These users need only add the line "skip-networking" in the section noted, [mysqld], as stated above.
6. Save the file and exit Notepad.

Disabling access to MySQL via SMB

1. From the Start menu, choose Control Panel.
2. Double-click the Services icon.
3. Select Computer Browser from the list of services. Click the Startup button. Set the Startup Type to "Disabled" and click Ok.
4. Repeat Step 3 for the Server service.
5. Restart the workstation.

Validation of removal for remote access to MySQL
The following procedure checks whether the MySQL service is configured to accept remote connections on the local machine. On the NetProwler Manager machine proceed as follows:

1. From the Start menu, select Program Files followed by Command Prompt.
2. At the command prompt type:
   netstat -a

This will display a list of services listening on the current machine. If no line in the Local address column contains <machine name>:3306, this confirms that the MySQL service is no longer listening on its default port 3306.

Credit:
Symantec wishes to thank Martin O'Neal of Corsaire Limited for his excellent coordination in identifying and helping resolve this issue.

Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this Bulletin electronically is granted as long as it is not edited in any way unless authorized by the SARC. Reprinting the whole or part of this Bulletin in a medium other than electronic requires permission from Sym [EMAIL PROTECTED]

Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, NetProwler and Sym Security are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
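The two checks the advisory has the administrator perform by hand, scripted as an added example (not code from the advisory or from Symantec): the netstat scan for a TCP listener on port 3306 from the verification and validation steps, and the my.cnf inspection from step 5 of the TCP/IP section, which only counts "skip-networking" when it sits inside the [mysqld] section. The netstat text and the my.cnf contents are constructed samples; the machine name "npmanager" is an assumption.

```python
# Added example (not the advisory's own code): checks for the two hardening steps above.

def mysql_listeners(netstat_output, port=3306):
    """Local addresses in 'netstat -a' output that are TCP LISTENING on port."""
    rows = [l.split() for l in netstat_output.splitlines()]  # Proto, Local, Foreign, State
    return [f[1] for f in rows if len(f) >= 4 and f[0].upper() == "TCP"
            and f[3].upper() == "LISTENING" and f[1].endswith(":%d" % port)]

def _options(my_cnf_text):
    """Yield (section, option) pairs; '#' comments and blank lines are skipped."""
    section = None
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif line:  # 'key=value' or a bare flag such as skip-networking
            yield section, line.split("=", 1)[0].strip().lower().replace("_", "-")

def has_skip_networking(my_cnf_text):
    """True only when skip-networking sits inside [mysqld], as step 5 requires."""
    return any(s == "mysqld" and o == "skip-networking" for s, o in _options(my_cnf_text))

def add_skip_networking(my_cnf_text):
    """Return my.cnf text with skip-networking appended to [mysqld]; idempotent."""
    if has_skip_networking(my_cnf_text):
        return my_cnf_text
    lines, at = my_cnf_text.splitlines(), None
    for i, line in enumerate(lines):
        s = line.strip().lower()
        if s == "[mysqld]":
            at = i + 1
        elif at is not None and s.startswith("["):
            break                  # next section begins: stop extending [mysqld]
        elif at is not None and s:
            at = i + 1             # place the flag after the section's last option
    if at is None:                 # no [mysqld] section at all: create one
        lines += ["[mysqld]", "skip-networking"]
    else:
        lines.insert(at, "skip-networking")
    return "\n".join(lines) + "\n"

# Constructed samples standing in for real 'netstat -a' output and c:\my.cnf.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    npmanager:3306         0.0.0.0:0              LISTENING
  TCP    npmanager:1045         fileserver:139         ESTABLISHED
  UDP    npmanager:137          *:*
"""
DEFAULT_MY_CNF = "[mysqld]\nbasedir=c:\\\\mysql\n"
```

Run the listener check before and after the my.cnf change and a service restart: a non-empty result means the default port is still exposed.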