COMMAND

    WebTrends Software

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Internet Security Systems (ISS) X-Force has discovered a  security
    hole  in  many  WebTrends  products  that allows access to service
    account and MAPI usernames  and passwords.  WebTrends  specializes
    in  providing  enterprise  management  solutions  software.   Most
    WebTrends software provides the capability to run at startup as  a
    Windows NT  service and  use a  MAPI profile  to send  reports via
    e-mail.   All  of  the  vulnerable  programs  store the NT service
    account  and  password,  as  well  as  the  MAPI  profile name and
    password,  in  a  file  with  'Everyone: Full Access' permissions.
    Remote  and  local  attackers  can  discover  the  service account
    username  and  password  (which,  by  definition,  has  to  be  an
    Administrator account)  and the  MAPI profile  name and  password.
    The  file  is  in  the   installation  directory  and  is   called
    'WebTrend.INI'.    Although  the   password  is   encrypted,   the
    encryption  algorithm  is  simple  and  the password can be easily
    decoded.

    The vulnerability only  applies to systems  using the MAPI  and NT
    service  features  in  the  following  or  earlier versions of the
    applications currently  identified as  vulnerable by  ISS X-Force:
    WebTrends for  Firewalls v1.2,  WebTrends Security  Analyzer v2.0,
    WebTrends Professional Suite v3.01, WebTrends Log Analyzer  v4.51,
    and WebTrends Enterprise Suite v3.5.  All applications run on  the
    Windows NT platform.

SOLUTION

    If you use the MAPI or NT service feature in any of the vulnerable
    products, install the latest versions of the product that  include
    the  128-bit  encryption   algorithm.   These  versions   include:
    WebTrends  for  Firewalls  v1.2b  Build  4163,  WebTrends Security
    Analyzer  v2.1a  Build  8043,  WebTrends Professional Suite v3.01a
    Build  4053,  WebTrends  Log  Analyzer  v4.51a  Build  4108,   and
    WebTrends Enterprise  Suite v3.5a  Build 4212.   In addition,  ISS
    X-Force and WebTrends recommend  that you modify the  ACL settings
    to an appropriate level of  security for the user of  that system.
    Specifically, remove the  'Everyone: Full Control'  permission and
    add 'Administrators:  Full Control',  so only  administrators have
    access  to  the  file.   To  do  this,  open the directory for the
    application in Windows NT Explorer, right click on  WebTrends.INI,
    go  to  'Properties',  select  the  'Security'  tab, and click the
    'Permissions' button.  There will be a dialog that will allow  you
    to adjust  the permissions  on the  file.   Customers who  are not
    able to download the most recent versions should not use the  MAPI
    and NT Service options in WebTrends products.