COMMAND

    Axent

SYSTEMS AFFECTED

    Axent ESM 5.0.1 Console

PROBLEM

    Todd found following.  Axent's  latest release of its ESM  product
    was redesigned and supposedly revamped around it's new "Management
    Console".  The  new management console  is based on  an underlying
    Access Database.  The console is password protected each time  the
    application is launched.  However,  when the user wants to  change
    the console password,  the next time  the application is  launched
    the database is inaccessible because the code does not update  the
    password on the database file.

    The console that  is currently available  in version 5.0.1  stores
    all manager data in an Access DB file

        c:\program files\Axent\ESM Enterprise Console\Database\user.mdb

    locally on the user's machine after policy runs are viewed and any
    trend  analysis  is  performed   across  various  managers.    The
    workaround that  Axent proposes  is manager-related  only and does
    not fix the local password issue for the console (see below).  The
    connect as feature  on the manager  only allows you  to connect to
    the manager  and does  not update  the local  database because the
    password passed to the database is still not recognized by  Access
    due to the change  in the console that  is not linked back  to the
    DB.   The  local  database  stores  all  manager  data  after it's
    viewing and by following Axent's original work around of disabling
    the Access  password on  the database  file, the  user leaves  all
    vulnerability information for his  agents in an Access  DB without
    a password.   This becomes a  security issue if  the local machine
    is compromised.   And considering the  console runs only  on NT or
    Windows 95, this becomes very  easy.  Axent continuously fails  to
    thoroughly QA their products and  this is only a defense  for poor
    product management  not a  valid work  around.   It should also be
    noted  that  Access  is  not   a  secure  mechanism  for   storing
    vulnerability data  and that  passwords on  Access DBs  are easily
    cracked,  therefore  disabling  the  password really means nothing
    more than a few minutes saved in a compromise of the local  system
    running the console.

SOLUTION

    However, question is what is  the security issue is here.   Sounds
    like ESM is doing a good thing by passwording the console, but has
    a bug in the password change code.  If they're using the MS Access
    native security, recovering the password is trivial, so in essence
    there is no  security there at  all.  One  could make a  case that
    there  should  be,  but  the  bug  in  password changing is hardly
    relevant to  that.   Finally, tech  support's recommendation  that
    the password be removed from  the DB is perfectly reasonable  when
    you consider that it is utterly useless anyway.

    The Work-Around:

        1.  Log into the ESM console with the new password.
        2.  Choose the "Connect as..." command from the pop-up menu by
            right clicking on the ESM manager from which you  received
            the above error.
        3.  Enter the  manager username  and password  in the  manager
            login dialog that is  displayed, and check the  "Save name
            and password" option.
        4.  Repeat steps  2 and 3 for  each ESM manager for  which you
            want to save the password.
        5.  From this point on, the ESM console will operate normally.

    The  above  issue  does  not  compromise  the  security of the ESM
    manager  or  console.   Only  authenticated  users can access ESM.
    Please  contact  your  AXENT  support  representative  if you have
    additional questions.