COMMAND

    CourseInfo

SYSTEMS AFFECTED

    Blackboard CourseInfo 4.0

PROBLEM

    James Megna found the following.  First of all, Blackboard CourseInfo
    4.0 stores a local administrator username and password in clear
    text in the registry.  Unless an administrator has hardened their
    registry against remote access by non-administrators, an attacker
    can connect to the server and obtain an administrator username
    and password without much fuss.

    The key is located here:

        HKEY_LOCAL_MACHINE\SOFTWARE\Blackboard, Inc.\CourseInfo40

    The first three values are:

        DB_ConnectString    /* SQL Admin username and password, also clear text */
        DefaultPassword     /* Password for specified admin account */
        DefaultUser         /* Admin account name */

    It doesn't get much easier than that, eh?

    As  part  of  the  installation  procedure,  you are instructed to
    create  a  user  and  configure  it  as  an  administrator.    The
    technician James spoke to on the phone stated that using a  member
    server not participating in any domain was highly recommended, but
    the installation instructions do not state this.

    Blackboard, Inc. has been contacted about this and has
    recommended the following solution:

        The default permissions do not restrict who has remote  access
        to  the  registry.   Only  administrators  should  have remote
        access to the registry.   The Registry Editor supports  remote
        access to the Windows NT registry.  To restrict network access
        to the registry:

        1. Add the following key to the registry:
          Hive
               HKEY_LOCAL_MACHINE\SYSTEM
          Key
               \CurrentControlSet\Control\SecurePipeServers
          Value Name
               \winreg

        2. Select  winreg,  click  the  Security menu, and then  click
           Permissions.

        3. Set  the Administrators  permission to  Full Control,  make
           sure no other users or groups are listed, then click OK.

        The security permissions (ACLs)  set on this key  define which
        users or groups can connect to the system for remote  registry
        access.

    So the clear text password will  stay.  Anyway, that brings us  to
    the winreg issue.  James was  a little confused -- he thought  the
    security settings for  this key were  fixed several service  packs
    ago.  On the  member server in question,  here were the rights  to
    the winreg key:

        BUILTIN\Account Unknown         Special Access
        CREATOR OWNER                   Full Control
        Everyone                        Read
        SYSTEM                          Full Control
        [server name]\Administrators    Full Control

    On all of  the member servers  which were moved  straight from SP1
    to  SP5  (this  one  included),  the  key was insecure.  On member
    servers  that  were  stepped  up  SP1  ->  SP3 -> SP5, the key was
    secure.   On all  domain controllers,  the key  was secure.   Some
    DC's had been given SP3, and some had gone straight to 5.

    On just about every workstation  reviewed, the winreg key was  not
    secure.  On a couple, the winreg key was missing entirely.
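
    Since the state of the winreg key varied from host to host, it is
    worth checking each machine rather than assuming a service pack fixed
    it.  The following is an added example, not code from Blackboard or
    from the original report: it compares the key's ACL to step 3 of the
    workaround.  The function name Test-WinregAcl is hypothetical, and it
    assumes a host with PowerShell and rights to read the key's ACL.

```powershell
# Added example, not vendor code. Audits the winreg key ACL against step 3 of
# the workaround: Administrators = Full Control, no other users or groups.
function Test-WinregAcl {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
        # Assumption: S-1-5-32-544 (BUILTIN\Administrators) is the only allowed SID.
        [string[]]$AllowedSids = @('S-1-5-32-544')
    )

    if (-not (Test-Path -Path $Path)) {
        # The advisory saw hosts with no winreg key at all: there is no ACL to check.
        return [pscustomobject]@{ Status = 'KeyMissing'; Findings = @() }
    }

    $full  = [int][System.Security.AccessControl.RegistryRights]::FullControl
    # Ask for SIDs instead of names so the check does not depend on locale.
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $adminFull = $false
    $findings  = @()
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($AllowedSids -contains $sid) {
            if (([int]$ace.RegistryRights -band $full) -eq $full) { $adminFull = $true }
            continue
        }
        # Any other principal (Everyone = S-1-1-0, unresolved SIDs, ...) is a finding.
        $findings += [pscustomobject]@{ Sid = $sid; Rights = $ace.RegistryRights }
    }
    if (-not $adminFull) {
        $findings += [pscustomobject]@{ Sid = $AllowedSids[0]; Rights = 'FullControl missing' }
    }

    $status = if ($findings.Count -eq 0) { 'Secure' } else { 'Insecure' }
    [pscustomobject]@{ Status = $status; Findings = $findings }
}

Test-WinregAcl | Format-List
```

    With the default -AllowedSids, every entry in the listing above other
    than Administrators is reported as a finding, which matches the
    vendor's instruction that no other users or groups be listed.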

SOLUTION

    This does NOT affect clients  using CourseInfo 4.0 on Unix  or any
    client who has upgraded to  Blackboard 5.  The Blackboard  product
    development team has developed a fix that will generate the  level
    of security  that our  customers expect.   The patch  encrypts the
    information  that  Blackboard  stores  within the System Registry.
    You can have direct access to the download at

        http://company.blackboard.com/Support/files/Courseinfo4hotfix.exe