COMMAND
NetProwler
SYSTEMS AFFECTED
Symantec/Axent NetProwler 3.5.x database configuration
PROBLEM
Martin O'Neal (Corsaire Limited Security Advisory) found the
following. The aim of this document is to clearly define some
issues related to a potentially unsound database configuration
within the NetProwler application environment as provided by
Symantec/Axent.
The latest version of the NetProwler intrusion detection product
comes as a three-tiered architecture, consisting of agents, a
management component, and a console. Both configuration and
auditing information is stored within a MySQL database hosted
locally on the management tier of the product. This database is
exposed unnecessarily to potential network scrutiny due to being
configured by default to listen to all local IP addresses.
The MySQL database included with the NetProwler product is used
to store both configuration and auditing information on the
management tier. This is accessed via an ODBC connection on the
default MySQL port (TCP/3306).
Because it is possible to connect to the databases remotely, if
the correct access password can be obtained, it is possible to
amend the data contained within them, or simply delete the
databases causing a denial of service in the management tier.
In theory, using this flaw it is feasible to disable the IDS
capabilities of NetProwler, perform whatever attack is required,
and then reconfigure the host to its prior state.
As a proof of concept, a tool was created that simply deletes the
NetProwler databases causing a denial of service. This was
provided to the vendor, but will not be made freely available.
SOLUTION
The MySQL databases do not need to be accessed by remote systems,
so the MySQL engine can be configured to listen to localhost only.
To do this, edit the c:\my.cnf file and add the following line,
then restart the host:
[MySQLd]
bind-address=127.0.0.1
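To verify the fix on a management host, the option file can be checked rather than trusted. The following is an added example, not part of the advisory or of the NetProwler product: it parses a my.cnf in the way the server does (group names case-insensitive, last value wins) and reports whether [mysqld] is pinned to loopback. The two sample files are constructed for the example.

```python
import ipaddress

# Constructed sample option files: one as shipped (no bind-address), one fixed.
UNFIXED_CNF = """[mysqld]
datadir=c:/mysql/data
port=3306
"""
FIXED_CNF = """# my.cnf after applying the advisory's fix
[MySQLd]
datadir=c:/mysql/data
bind-address=127.0.0.1
"""

def parse_option_file(text):
    """Return {group: {option: value}} for an INI-style MySQL option file.
    Group names are lower-cased ([MySQLd] and [mysqld] are one group), '#' and
    ';' comment lines are skipped, and a repeated option keeps its last value."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            groups.setdefault(current, {})
            continue
        if current is None:
            continue  # options before any group header are ignored
        key, _, value = line.partition("=")
        # MySQL treats '-' and '_' in option names as equivalent; normalise to '-'
        groups[current][key.strip().lower().replace("_", "-")] = value.strip()
    return groups

def listens_on_loopback_only(text):
    """True when the [mysqld] group pins the listener to a loopback address."""
    addr = parse_option_file(text).get("mysqld", {}).get("bind-address")
    if addr is None:
        return False  # no bind-address: the engine listens on every local IP
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.lower() == "localhost"

def audit(text):
    """One-line finding for an option file, suitable for a host-audit script."""
    port = parse_option_file(text).get("mysqld", {}).get("port", "3306")
    if listens_on_loopback_only(text):
        return f"OK: mysqld bound to loopback on TCP/{port}"
    return f"EXPOSED: mysqld on TCP/{port} listens on all local IPs; add bind-address=127.0.0.1 under [mysqld]"
```

Run `audit(open(r"c:\my.cnf").read())` on the management tier; an EXPOSED result means the default listener is still reachable from the network.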
Symantec issued an advisory to address this. Please see it at:
http://www.symantec.com/avcenter/security/Content/2001_05_08.html