COMMAND

    NetProwler

SYSTEMS AFFECTED

    Symantec/Axent NetProwler 3.5.x

PROBLEM

    Martin O'Neal of Corsaire Limited found the following (Corsaire
    Limited Security Advisory).  The aim of this document is to clearly
    define  some potentially  unsound password  practices  within  the
    NetProwler application environment as provided by Symantec/Axent.

    The latest version of  the NetProwler intrusion detection  product
    comes  as  a  three-tiered  architecture,  consisting of agents, a
    management  component,  and   a  console.    Access  between   the
    components  is  achieved  via  channels  that  are  protected   by
    passwords,  which  have  several  weak  defaults  and  unnecessary
    restrictions.

    The default password chosen  to restrict access to  the management
    tier is "admin", which apart  from being weak, is not  required to
    be  changed  during  the  install  process (the documentation does
    recommend  changing  this,  but  in  the  real  world  this  might
    potentially be overlooked).

    The password entered into the agent tier must be 8-16  characters
    long, and does not appear to be restricted as to  which  keyboard
    characters may be used.  The manager component needs  to  connect
    to the agent as part of its normal operation, and to achieve  this
    the agent password must be entered into the manager.  However, the
    manager  interface unnecessarily rejects the characters |"\':*?<>,
    so in practice an agent password must avoid them.  If  the  agent
    accepts the full printable ASCII set, this leaves 86 of  the  95
    possible  characters,  reducing  the  keyspace  an  attacker  must
    search and making the task of brute forcing passwords easier.

    The  management  component  itself  is  connected to a local MySQL
    database via  ODBC.   The passwords  for these  connections are by
    default blank  (again, the  documentation does  recommend changing
    this, but in the real world this might potentially be overlooked).

SOLUTION

    As many of us have seen in the flesh, installations are often carried
    out with default values, sometimes with the intention of going  back
    and doing it 'properly' when the  opportunity  arises  (though  this
    might not happen for some time, if ever).

    Manufacturers can help this situation by enforcing  good  security
    practice  at  installation  time:  requiring  strong passwords and
    selecting good default values for security-critical settings.

    In this particular circumstance, follow the recommendations in the
    documentation and change the passwords: replace the  "admin"  default
    on  the  management  tier,  set  passwords  on  the  ODBC/MySQL
    connections, and choose agent passwords that avoid  the  characters
    the manager interface rejects so the manager can still connect.