COMMAND
ScanMail
SYSTEMS AFFECTED
Trend Micro's ScanMail for Exchange 3.5 Evaluation (possibly others)
PROBLEM
Following is based on a STAT Security Advisory. Trend Micro's
ScanMail for Exchange (version 3.5) stores the credentials of
users in the system registry with no protection. These
credentials apply to the NT domain, and include a valid NT domain
or system username, the NT domain name, and password. This occurs
in at least two places, once when the product is installed and
once for use by the Management Console. Since both installation
and management require administrative privileges, the
administrative account for the system or for the entire domain
can be compromised.
Several registry values are created during installation and during
use of the product's Management Console to store the credentials
of the last user to log on. These credentials are valid at least
on the server, and possibly valid on the entire domain depending
on the last user to log in. Additionally, these keys are created
with Everyone set to Special Access, which includes the ability to
read the values. The usernames and passwords are rolled right a
number of characters and then XOR'ed with a constant key
(0xB15A0E707EEDEB80F70FB78F1399).
For example, if the Administrator's password is "test", then one of
the following values would be stored:
C53F7D04
-or-
3F7D04C5
-or-
7D04C53F
-or-
04C53F7D
The result is a possible administrative compromise of a system
(or quite possibly an entire domain).
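The following is an added example, not code from the advisory or from Trend Micro. It reproduces the storage scheme the advisory describes (XOR against the constant key, then a roll right) so that the "test" example above can be checked, and it shows the security point: the only secret is a fixed key shipped with the product, so the same operation that writes the value also reads it back. One assumption is made to reproduce the four listed values: the roll is applied to the XOR output (rolling the password first does not yield the values shown), and the key is assumed to cycle for inputs longer than 14 bytes.

```powershell
# Added example, not from the advisory or from Trend Micro. Reproduces the
# obfuscation the advisory describes to show it is reversible with the fixed key.
# Assumptions: the roll is applied after the XOR; the key repeats for long inputs.
$Key = [byte[]](0xB1,0x5A,0x0E,0x70,0x7E,0xED,0xEB,0x80,0xF7,0x0F,0xB7,0x8F,0x13,0x99)

function Invoke-XorWithKey([byte[]]$Data) {
    # XOR is its own inverse: calling this twice returns the original bytes.
    $Out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $Out[$i] = $Data[$i] -bxor $Key[$i % $Key.Length]
    }
    return ,$Out
}

function Invoke-RotateRight([byte[]]$Data, [int]$Count) {
    # Roll the byte string right by $Count positions; a negative count rolls left.
    if ($Data.Length -eq 0) { return ,$Data }
    $n = (($Count % $Data.Length) + $Data.Length) % $Data.Length
    if ($n -eq 0) { return ,$Data }
    $Tail = $Data[($Data.Length - $n)..($Data.Length - 1)]
    $Head = $Data[0..($Data.Length - $n - 1)]
    return ,([byte[]]($Tail + $Head))
}

function ConvertTo-StoredValue([string]$Password, [int]$Roll = 0) {
    # Password -> XOR with constant key -> roll right -> upper-case hex (as in the registry).
    $Bytes  = [Text.Encoding]::ASCII.GetBytes($Password)
    $Rolled = Invoke-RotateRight (Invoke-XorWithKey $Bytes) $Roll
    return ($Rolled | ForEach-Object { $_.ToString('X2') }) -join ''
}

function ConvertFrom-StoredValue([string]$Hex, [int]$Roll = 0) {
    # The reverse path needs nothing beyond the same constant key.
    $Bytes = [byte[]](0..($Hex.Length / 2 - 1) |
        ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) })
    $Unrolled = Invoke-RotateRight $Bytes (-$Roll)
    return [Text.Encoding]::ASCII.GetString((Invoke-XorWithKey $Unrolled))
}

# The advisory's example: "test" gives C53F7D04 and its three rolls
# (3F7D04C5, 7D04C53F, 04C53F7D), in whichever order the roll count produces them.
0..3 | ForEach-Object { '{0}: {1}' -f $_, (ConvertTo-StoredValue 'test' $_) }
# Round trip with no secret involved.
ConvertFrom-StoredValue 'C53F7D04' 0
```

Because the key is constant and embedded in the product, knowing it is equivalent to knowing every stored password; this is obfuscation, and the registry ACL is the only thing standing between a local user and the domain credential.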
This vulnerability was discovered and researched by Jon Maucher
and Bill Wall of Harris Corporation.
SOLUTION
Trend Micro recommends, as a temporary fix, setting the permissions
on the following keys (and all sub-keys) to Full Control for
Administrators and SYSTEM only, removing all other permissions:
HKLM\Software\TrendMicro\ScanMail for Exchange\RemoteManagement
HKLM\Software\TrendMicro\ScanMail for Exchange\UserInfo
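The script below is an added example, not Trend Micro's own fix procedure. It audits the two keys listed above for any access entry belonging to a principal other than Administrators and SYSTEM (the Everyone entry the advisory describes would be reported here), and with -Apply it replaces the ACL with the vendor's temporary fix: Full Control for Administrators and SYSTEM only, with inheritance from the parent key disabled so the Everyone entry cannot flow back in. The key paths are the ones the advisory names; the script assumes it is run from an elevated PowerShell prompt on the Exchange server.

```powershell
# Added example (not Trend Micro's own fix). Audits the two registry keys named
# in the advisory; with -Apply, replaces their ACLs with Full Control for
# Administrators and SYSTEM only. Run from an elevated PowerShell prompt.
param([switch]$Apply)

$Keys = @(
    'HKLM:\Software\TrendMicro\ScanMail for Exchange\RemoteManagement',
    'HKLM:\Software\TrendMicro\ScanMail for Exchange\UserInfo'
)
$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

foreach ($KeyPath in $Keys) {
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Output "$KeyPath : key not present"
        continue
    }
    $Acl = Get-Acl -LiteralPath $KeyPath

    # Report every ACE whose principal is not one of the two allowed accounts.
    $Unexpected = @($Acl.Access | Where-Object { $Allowed -notcontains $_.IdentityReference.Value })
    foreach ($Ace in $Unexpected) {
        Write-Output ('{0} : {1} {2} {3}' -f $KeyPath, $Ace.AccessControlType,
                      $Ace.IdentityReference, $Ace.RegistryRights)
    }
    if ($Unexpected.Count -eq 0) {
        Write-Output "$KeyPath : only Administrators and SYSTEM have access"
    }

    if ($Apply) {
        # Break inheritance without copying the inherited ACEs, then drop any
        # explicit ACEs, so only the two rules added below remain.
        $Acl.SetAccessRuleProtection($true, $false)
        foreach ($Ace in @($Acl.Access)) { [void]$Acl.RemoveAccessRule($Ace) }
        foreach ($Principal in $Allowed) {
            $Rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $Principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $Acl.AddAccessRule($Rule)
        }
        # Inheritance flags on the new rules carry them down to inheriting sub-keys.
        Set-Acl -LiteralPath $KeyPath -AclObject $Acl
        Write-Output "$KeyPath : ACL replaced"
    }
}
```

Run it once without -Apply to see which principals currently hold access, then with -Apply to enforce the vendor's interim permissions. Sub-keys that have their own protected ACLs do not pick up the new rules through inheritance, so after applying, repeat the audit over Get-ChildItem -Recurse on each key to confirm nothing below still grants access to other principals.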
The vendor is implementing a new encryption method that will be
available in version 5.1 of ScanMail for Exchange.