COMMAND

    Tivoli Management Framework

SYSTEMS AFFECTED

    Tivoli Management Framework

PROBLEM

    Duct Tape posted the following.  During a penetration test he was
    able to gain full access to other machines inside a customer's DMZ
    network because of Tivoli.

    A Cisco PIX firewall protected a set of Internet Web and database
    servers in a DMZ from the Internet.  The same PIX also protected the
    internal network from the Internet.  The machines in the DMZ were a
    mix of NT and Unix.  The internal network had a Tivoli management
    station which monitored both the DMZ machines and the internal
    machines.

    He was able to break into an IIS server that had not been patched
    for the CGI decode vulnerability.  Through that hole he uploaded a
    program to the Windows host that spoofs the host name and IP address
    of the sending machine.  With this tool he could send commands to
    every other Unix machine in the same DMZ, and those commands were
    executed with the privileges of the Tivoli management station: the
    managed hosts accept commands from the management station on the
    strength of its name and address, both of which a compromised host
    on the same network can forge.

    Tivoli requires rexec (TCP port 512) to be running on its managed
    hosts.  When those hosts are reachable from the Internet, there is a
    serious risk that Tivoli will allow full access to every machine in
    your DMZ.

SOLUTION

    Tivoli requires rexec only during the initial install of the
    framework.  For the brief time that one-time operation takes, the
    host's Internet connectivity can be cut off.  What actually happens
    is that the people who install Tivoli sometimes forget to stop the
    service once the framework is installed, and/or forget to re-edit
    inetd.conf, so... the next time the system is restarted...
    After the install, verify on every managed host that the exec entry
    in inetd.conf is commented out and that nothing is listening on port
    512, and check again after the next reboot.
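    The check and clean-up described above, as an added example.  This
    is not code from the original post and not part of Tivoli's own
    tooling; it assumes the classic inetd.conf syntax ("exec stream tcp
    nowait root /usr/sbin/rexecd rexecd") and is run here against a
    constructed sample file rather than the real /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the advisory or from Tivoli: audit an inetd.conf
# for the rexec ("exec", tcp/512) entry the framework install leaves behind
# and comment it out.  Assumed line format (classic inetd):
#   exec   stream  tcp  nowait  root  /usr/sbin/rexecd  rexecd

# Return 0 (true) if FILE has an uncommented exec/tcp entry, 1 otherwise.
rexec_enabled_in() {
    grep -Eq '^[[:space:]]*exec[[:space:]]+stream[[:space:]]+tcp' "$1"
}

# Print the number of active exec/tcp entries in FILE (0 when none).
count_rexec_in() {
    grep -Ec '^[[:space:]]*exec[[:space:]]+stream[[:space:]]+tcp' "$1" || true
}

# Comment out every active exec/tcp entry in FILE, rewriting it via a
# temporary copy.  Returns 0 if an entry was disabled, 1 if nothing to do.
disable_rexec_in() {
    file="$1"
    rexec_enabled_in "$file" || return 1
    sed -E 's/^([[:space:]]*exec[[:space:]]+stream[[:space:]]+tcp)/#\1/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo against a constructed sample (not a real host's inetd.conf).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd    ftpd
exec    stream  tcp  nowait  root  /usr/sbin/rexecd  rexecd
telnet  stream  tcp  nowait  root  /usr/sbin/telnetd telnetd
EOF

if rexec_enabled_in "$demo_conf"; then
    echo "rexec entries active: $(count_rexec_in "$demo_conf"); disabling"
    disable_rexec_in "$demo_conf"
fi
if rexec_enabled_in "$demo_conf"; then
    echo "rexec is still enabled"
else
    echo "rexec disabled; remember to HUP inetd so the change takes effect"
fi
rm -f "$demo_conf" "$demo_conf.tmp"
```

    Editing the file is only half the job: the running inetd keeps its
    old configuration until it is signalled (kill -HUP on its pid), and a
    listener check on port 512 after a reboot is the real proof that the
    service stays off.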