COMMAND

    Tumbleweed Worldsecure (MMS)

SYSTEMS AFFECTED

    Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk Worldsecure) Version: 4.3 - 4.5 (all builds)

PROBLEM

    'NT HATER' recently discovered the following vulnerability. The
    product uses Microsoft's MSDE (database engine), which is a
    stripped-down version of Microsoft SQL Server 7.0. During the
    setup stage, you are never asked for the 'sa' account password,
    which may lead us to think that the application is either
    generating a random password every time it installs or the
    password is the same for all installations. Well, after further
    research it was discovered that the password is left BLANK!!!
    This is a huge remotely exploitable vulnerability. After someone
    remotely connects to the database (with the 'sa' account and NO
    PASSWORD) he is able to delete the databases (denial of service,
    product becomes unusable) and modify the data (customer
    certificates, configuration of the product, logs, etc.).

SOLUTION

    So long as the installation instructions have you change the
    password prior to putting the machine into production, it is not
    fair to blame this on either Microsoft or Tumbleweed. After all,
    even Oracle Enterprise (as well as all other Oracles) gives the
    sys and system users well-known passwords at install time. It is
    up to a competent administrator to change those passwords or else
    risk the inevitable.

    Tumbleweed has known about this for a while now, but has made no
    public announcement. The 'workaround' they proposed was to assign
    an 'sa' password, but that seems to break the product.

    For official response, see:

        http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm