RE: Missing admin sql password in Okena StormWatch

From: Marcus Gavel (mgavelat_private)
Date: Wed Dec 18 2002 - 15:30:49 PST


    <Response from the Okena Team> 
    
    Background: StormWatch is a security product that uses a central database to
    hold security configuration information that is used to control a number of
    security agents. In the text below, the server refers to the StormWatch
    central database server.
    
    The issue reported in the bugtraq message "Missing admin sql password in
    Okena StormWatch" -- null "sa" password permits anybody to connect to the
    StormWatch database -- has been studied. 
    
    The StormWatch product install ensures that the "sa" user password is set to
    a random value. It also sets the database authentication type to "Windows".
    This latter step prevents all users from connecting to the database unless
    they are the local Windows administrator and they use their Windows
    credentials. During a database upgrade (say moving from MSDE sp1 to MSDE
    sp2), the "sa" user password is reset to null. However, the authentication
    type remains "Windows", which prevents any user from using the "sa" account.
    
    We received more information about the reported issue that said that a local
    administrator had access to the database via ODBC, with no password being
    entered. This is the expected behavior, as the local Windows administrator
    has full access to the database for maintenance purposes. The null "sa"
    password was perceived to be the reason why no password was required, but
    the real reason was that the local administrator credentials were being used
    to access the database.
    
    The StormWatch documentation states that the server should be physically
    secure and that unauthorized users should not have accounts on that system.
    The default security policies that are applied to the server prevent any
    remote access to the system (apart from our Web based management interface).
    
    After reviewing this information, we do not believe that any vulnerability
    exists for StormWatch customers if no unauthorized user has the server's
    Administrator password. However, for 'defense in depth' reasons, we
    recommend that the "sa" password be set to an unknown value. StormWatch
    customers can contact supportat_private for instructions to set the "sa"
    password. 
    
    Thanks to Mario Robic for providing additional information about this issue.
    
    Bugs or security issues should be reported to supportat_private or
    securityat_private. If StormWatch customers have any additional questions,
    they should contact supportat_private.
    
    -----Original Message-----
    From: Marc Ruef [mailto:marc.ruefat_private]
    Sent: Wednesday, December 18, 2002 2:06 AM
    To: bugtraqat_private; submissionsat_private;
    newsat_private
    Subject: Missing admin sql password in Okena StormWatch
    
    
    Hi!
    
    I was working with Okena StormWatch[1] - a really interesting commercial
    intrusion prevention product - and saw that the SQL password for the
    admin account (sa) is missing.
    
    With a SQL client and a blank password it's possible for everyone who
    can connect to the manager to compromise the whole system/network.
    
    My notification was sent on Fri, 15 Nov 2002 14:21:01 +0100 to
    infoat_private - Nothing came back.
    
    Thanks to Mario Robic for helping to discover this problem.
    
    Bye, Marc
    
    [1] http://www.okena.com
    
    -- 
    Computer, Technik und Security
    http://www.computec.ch
    
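The Okena response rests on two server-side facts: that the database engine is in Windows-only authentication mode (so the null "sa" password cannot be used for a SQL login) and that "sa" should nonetheless be given a real password. The T-SQL below is an added example, not code from the Okena response, from Marc Ruef or from the StormWatch product; it assumes the MSDE 2000 / SQL Server 2000 system tables of that era (later versions replace master..sysxlogins with sys.sql_logins and sp_password with ALTER LOGIN), and the replacement password is a placeholder.

```sql
-- Added example (not from the Okena response or the StormWatch product).
-- Run as the local Windows administrator over a trusted connection, e.g.
--   osql -E -i check_sa.sql
-- Assumes SQL Server 2000 / MSDE 2000 system tables.

-- 1. Authentication mode. 1 = Windows authentication only (what the vendor
--    says the installer configures); 0 = mixed mode, in which a blank "sa"
--    password would be directly usable by any client that can reach port 1433.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Does "sa" currently have a blank password? In SQL Server 2000 a NULL
--    password column in master..sysxlogins means no password is set, which is
--    the state the vendor says an MSDE service-pack upgrade leaves behind.
SELECT name,
       CASE WHEN password IS NULL THEN 'BLANK' ELSE 'set' END AS sa_password
FROM master..sysxlogins
WHERE name = 'sa';

-- 3. Defense in depth: set a strong "sa" password regardless of the current
--    mode, so a later switch to mixed mode cannot expose a blank account.
--    'Replace-With-Strong-Passphrase!' is a placeholder, not a recommendation.
EXEC sp_password @old = NULL,
                 @new = 'Replace-With-Strong-Passphrase!',
                 @loginame = 'sa';
```

To confirm the first point from the attacker's side, attempt a SQL login from another host with `osql -S <server> -U sa -P ""`: in Windows-only mode the server refuses it with "Login failed for user 'sa'. Reason: Not associated with a trusted SQL Server connection" even while the password is blank, whereas in mixed mode the same command would open a session.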
    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:32:04 PST