http://xforce.iss.net/alerts/advise29.php3

ISS Security Advisory
June 29, 1999

Bad Permissions on Passwords Stored by WebTrends Software

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a security hole in many WebTrends products that allows access to service account and MAPI usernames and passwords. WebTrends specializes in providing enterprise management solutions software. Most WebTrends software provides the capability to run at startup as a Windows NT service and use a MAPI profile to send reports via e-mail.

All of the vulnerable programs store the NT service account and password, as well as the MAPI profile name and password, in a file with 'Everyone: Full Access' permissions. Remote and local attackers can discover the service account username and password (which, by definition, has to be an Administrator account) and the MAPI profile name and password. The file is in the installation directory and is called 'WebTrend.INI'. Although the password is encrypted, the encryption algorithm is simple and the password can be easily decoded.

Description:

The vulnerability only applies to systems using the MAPI and NT service features in the following or earlier versions of the applications currently identified as vulnerable by ISS X-Force: WebTrends for Firewalls v1.2, WebTrends Security Analyzer v2.0, WebTrends Professional Suite v3.01, WebTrends Log Analyzer v4.51, and WebTrends Enterprise Suite v3.5. All applications run on the Windows NT platform.

Recommendations:

If you use the MAPI or NT service feature in any of the vulnerable products, install the latest versions of the product that include the 128-bit encryption algorithm. These versions include: WebTrends for Firewalls v1.2b Build 4163, WebTrends Security Analyzer v2.1a Build 8043, WebTrends Professional Suite v3.01a Build 4053, WebTrends Log Analyzer v4.51a Build 4108, and WebTrends Enterprise Suite v3.5a Build 4212.

In addition, ISS X-Force and WebTrends recommend that you modify the ACL settings to an appropriate level of security for the user of that system. Specifically, remove the 'Everyone: Full Control' permission and add 'Administrators: Full Control', so only administrators have access to the file. To do this, open the directory for the application in Windows NT Explorer, right click on WebTrends.INI, go to 'Properties', select the 'Security' tab, and click the 'Permissions' button. There will be a dialog that will allow you to adjust the permissions on the file.

Customers who are not able to download the most recent versions should not use the MAPI and NT Service options in WebTrends products.

Credits:

This vulnerability was discovered by Internet Security Systems and researched by the ISS X-Force. ISS appreciates the assistance and contributions of individuals at WebTrends.

__________

Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

About ISS

ISS is the pioneer and leading provider of adaptive network security software delivering enterprise-wide information protection solutions. ISS' award-winning SAFEsuite family of products enables information risk management within intranet, extranet and electronic commerce environments. By combining proactive vulnerability detection with real-time intrusion detection and response, ISS' adaptive security approach creates a flexible cycle of continuous security improvement, including security policy implementation and enforcement.
ISS SAFEsuite solutions strengthen the security of existing systems and have dramatically improved the security posture for organizations worldwide, making ISS a trusted security advisor for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html, as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.
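
The ACL change described under Recommendations, scripted in PowerShell as an added example; it is not part of the ISS advisory or of any WebTrends product. The install directory is a placeholder you must set, and the script assumes a current Windows host with PowerShell run from an elevated prompt rather than the NT Explorer dialog the advisory walks through.

```powershell
# Added example (not from the ISS advisory). Reports who can access the
# WebTrends INI file and, with -Fix, leaves only 'Administrators: Full Control'.
param(
    # Assumption: placeholder path; the advisory does not name the install directory.
    [string]$InstallDir = 'C:\WEBTRENDS-INSTALL-DIR-PLACEHOLDER',
    [switch]$Fix
)

# Well-known SID for BUILTIN\Administrators, so the check is not tied to
# localized group names.
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$sidType   = [System.Security.Principal.SecurityIdentifier]

# The advisory spells the file both 'WebTrend.INI' and 'WebTrends.INI'; match both.
$files = Get-ChildItem -Path $InstallDir -Filter 'WebTrend*.INI' -File -ErrorAction Stop

foreach ($file in $files) {
    $acl = Get-Acl -LiteralPath $file.FullName

    # Every Allow entry (explicit or inherited) for anyone other than Administrators.
    $loose = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ne $adminsSid.Value
    })

    if (-not $loose) { "$($file.FullName): only Administrators have access"; continue }
    foreach ($rule in $loose) {
        # Everyone shows up here as SID S-1-1-0.
        '{0}: {1} is allowed {2}' -f $file.FullName, $rule.IdentityReference.Value, $rule.FileSystemRights
    }
    if (-not $Fix) { continue }

    # Stop inheriting from the install directory and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Purge the remaining explicit entries, 'Everyone' included.
    foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
        $acl.PurgeAccessRules($rule.IdentityReference)
    }
    # Add the single entry the advisory recommends.
    $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $adminsSid, 'FullControl', 'Allow')
    $acl.AddAccessRule($adminRule)
    Set-Acl -LiteralPath $file.FullName -AclObject $acl
    "$($file.FullName): ACL replaced with Administrators: Full Control"
}
```

Run it once without -Fix to see the current entries, then again with -Fix and a third time without it to confirm that nothing other than Administrators is reported.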