[UNIX] Netcool/NeuSecure Multiple Information Disclosure

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Netcool/NeuSecure Multiple Information Disclosure
------------------------------------------------------------------------


SUMMARY

" <http://www.micromuse.com/sols/dom_man/sec_man.html> Netcool/NeuSecure
is a security information management (SIM) platform designed to improve
the effectiveness, efficiency and visibility of security operations and
information risk management."

Improper permission handling and clear text storage allow attackers to
gain database and program passwords and remotely access Netcool/NeuSecure.

DETAILS

Vulnerable Systems:
* JReports-NeuSecure-3.0.236-1
* common-NeuSecure-3.0.236-1
* cms-NeuSecure-3.0.236-1

Default build of Netcool/NeuSecure has fixed directory permissions which
may lead to a regular user viewing configuration files containing
passwords.

-rw-r--r-- 1 ns ns 1228 Feb 3 10:25
/etc/neusecure.conf
drwxr-xr-x 15 ns ns 4096 Dec 1 12:43 /opt/NeuSecure
drwxr-xr-x 2 ns ns 4096 Jan 9 21:42
/opt/NeuSecure/etc/
-rw-r--r-- 1 ns ns 1334 Nov 16 18:44
/opt/NeuSecure/etc/cms-3.0.236.buildconf

Netcool/NeuSecure also store cleartext passwords in the configuration file
/etc/neusecure.conf:

/etc/neusecure.conf
ORACLE_HOME=
CMS_DBHOST=localhost
CMS_DBNAME=xxx
CMS_DBUSER=ns
CMS_DBPASS=nsl0ck
CMS_DBTYPE=mysql
CMSM_DBHOST=localhost
CMSM_DBNAME=xxxxx
CMSM_DBUSER=ns
CMSM_DBPASS=nsl0ck
FULL_REPORTS_STACKTRACE=true
JAVA_HEAP_SIZE=-Xmx256M
AAM=1
VULN_MEM=256
###########################
# JReports Config Variables #
###########################
RPT_DBHOST=reportserver
RPT_DBNAME=xxxx
RPT_DBUSER=ns
RPT_DBPASS=nsl0ck
RPT_DBTYPE=mysql
#RPT_DBHOST

Netcool/NeuSecure also store cleartext reporting of the <ns> user
password in the log viewable by an unprivileged user which leads to direct
mysql database connection and authentication with possibility to dump
users and passwords from the 'auth' table:

-rw-rw-r-- 1 ns ns 5102 Jan 9 12:17 /opt/NeuSecure/./bin/ns_archiver.log

Building NSSQLConnection "CMS Connection" type = mysql name = nsdbp
[1136830628.351]NSSQLConnection::NSSQLConnection => building mysql
connection to: hostString = "/tmp/mysql.sock@nsdbp" user = "ns" pass =
"nsl0ck"
[1136830628.356]connected successfully!
[1136830628.356]Connected using UNIX socket:/tmp/mysql.sock

Workaround:
* Change file read and write permission for only trusted users.
* Change database permission to allow only trusted users access.

Disclosure Timeline:
Feb 3 contacted customer.relations@xxxxxxxxxxxxx asking to log a support
call. was promptly redirected to support@xxxxxxxxxxxxx
Feb 3 email explaining vulnerability sent to support@xxxxxxxxxxxxxx
Prompt automated response.
Feb 3 Ticket is opened with tag: Insufficient customer information. Need
customer id, support contract number and environment description. Due to
the nature of this independent research, such information is not available
or cannot be provided to the support.
Feb 3 Second request for customer information in order to successfully
log the issue. I stated one more time that any technical, non-customer
related information can and will be provided.
Feb 6 Third request for customer information. And once more, I explained
the situation willing to give any information not pertaining to the
customer. Ticket is downgraded to lower priority.
Feb 16 Ticket is apparently closed. Disclosing to the list.


ADDITIONAL INFORMATION

The information has been provided by <mailto:dsnezhkov@xxxxxxxxx>
D.Snezhkov.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages