AppManager 2.0 from NetIQ displays passwords in clear text!
AppManager is a product which enables an enterprise to monitor the performance and
availability of Windows NT server services such as Exchange, SQL, etc. It does this
via an agent on the target machine which reports back to a console. The agents monitor
for things like low disk space, misbehaving services, and so on. Like most products that
follow a manager/agent architecture, the agents must use an account with Administrator
privileges in order to do their job. The problem is that when the authentication occurs,
the userid and password are passed in clear text, meaning that anyone with a sniffer can
read it as it goes across the wire.
The other problem is that when someone with access to the AppManager console goes to look
at a job, all he or she must do is right-click on the job, select Properties, select the
View tab, and voila! The userid and password that the job is using are right there for all
to see. With version 3.0 they have replaced the password with asterisks, but the company
conceded that if someone were to copy the asterisks and paste them into a text file then the
password would be displayed instead of the asterisks! More security through obscurity.
The only fix so far is for an AppManager administrator to go into the Properties and
manually backspace over the password to remove it. Once this is done it will not appear
again on any of the consoles. However, if an "agent installation" job is run, the password
WILL be displayed in Properties, but only for the duration of the install, which is usually
between ten and fifteen minutes. There is currently no way to prevent this.
According to the company this is a "known issue." After some more discussion I found that
they have known about this for two years, yet apparently have not done anything to rectify
it. They said that encrypting the authentication sequence traffic is difficult to do
which is one of the reasons why they haven't fixed it yet. If their programmers can't
figure out in two years how to encrypt traffic then I think another product should be
chosen.
-- Anonymous