Multiple security information disclosure paths and remote access Netcool/NeuSecure Security information management platform .
Cleartext-storage of passwords in the configuration file Cleartext reporting of user password in the log Default backend Mysql database user and remote access. Laxed filesystem permissions and id/password leak.
Netcool/NeuSecure is a security information management (SIM) platform designed to improve the effectiveness, efficiency and visibility of security operations and information risk management. The solution centralizes and stores security data from throughout the enterprise, automating incident recognition and response, streamlining incident handling, enabling policy monitoring enforcement and providing comprehensive reporting for regulatory compliance. The centralization and automation of these functions results in reduced costs of security and IT operations
Vendor communication history.
Feb 3 contacted email@example.com asking to log a support call. was promptly redirected to firstname.lastname@example.org Feb 3 email explaining vulnerability sent to email@example.com. Prompt automated response. Feb 3 Ticket is opened with tag: Insufficient customer information. Need customer id, support contract number and environment description. Due to the nature of this independent research, such information is not available or cannot be provided to the support. Feb 3 Second request for customer information in order to successfully log the issue. I stated one more time that any technical, non-customer related information can and will be provided. Feb 6 Third request for customer information. And once more, I explained the situation willing to give any information not pertaining to the customer. Ticket is downgraded to lower priority. Feb 16 Ticket is apparently closed. Disclosing to the list.
JReports-NeuSecure-3.0.236-1 common-NeuSecure-3.0.236-1 cms-NeuSecure-3.0.236-1
-rw-r--r-- 1 ns ns 1228 Feb 3 10:25 /etc/neusecure.conf drwxr-xr-x 15 ns ns 4096 Dec 1 12:43 /opt/NeuSecure drwxr-xr-x 2 ns ns 4096 Jan 9 21:42 /opt/NeuSecure/etc/ -rw-r--r-- 1 ns ns 1334 Nov 16 18:44 /opt/NeuSecure/etc/cms-3.0.236.buildconf
/etc/neusecure.conf ORACLE_HOME= CMS_DBHOST=localhost CMS_DBNAME=xxx CMS_DBUSER=ns CMS_DBPASS=nsl0ck CMS_DBTYPE=mysql CMSM_DBHOST=localhost CMSM_DBNAME=xxxxx CMSM_DBUSER=ns CMSM_DBPASS=nsl0ck FULL_REPORTS_STACKTRACE=true JAVA_HEAP_SIZE=-Xmx256M AAM=1 VULN_MEM=256
RPT_DBHOST=reportserver RPT_DBNAME=xxxx RPT_DBUSER=ns RPT_DBPASS=nsl0ck RPT_DBTYPE=mysql
-rw-rw-r-- 1 ns ns 5102 Jan 9 12:17 /opt/NeuSecure/./bin/ns_archiver.log
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Building NSSQLConnection "CMS Connection" type = mysql name = nsdbp [1136830628.351]NSSQLConnection::NSSQLConnection => building mysql connection to: hostString = "/tmp/mysql.sock@nsdbp" user = "ns" pass = "nsl0ck" [1136830628.356]connected successfully! [1136830628.356]Connected using UNIX socket:/tmp/mysql.sock
trivial to connect to backend ....
Unfortunately, you cannot avoid storing cleartext passwords by changing configuration options. This should be reworked by the vendor. Default password can be changed, but is still cleartext in the configuration file.
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/