8 May, 2001
Symantec NetProwler 3.5.x MySQL database configuration allows possible remote access

Affected:
NetProwler 3.5.x, NT version

Overview:
Following is information received from Corsaire Limited, describing a potential risk to NetProwler customers due to a weakness in the default install configuration of the MySQL database.

"The latest version of the NetProwler intrusion detection product comes as a three-tiered architecture, consisting of agents, a management component, and a console. Both configuration and auditing information is stored within a MySQL database hosted locally on the management tier of the product. This database is exposed unnecessarily to potential network scrutiny due to being configured by default to listen to all local IP addresses."

Details:
NetProwler version 3.5.x ships with MySQL version 3.22.24. The NetProwler manager communicates with the MySQL service using named pipes, so the MySQL service does not need to accept incoming connections on any port. However, MySQL 3.22.24 is installed in its default configuration, and that default accepts inbound connections on port 3306. As a result, an attacker with internal network access could connect remotely to the MySQL port and compromise the NetProwler configuration database, provided they knew the MySQL username and password. Access to the MySQL database would allow an attacker to modify existing entries or delete the database entirely.

Risk Impact:
Medium

Solution:
NOTE: This is not a security problem with the NetProwler tool itself, but with the default configuration of the accompanying MySQL database. However, because of the risk that an attacker could bypass the MySQL password authentication scheme, Symantec makes the following security configuration recommendations. In addition to ensuring that the default NetProwler manager and MySQL usernames and passwords are changed during installation, as documented in the installation instructions, Symantec recommends that customers configure their NetProwler environment so that the MySQL service does not accept any connections through port 3306 or through the Microsoft Networking protocol NetBIOS/SMB. This requires that the NetProwler manager and its database be installed on the same machine. (Note: This is the default installation.) Following these guidelines ensures that the NetProwler MySQL database is not susceptible to the remote attack described in the Corsaire advisory.

Verification of vulnerable configuration:

The following procedure checks if the MySQL service is configured to accept remote connections on the local machine. On the NetProwler Manager machine proceed as follows:

  1. From the Start menu, select Program Files followed by Command Prompt.
  2. At the command prompt type:

    netstat -a

This will display a list of services listening on the current machine. In the Local Address column, if one of the lines contains <machine name>:3306, the MySQL service is listening on its default port 3306. If so, proceed to the next steps to disable remote access to the service.

Disabling remote access to MySQL service

The MySQL service is accessible via TCP/IP on port 3306, and via SMB.

Disabling access to MySQL via TCP/IP

The following steps disable the MySQL service from listening for connections on the default port 3306.

  1. Stop the NetProwler Manager and any NetProwler Consoles (if running).
  2. Run Notepad.
  3. Open the file c:\my.cnf.
  4. The file should contain two lines:

    [mysqld]
    basedir=c:\\mysql

  5. Add the line "skip-networking", so the file should look like:

    [mysqld]
    basedir=c:\\mysql
    skip-networking


    Note: Advanced users may have modified the default my.cnf that ships with NetProwler. These users need only to add the line "skip-networking" in the section noted, [mysqld], as stated above.
  6. Save the file and exit notepad.

Disabling access to MySQL via SMB

  1. From the Start menu, choose Control Panel
  2. Double-click the Services icon.
  3. Select Computer Browser from the list of services. Click the Startup button. Set the Startup Type to "Disabled" and click Ok.
  4. Repeat Step 3, for the Server service.
  5. Restart the workstation.

Validation of removal for remote access to MySQL

The following procedure checks if the MySQL service is configured to accept remote connections on the local machine. On the NetProwler Manager machine proceed as follows:

  1. From the Start menu, select Program Files followed by Command Prompt. At the command prompt type:

    netstat -a

    This will display a list of services listening on the current machine. In the Local Address column, if no line contains <machine name>:3306, the MySQL service is no longer listening on its default port 3306 and remote access has been successfully removed.
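The verification check (inspecting netstat -a for a :3306 listener), the my.cnf fix (adding skip-networking under [mysqld]) and the final validation can be scripted. The following is an added example, not part of the Symantec advisory; the netstat output, the host name npmanager and the my.cnf contents are constructed samples, and a real run would feed it the saved output of netstat -a and the contents of c:\my.cnf from the NetProwler Manager.

```python
# Constructed sample of "netstat -a" output from an NT-style host (not a real capture)
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    npmanager:135          0.0.0.0:0              LISTENING
  TCP    npmanager:3306         0.0.0.0:0              LISTENING
  TCP    npmanager:139          0.0.0.0:0              LISTENING
  UDP    npmanager:137          *:*
"""
# Constructed copy of the two-line my.cnf the advisory says ships with NetProwler
DEFAULT_MY_CNF = "[mysqld]\nbasedir=c:\\\\mysql\n"

def mysql_listening(netstat_output, port=3306):
    """True if a TCP socket in the netstat output is LISTENING on `port`."""
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):  # port part of "<machine name>:<port>"
                return True
    return False

def has_skip_networking(my_cnf):
    """True if 'skip-networking' is present inside the [mysqld] section."""
    section = None
    for raw in my_cnf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "mysqld" and line.replace("_", "-").lower() == "skip-networking":
            return True
    return False

def harden_my_cnf(my_cnf):
    """Return my.cnf with skip-networking appended to the [mysqld] section (idempotent)."""
    if has_skip_networking(my_cnf):
        return my_cnf
    lines, insert_at = my_cnf.splitlines(), None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if insert_at is not None:
                break                      # next section starts here; insert before it
            if line.lower() == "[mysqld]":
                insert_at = i + 1
        elif insert_at is not None and line:
            insert_at = i + 1              # keep the new line after existing [mysqld] entries
    if insert_at is None:                  # no [mysqld] section at all: create one
        lines += ["[mysqld]", "skip-networking"]
    else:
        lines.insert(insert_at, "skip-networking")
    return "\n".join(lines) + "\n"
```

After the MySQL service is restarted with the hardened file, running mysql_listening over fresh netstat -a output should return False, which is the validation step above.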

Credit: Symantec wishes to thank Martin O'Neil of Corsaire Limited, for his excellent coordination in identifying and helping resolve this issue.


Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Symantec Product Vulnerability Response
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Last modified on: Monday, 25-Oct-04 21:39:54