MAJOR SECURITY HOLE IN BUILD 4030

Posted 01-Nov-2007 12:29 AM in EventLog Analyzer
EventLog Analyzer build 4030 for Windows (and possibly Unix/Linux) ships with an alarming and glaringly obvious security hole. The MySQL instance is configured by default to accept remote connections and, again by default, uses a username of "root" with a blank password. The implications of this should be fairly obvious to anyone reading this post, and SHOULD have been obvious to the AdventNet developers. Any attacker who has compromised a host with network access to the EventLog Analyzer host would be able to alter logs at will in order to cover their tracks. Obviously, this also applies to a direct compromise of the EventLog Analyzer host, though that introduces a whole different set of issues. Furthermore, there is the possibility of an attacker using this unrestricted access as leverage to compromise the EventLog Analyzer host itself by taking advantage of any flaws in MySQL or its configuration.

All users should immediately take steps to prevent remote connections by using a host based firewall to filter inbound traffic to TCP port 33335.

Moderator,

This information will be released to Bugtraq in 60 days. It will be released immediately if you fail to approve this post within 4 hours.

Re: MAJOR SECURITY HOLE IN BUILD 4030

Reply posted 01-Nov-2007 05:49 PM
Hi,

Thanks for bringing this to our notice. This default behaviour can be altered by making the configuration changes below.

You can add a password to the existing MySQL server.
You can drop MySQL connections that are made from other machines.


Please do contact us at support@eventloganalyzer.com if you need any assistance in performing the above suggested configurations.

In most cases, this tool will be deployed within the LAN, and hence outside attackers have to compromise the LAN before getting access to MySQL.

Regards
Ajay
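The original post says the bundled MySQL listens on TCP 33335 and accepts "root" with a blank password from remote hosts; the reply says the fix is to set a password and refuse connections from other machines. The script below is an added example for checking both claims against your own installation. It is not part of the original thread and not AdventNet's code: it speaks the documented MySQL 4.1+ wire protocol directly (so it needs no driver), reads the server greeting, and sends a single login attempt for the named user with an empty password. The port 33335 and the user "root" come from the thread; the sample greeting and reply packets are constructed here to let the parsing run offline, and the server version string in them is made up.

```python
"""Probe a MySQL server for remote root login with a blank password.

Added example, not from the original post or from EventLog Analyzer.
Assumes the server speaks the MySQL 4.1+ handshake (protocol version 10);
pre-4.1 servers use an older login format that this script does not send.
"""
import socket
import struct
import sys

# Client capability flags from the MySQL protocol documentation.
CLIENT_LONG_PASSWORD = 0x0001
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x80000


def _packet(seq, body):
    """Wrap a payload in the 3-byte little-endian length + 1-byte sequence header."""
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body


def parse_handshake(packet):
    """Parse the server greeting; return version, capability flags and auth plugin."""
    body = packet[4:]
    if body[0] != 10:
        raise ValueError("unsupported protocol version %d" % body[0])
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1            # connection id, scramble part 1, filler
    cap_low, = struct.unpack_from("<H", body, pos); pos += 2
    pos += 1 + 2                         # charset, status flags
    cap_high, = struct.unpack_from("<H", body, pos); pos += 2
    caps = cap_low | (cap_high << 16)
    auth_len = body[pos]; pos += 1 + 10  # auth data length, reserved bytes
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, auth_len - 8)     # scramble part 2 (incl. terminator)
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:body.index(b"\x00", pos)].decode("ascii", "replace")
    return {"version": version, "capabilities": caps, "plugin": plugin}


def build_login_packet(user, server_caps, seq=1):
    """HandshakeResponse41 for `user` with an EMPTY password (zero-length auth data)."""
    caps = CLIENT_LONG_PASSWORD | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
    if server_caps & CLIENT_PLUGIN_AUTH:
        caps |= CLIENT_PLUGIN_AUTH
    body = struct.pack("<IIB", caps, 16 * 1024 * 1024, 33) + b"\x00" * 23
    body += user.encode("utf-8") + b"\x00"
    body += b"\x00"                      # length-encoded auth response: 0 bytes
    if caps & CLIENT_PLUGIN_AUTH:
        body += b"mysql_native_password\x00"
    return _packet(seq, body)


def classify_reply(packet):
    """Map the server's answer to ('OK', ''), ('ERR', 'code message') or ('OTHER', hex)."""
    body = packet[4:]
    if body[0] == 0x00:
        return ("OK", "")
    if body[0] == 0xFF:
        code, = struct.unpack_from("<H", body, 1)
        msg = body[3:]
        if msg[:1] == b"#":
            msg = msg[6:]                # skip '#' + 5-char SQLSTATE
        return ("ERR", "%d %s" % (code, msg.decode("utf-8", "replace")))
    return ("OTHER", body[:1].hex())


def _read_packet(sock):
    hdr = b""
    while len(hdr) < 4:
        hdr += sock.recv(4 - len(hdr))
    length = int.from_bytes(hdr[:3], "little")
    body = b""
    while len(body) < length:
        body += sock.recv(length - len(body))
    return hdr + body


def probe(host, port=33335, user="root", timeout=5):
    """Return the classification of a blank-password login attempt for `user`."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        info = parse_handshake(_read_packet(sock))
        sock.sendall(build_login_packet(user, info["capabilities"]))
        return info["version"], classify_reply(_read_packet(sock))


# Constructed sample packets (not captured from a real server) for offline runs.
SAMPLE_GREETING = _packet(0, b"\x0a" + b"5.0.45\x00" + b"\x01\x00\x00\x00"
                          + b"abcdefgh" + b"\x00" + b"\x01\x82" + b"\x08"
                          + b"\x02\x00" + b"\x00\x00" + b"\x00" + b"\x00" * 10
                          + b"ijklmnopqrst\x00")
SAMPLE_OK = _packet(2, b"\x00\x00\x00\x02\x00\x00\x00")
SAMPLE_ERR = _packet(2, b"\xff\x15\x04#28000"
                     b"Access denied for user 'root'@'10.0.0.5' (using password: NO)")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    version, (kind, detail) = probe(target)
    print("server %s: %s %s" % (version, kind, detail))
```

Run it from a machine other than the EventLog Analyzer host: an `OK` result means the exposure the post describes is present. After applying the reply's two changes (a root password, and removal of the accounts that allow logins from other hosts, or a host firewall on 33335 as the post recommends), a rerun should give `ERR 1045` or a refused connection.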