MAJOR SECURITY HOLE IN BUILD 4030

You are in : Recent Topics » EventLog Analyzer » MAJOR SECURITY HOLE IN BUILD 4030

MAJOR SECURITY HOLE IN BUILD 4030

Anonymous

on 01-Nov-2007 12:29 AM.

EventLog Analyzer build 4030 for Windows (and possibly Unix/Linux) ships with an alarming and glaringly obvious security hole. The mysql instance is configured by default to accept remote connections, and again, by default uses a username of "root" with a blank password. The implications of this should be fairly obvious to anyone reading this post, and SHOULD have been obvious to the Adventnet developers. Any attacker, having compromised a host with network access to the EventLog Analyzer host would be able to alter logs at will in order to cover their tracks. Obviously, this also applies to a direct compromise of the EventLog Analyzer host, though that introduces a whole different set of issues. Furthermore, there is the possibility of an attacker using this unrestricted access as leverage to compromise the EventLog Analyzer host itself by taking advantage of any flaws in mysql, or it's configuration.

All users should immediately take steps to prevent remote connections by using a host based firewall to filter inbound traffic to TCP port 33335.

Moderator,

This information will be released to Bugtraq in 60 days. It will be released immediately if you fail to approve this post within 4 hours.

No status

Reply to this discussion

ajay

on 01-Nov-2007 05:49 PM

Hi,

Thanks for bringing this to our notice. This default behaviour can be altered by doing the below configuration changes.

You can add password to the existing mysql server.
You can drop mysql connections that are made from other machines.

Please do contact us at support@eventloganalyzer.com if you need any assistance in performing the above suggested configurations.

In most of the cases, this tool will be deployed within the LAN and hence outside attackers have to compromise the LAN before getting access to mysql.

Regards
Ajay