[VIM] Vendor ACK for NeuSecure/Netcool issues

Steven M. Christey coley at mitre.org
Tue Mar 14 17:02:29 EST 2006


I just talked with Jimmy Alderson, now at IBM, about the various
NeuSecure/Netcool issues (CVEs below).  They do not have any formal
public acknowledgement, but fixes for the issues are available to
their customers.

- Steve


======================================================
Name: CVE-2006-0837
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0837
Acknowledged: yes via-phone
Announced: 20060216
Flaw: perm
Reference: BUGTRAQ:20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/425304/100/0/threaded
Reference: FULLDISC:20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0364.html
Reference: BID:16700
Reference: URL:http://www.securityfocus.com/bid/16700
Reference: OSVDB:23270
Reference: URL:http://www.osvdb.org/23270
Reference: SECTRACK:1015642
Reference: URL:http://securitytracker.com/id?1015642
Reference: SECUNIA:18922
Reference: URL:http://secunia.com/advisories/18922

IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 has world-readable
permissions for (1) /etc/neusecure.conf, (2)
/opt/NeuSecure/etc/cms-3.0.236.buildconf, and (3)
/opt/NeuSecure/bin/ns_archiver.log, which allows local users to read
sensitive information such as passwords.  NOTE: IBM has privately
confirmed to CVE that a fix is available for these issues.


Analysis:
ACCURACY: By "remote access," the researcher means that a local user
could find a password that can be used for a separate remote session.

ACKNOWLEDGEMENT: Jimmy Alderson confirmed this issue with Steve
Christey by phone on March 14, 2006.


======================================================
Name: CVE-2006-0838
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0838
Acknowledged: yes via-phone
Announced: 20060216
Flaw: crypt
Reference: BUGTRAQ:20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/425304/100/0/threaded
Reference: FULLDISC:20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0364.html
Reference: BID:16698
Reference: URL:http://www.securityfocus.com/bid/16698
Reference: OSVDB:23270
Reference: URL:http://www.osvdb.org/23270
Reference: OSVDB:23271
Reference: URL:http://www.osvdb.org/23271
Reference: SECTRACK:1015642
Reference: URL:http://securitytracker.com/id?1015642
Reference: SECUNIA:18922
Reference: URL:http://secunia.com/advisories/18922

IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 stores cleartext
passwords in the (1) CMS_DBPASS, (2) CMSM_DBPASS, and (3) RPT_DBPASS
fields in /etc/neusecure.conf, and in (4)
/opt/NeuSecure/bin/ns_archiver.log, which allows local users to gain
privileges.  NOTE: IBM has privately confirmed to CVE that a fix is
available for these issues.


Analysis:
ACCURACY: By "remote access," the researcher means that a local user
could find a password that can be used for a separate remote session.

ACKNOWLEDGEMENT: Jimmy Alderson confirmed this issue with Steve
Christey by phone on March 14, 2006.


======================================================
Name: CVE-2006-1210
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1210
Acknowledged: yes via-phone
Announced: 20060308
Flaw: other
Reference: BUGTRAQ:20060308 Remote access to NeuSecure/Netcool backend database via web interface credentials leakage
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/427155/100/0/threaded

The web interface for IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236
includes the MySQL database username and password in cleartext in
body.phtml, which allows remote attackers to gain privileges by
reading the source.  NOTE: IBM has privately confirmed to CVE that a
fix is available for these issues.


Analysis:
ACKNOWLEDGEMENT: Jimmy Alderson confirmed this issue with Steve
Christey by phone on March 14, 2006.


======================================================
Name: CVE-2006-1211
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1211
Acknowledged: yes via-phone
Announced: 20060308
Flaw: other
Reference: BUGTRAQ:20060308 Remote access to NeuSecure/Netcool backend database via web interface credentials leakage
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/427155/100/0/threaded

IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 configures a MySQL
database to allow connections from any source IP address with the ns
database account, which allows remote attackers to bypass the
Netcool/NeuSecure application layer and perform unauthorized database
actions.  NOTE: IBM has privately confirmed to CVE that a fix is
available for these issues.


Analysis:
ACKNOWLEDGEMENT: Jimmy Alderson confirmed this issue with Steve
Christey by phone on March 14, 2006.
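
An added example, not part of the original post and not IBM tooling: a defender-side audit for the world-readable files of CVE-2006-0837 and the cleartext password fields of CVE-2006-0838. The paths and field names come from the records above; the `KEY=value` layout of /etc/neusecure.conf and the names `audit` and `root` are assumptions, since the page does not show the file format.

```python
import os
import re
import stat

# Paths and field names as listed in CVE-2006-0837 and CVE-2006-0838.
SENSITIVE_FILES = [
    "/etc/neusecure.conf",
    "/opt/NeuSecure/etc/cms-3.0.236.buildconf",
    "/opt/NeuSecure/bin/ns_archiver.log",
]
PASSWORD_FIELDS = ("CMS_DBPASS", "CMSM_DBPASS", "RPT_DBPASS")
# Assumption: fields appear as KEY=value or KEY: value with a non-empty value.
FIELD_RE = re.compile(
    r"^[ \t]*(%s)[ \t]*[=:][ \t]*\S" % "|".join(PASSWORD_FIELDS), re.M
)


def audit(root="/"):
    """Return sorted (path, issue) findings for the files under `root`.

    `root` (hypothetical parameter) lets the check run against a mounted
    image or a constructed test tree instead of the live filesystem.
    """
    findings = []
    for path in SENSITIVE_FILES:
        real = os.path.join(root, path.lstrip("/"))
        try:
            st = os.lstat(real)
        except FileNotFoundError:
            continue  # product file not present on this host
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not-regular-file"))
            continue
        if st.st_mode & stat.S_IROTH:
            findings.append((path, "world-readable"))
        # Only the conf file has named fields on the page; the log's
        # format is not described, so it gets the permission check only.
        if path == "/etc/neusecure.conf":
            with open(real, errors="replace") as fh:
                for m in FIELD_RE.finditer(fh.read()):
                    # Report the field name only, never the secret value.
                    findings.append((path, "cleartext-field:" + m.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for path, issue in audit():
        print(f"{path}: {issue}")
```

Reading a root-owned 0600 file requires running the audit with matching privileges; a cleartext-field finding is reported regardless of the file mode.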



