From securityteam@DELPHISPLC.COM Mon Jul 10 02:40:04 2000 From: Security Team To: BUGTRAQ@SECURITYFOCUS.COM Date: Thu, 25 May 2000 17:39:22 +0100 Subject: DST2K0004b: Authentication issue in WebShield SMTP v4.5.44 Manage ment Tool [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] ============================================================================ ==== Delphis Consulting Plc ============================================================================ ==== Security Team Advisories [08/05/2000] securityteam@delphisplc.com ============================================================================ ==== Adv : DST2K0004b Title : Authentication issue in WebShield SMTP v4.5.44 Management Tool Author : DCIST (securityteam@delphisplc.com) O/S : Microsoft Windows NT v4.0 Server (SP6) Product : NAI WebShield SMTP v4.0.5 Date : 08/05/2000 (Updated 15/05/2000) I. Description II. Solution III. Disclaimer ============================================================================ ==== I. Description ============================================================================ ==== Delphis Consulting Internet Security Team (DCIST) discovered the following vuln- erability in the NAI Management Agent for WebShield SMTP under Windows NT. Connecting to a machine which runs the management agent on port 9999 may allow an attacker to obtain read and write access to the configuration of a WebShield SMTP server. This appears to happen, even if the the MailCfg service is set to only allow configuration to take place from "localhost" in some configurations. The configuration data appears written to the registry before the service suffers from lack of bounds checking. This information written to the registry can be used to prevent the WebShield service from being started. Update: 15/05/2000 The configuration agent uses hostname for authentication, if the server upon which the management agent is running is unable to resolve a hostname to the IP address it will allow access by default. II. Solution ============================================================================ ==== Vendor Contacted: 8-May-2000 Currently there is no vendor patch available but the following are preventative measures Delphis Consulting Internet Security Team would advise users running this service to implement. o Don't allow the service to run as SYSTEM but as a restricted user account. o Access list port 9999 on the local router or firewall to restrict access to only required machines. o Stop the management service. III. Disclaimer ============================================================================ ==== THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. ============================================================================ ====