Symantec NetProwler 3.5.x MySQL database configuration allows possible remote access.
1001
06 March 2020
08 May 2001
CLOSED
Low
SUMMARY
Following is information received from Corsaire Limited, describing a potential risk to NetProwler customers due to a weakness in the default install configuration of the MySQL database.
"The latest version of the NetProwler intrusion detection product comes as a three-tiered architecture, consisting of agents, a management component, and a console. Both configuration and auditing information is stored within a MySQL database hosted locally on the management tier of the product. This database is exposed unnecessarily to potential network scrutiny due to being configured by default to listen to all local IP addresses."
AFFECTED PRODUCTS
Affected:
NetProwler 3.5.x, NT version
ISSUES
Details:
NetProwler version 3.5.x ships with the MySQL version 3.22.24 database. The NetProwler manager communicates with the MySQL service using named pipes, so this method of communication does not require configuring the MySQL service to accept incoming connections on any port. However, NetProwler installs MySQL version 3.22.24 in its default configuration, and by default MySQL version 3.22.24 is configured to accept inbound connections on port 3306. As a result, a hacker with internal network access could potentially connect remotely to the MySQL port and compromise the NetProwler configuration database, provided they knew the MySQL username and password. Access to the MySQL database would allow an attacker to modify existing entries or delete the database entirely.
MITIGATION
Solution:
NOTE: This is not a security problem with the NetProwler tool, but rather with the default configuration of the accompanying MySQL database. However, because of the risk that an attacker could bypass the MySQL password authentication scheme, Symantec has the following security configuration recommendations. In addition to ensuring that the default NetProwler manager and MySQL usernames and passwords are changed during the installation process, as documented in the installation instructions, Symantec recommends that our customers configure their NetProwler environment to disallow the MySQL service from accepting any connections through port 3306 or through the Microsoft Networking protocol NetBIOS/SMB. This requires that our customers install both the NetProwler manager and its database on the same machine. (Note: This is the default installation.) Following these recommended guidelines will ensure that the NetProwler MySQL database is not susceptible to a remote attack as described in the Corsaire advisory.
Verification of vulnerable configuration:
The following procedure checks if the MySQL service is configured to accept remote connections on the local machine. On the NetProwler Manager machine proceed as follows:
- From the Start menu, select Program Files followed by Command Prompt.
- At the command prompt type:
netstat -a
This will display a list of services listening on the current machine. In the Local Address column, if one of the lines contains <machine name>:3306, this confirms that the MySQL service is listening on its default port 3306. If this is the case, proceed to the next steps to disable remote access to the service.
Disabling remote access to MySQL service
The MySQL service is accessible via TCP/IP on port 3306, and via SMB.
Disabling access to MySQL via TCP/IP
The following steps disable the MySQL service from listening for connections on the default port 3306.
- Stop the NetProwler Manager and any NetProwler Consoles (if running).
- Run Notepad.
- Open the file c:\my.cnf
- The file should contain two lines:
[mysqld]
basedir=c:\\mysql
- Add the line "skip-networking", so the file looks like:
[mysqld]
basedir=c:\\mysql
skip-networking
Note: Advanced users may have modified the default my.cnf that ships with NetProwler. These users need only add the line "skip-networking" in the [mysqld] section noted above.
- Save the file and exit Notepad.
Disabling access to MySQL via SMB
- From the Start menu, choose Control Panel
- Double-click the Services icon.
- Select Computer Browser from the list of services. Click the Startup button. Set the Startup Type to "Disabled" and click Ok.
- Repeat Step 3 for the Server service.
- Restart the workstation.
Validation of removal for remote access to MySQL
The following procedure checks if the MySQL service is configured to accept remote connections on the local machine. On the NetProwler Manager machine proceed as follows:
- From the Start menu, select Program Files followed by Command Prompt.
- At the command prompt type:
netstat -a
This will display a list of services listening on the current machine. In the Local Address column, if none of the lines contains <machine name>:3306, this confirms that the MySQL service is no longer listening on its default port 3306 and remote access has been successfully removed.
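As an added example (not Symantec's or Corsaire's code), the following Python script automates the two checks this advisory walks through: reading netstat -a output for a listener on port 3306, and adding skip-networking to the [mysqld] section of my.cnf, including the customised my.cnf case noted above. The netstat output and the hostname NPMGR are constructed samples.

```python
# Constructed sample of `netstat -a` output from a NetProwler manager host (not real data).
NETSTAT_VULNERABLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    NPMGR:135              0.0.0.0:0              LISTENING
  TCP    NPMGR:3306             0.0.0.0:0              LISTENING
  TCP    NPMGR:139              0.0.0.0:0              LISTENING
  UDP    NPMGR:137              *:*
"""

# The two-line default my.cnf the advisory describes (backslashes doubled as in the file).
DEFAULT_MY_CNF = "[mysqld]\nbasedir=c:\\\\mysql\n"


def mysql_port_listening(netstat_output: str, port: int = 3306) -> bool:
    """True if any TCP line in LISTENING state has a local address ending in :<port>."""
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                return True
    return False


def add_skip_networking(my_cnf: str) -> str:
    """Return my.cnf text with skip-networking present in the [mysqld] section.

    Idempotent, and safe for a customised my.cnf with other sections: the
    directive goes after the last non-blank line of [mysqld], and a [mysqld]
    section is appended if the file has none.
    """
    lines = my_cnf.splitlines()
    section, insert_at = None, None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip().lower()
            if section == "mysqld":
                insert_at = i + 1
        elif section == "mysqld" and s:
            if s.lower() == "skip-networking":
                return my_cnf  # already hardened, leave the file untouched
            insert_at = i + 1
    if insert_at is None:
        lines.append("[mysqld]")
        insert_at = len(lines)
    lines.insert(insert_at, "skip-networking")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("MySQL listening on 3306:", mysql_port_listening(NETSTAT_VULNERABLE))
    print(add_skip_networking(DEFAULT_MY_CNF))
```

On a real manager, feed the script the saved output of netstat -a and the contents of c:\my.cnf, then restart the MySQL service and re-run the netstat check as the validation step describes.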
ACKNOWLEDGEMENTS
Symantec wishes to thank Martin O'Neil of Corsaire Limited for his excellent coordination in identifying and helping resolve this issue.