[13351] in bugtraq


Re: Password issue in Axent ESM 5.0.1 Console

daemon@ATHENA.MIT.EDU (Scott Blake)
Fri Jan 14 22:31:11 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <000f01bf5ea7$4bb3b0c0$eb85e9c0@blackship.bos.bindview.com>
Date:         Fri, 14 Jan 2000 10:52:01 -0500
Reply-To: Scott Blake <blake@BOS.BINDVIEW.COM>
From: Scott Blake <blake@BOS.BINDVIEW.COM>
X-To:         Todd <todd@aggies.org>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <004701bf5d59$ba7ab660$31881a18@columbus.rr.com>

I don't understand what the security issue is here.  Sounds like ESM is
doing a good thing by passwording the console, but has a bug in the
password change code.  If they're using the MS Access native security,
recovering the password is trivial, so in essence there is no security
there at all.  One could make a case that there should be, but the bug in
password changing is hardly relevant to that.  Finally, tech support's
recommendation that the password be removed from the DB is perfectly
reasonable when you consider that it is utterly useless anyway.

-----
Scott Blake
blake@bos.bindview.com
Security Program Manager
BindView Corporation


>-----Original Message-----
>From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Todd
>Sent: Wednesday, January 12, 2000 7:04 PM
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Password issue in Axent ESM 5.0.1 Console
>
>
>Axent's latest release of its ESM product was redesigned and supposedly
>revamped around its new "Management Console".  The new management console
>is based on an underlying Access Database.  The console is password
>protected each time the application is launched.  However, when the user
>wants to change the console password, the next time the application is
>launched the database is inaccessible because the code does not update the
>password on the database file.  It is reported that contacting Axent
>resulted in being told to launch the MS Access DB file and disable password
>checking.
>
