Message-ID: <20090821170016.GN20646@cisco.com>
Date: Fri, 21 Aug 2009 13:00:16 -0400
From: Eloy Paris <elparis@...co.com>
To: ryan.wessels@...ler.com
Cc: bugtraq@...urityfocus.com, psirt@...co.com
Subject: Re: Clear Text Storage of Password in CS-MARS v6.0.4 and Earlier

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@...ler.com wrote:

> 1. First, after logging onto the console, either pnlog mailto or pnlog
> scpto will send the logs off of the box to a destination you specify;
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iteration of sysbacktrace.X contains 30 occurrences
> of our password (95 files, 30 occurrences each = 2,850 occurrences of our
> password):

[...]

> 5. Granted, access to the sysbacktrace logs is only possible with
> ssh access to the box; however, these logs, if attached to a support
> ticket through email, are sent in the clear, or if these log files are
> routinely dumped and stored, the password is available in clear text.
> Additionally, in most cases MARS will be monitoring Active Directory
> data; in order to access Domain Controllers, 'Domain Admin' rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. I've filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----
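
An added example, not part of the original message and not Cisco code: a check an operator could run over exported copies of the sysbacktrace files before attaching them to a support ticket, counting a known credential per file and masking it. The `sysbacktrace.*` glob follows the file naming in the report; the function names, sample log lines and password are constructed for illustration.

```python
import getpass
import tempfile
from pathlib import Path

MASK = b"####"  # same masking the report uses when quoting the password


def audit_and_redact(log_dir, secret, pattern="sysbacktrace.*", redact=False):
    """Count occurrences of `secret` per log file; optionally mask them in place.

    Returns {filename: count} for the files that contain the secret.
    """
    if not secret:
        raise ValueError("empty secret would match everywhere")
    needle = secret.encode() if isinstance(secret, str) else secret
    hits = {}
    for path in sorted(Path(log_dir).glob(pattern)):
        if not path.is_file():
            continue
        data = path.read_bytes()  # bytes: logs may hold non-UTF-8 data
        n = data.count(needle)
        if n == 0:
            continue
        hits[path.name] = n
        if redact:
            path.write_bytes(data.replace(needle, MASK))
    return hits


def demo():
    """Constructed sample: 3 fake log files, 2 of which leak a made-up password."""
    secret = "Examp1e-Pa55"  # constructed value, not from the report
    with tempfile.TemporaryDirectory() as d:
        for i, leaks in enumerate([30, 0, 2], start=1):
            lines = [f"conn host=dc01 user=svc pw={secret}\n"] * leaks
            lines.append("heartbeat ok\n")
            Path(d, f"sysbacktrace.{i}").write_text("".join(lines))
        before = audit_and_redact(d, secret, redact=True)
        after = audit_and_redact(d, secret)
        masked = Path(d, "sysbacktrace.3").read_text()
    return before, after, masked


if __name__ == "__main__":
    # Prompt for the secret so it never lands in shell history or `ps` output.
    found = audit_and_redact(".", getpass.getpass("Secret to look for: "))
    for name, n in found.items():
        print(f"{name}: {n} occurrence(s)")
    print(f"{len(found)} file(s), {sum(found.values())} occurrence(s) total")
```

Run it against exported copies only; masking those copies does not change what is still stored on the appliance.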
