SecurityTracker.com

SecurityTracker
Archives


 


Category: Application (Generic) > HPE Systems Insight Manager
Vendors: Compaq
Compaq Insight Manager May Include a Vulnerable Default Configuration of Microsoft MSDE/SQL Server That Allows Remote Users to Execute Commands on the System
SecurityTracker Alert ID: 1004541
SecurityTracker URL: http://securitytracker.com/id/1004541
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 14 2002
Impact: Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Insight Manager XE (version 1.1 and later), Insight Manager 7 (all versions)
Description: Compaq issued an advisory for Insight Manager based on an underlying configuration flaw in the Microsoft MSDE/SQL Server that ships with it. A remote user may be able to execute arbitrary commands on the system.

Compaq noted that the MSDE/SQL Server may be configured by default with an account named "sa" with no password. According to the report, broad-based attacks on sites running Microsoft's SQL Server have been observed by many security research groups and reported by CERT/CC.

The MSDE capability was included on the Compaq Management CD beginning with the release of Compaq Insight Manager XE 1.1. However, it is apparently not installed as part of the Compaq Insight Manager installation program.

Compaq reports that the Insight Manager installation process recommends that the "sa" account password be set upon installation, and that default installations of MSDE from the Compaq Management CD (or the Insight Manager 7 softpaqs) are not properly secured unless the administrator takes explicit manual action to secure them.

A remote user could log in to the server with the blank "sa" password and execute shell commands on the server.

Impact:   A remote user could connect to the SQL port and execute arbitrary SQL commands, including operating system shell commands.
Solution:   The resolution is to change the default null password for the MSDE 'sa' account using the following steps described by Compaq:

"o Log into Insight Manager 7 as an administrator (prior to changing it in MSDE), click on Settings>Server>Database, change the "SA" password to your new password for the database. Note: A typical secure password for the database account should be greater than six characters and contain alpha and numeric characters.

o Stop the Insight Manager 7 service. Open a command window and navigate to the MSSQL7 directory.

o Type osql -Usa -P (this will log you on with the blank password provided the default password was not changed during installation)

o Type sp_password @old="", @new= <choose-a-new-password-here>, @loginame = sa (Note: no space between the double quotes)

o Type go

o You will get a "Password changed." message

o Type exit

o Restart the Insight Manager 7 service. It should login and run with the new password. Note: If the password was not changed successfully, then the Insight Manager 7 service will stop. At this time, call Compaq Customer Support in to resolve the situation."
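As an added example, not part of the Compaq bulletin or the SecurityTracker write-up: a T-SQL script an administrator can feed to osql to check whether the MSDE/SQL Server 7 "sa" login still accepts the blank password, confirm the login mode, and apply the same sp_password change as the steps above. It assumes the SQL Server 7.0/2000-era catalog (master..syslogins, PWDCOMPARE, xp_loginconfig), an assumed file name sa_audit.sql, and a placeholder password that must be replaced before step 3 does anything.

```sql
-- Added example (not from the Compaq bulletin): audit and remediate the MSDE / SQL Server 7
-- "sa" login from an osql session, e.g.  osql -Usa -P -i sa_audit.sql   (file name assumed).
-- osql runs with QUOTED_IDENTIFIER OFF, which is why the bulletin's @old="" works as an
-- empty string literal; single quotes are used here so the script also runs where it is ON.
SET NOCOUNT ON
GO

-- 1. Does the sa login still accept an empty password?
--    A never-set password may be stored as NULL; otherwise PWDCOMPARE() hashes the
--    candidate and compares it with the stored hash in master..syslogins (assumed catalog).
IF EXISTS (SELECT 1 FROM master..syslogins
           WHERE name = 'sa'
             AND (password IS NULL OR PWDCOMPARE('', password) = 1))
    PRINT 'FINDING: sa login has a blank password'
ELSE
    PRINT 'OK: sa login password is not blank'
GO

-- 2. Is SQL Server authentication (mixed mode) enabled?  With Windows-only
--    authentication the sa login is not usable over TCP 1433 at all.
EXEC master..xp_loginconfig 'login mode'
GO

-- 3. Remediation: change the sa password (only needed if step 1 reported a finding).
--    Set the same value in Insight Manager 7 (Settings > Server > Database) before
--    restarting its service, as the bulletin's steps describe.
DECLARE @newpw sysname
SET @newpw = 'CHANGE-ME-placeholder'       -- placeholder, not a real password
IF @newpw = 'CHANGE-ME-placeholder'
    PRINT 'Edit this script and set a real password before running step 3'
ELSE
BEGIN
    EXEC sp_password @old = '', @new = @newpw, @loginame = 'sa'
    -- 4. Verify: the blank password must no longer match after the change.
    IF EXISTS (SELECT 1 FROM master..syslogins
               WHERE name = 'sa'
                 AND (password IS NULL OR PWDCOMPARE('', password) = 1))
        PRINT 'ERROR: sa password is still blank'
    ELSE
        PRINT 'Verified: sa password is no longer blank'
END
GO
```

Run steps 1 and 2 first as a read-only audit; step 3 stays a no-op until the placeholder is edited.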

For further information, Compaq recommends that you contact HP Services.

Vendor URL: www.compaq.com/
Cause:   Configuration error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [bulletin] (SSRT2195) Compaq Insight Manager & Potential SQL Server /MSDE Security Vulnerability


Priority: Urgent
Importance: high
From: "Boren, Rich (SSRT)" <Rich.Boren@hp.com>
To: "Security Patch Mailing List" <security@list.support.compaq.com>
X-OriginalArrivalTime: 14 Jun 2002 17:21:44.0540 (UTC) FILETIME=[F4BF69C0:01C213C7]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(SSRT2195) Compaq Insight Manager & Potential SQL Server
           /MSDE Security Vulnerability

REVISION: 1

NOTICE: There are no restrictions for distribution of this Bulletin
        provided that it remains complete and intact.

RELEASE DATE: June 2002

SEVERITY: 2

SOURCE:
    Compaq Computer Corporation, a wholly-owned subsidiary of
    Hewlett-Packard Company and Hewlett-Packard Company HP Services
    Software Security Response Team


CROSS REFERENCE:  (CERT Incident Note IN-2002-04)

PROBLEM SUMMARY:

Broad-based attacks on Microsoft's SQL Server sites have been
recently discovered by many security research groups and reported
in an incident note by CERT/CC. It first became apparent when it
was observed that there was a sudden increase in hosts scanning
for port 1433, the port commonly used by Microsoft's SQL Server.
This bulletin is in follow-up to the previous announcements that
describe this potential threat. The malicious code propagates via
an account "SA" that was set up, by the MSDE/SQL Server installation
program, with no default password. The capability to use MSDE
(free, scaled down version of Microsoft SQL Server) was included
on the Compaq Management CD beginning with the release of
Compaq Insight Manager XE 1.1, but is not installed as part of the
Compaq Insight Manager installation program. The MSDE installation
program is included (as a batch file) on all subsequent Compaq
Management CDs and must be installed manually. Although the Compaq
Insight Manager installation recommends that the "sa" account be
set upon installation, default installations of MSDE from the
Compaq Management CD (or the Insight Manager 7 softpaqs) are not
properly secured without manual intervention.


VERSIONS IMPACTED:

    Compaq Insight Manager XE (Version 1.1 and later)
    Compaq Insight Manager 7 (all versions)

RESOLUTION: Note: If during current installations of Insight Manager
            the MSDE "SA" account password has been changed from the
            no password default, the impact of this potential threat
            has been diminished. The process to change or check for
            the default no password "SA" account for MSDE is:

    o Log into Insight Manager 7 as an administrator (prior to
      changing it in MSDE), click on Settings>Server>Database,
      change the "SA" password to your new password for the database.

      Note: A typical secure password for the database account
      should be greater than six characters and contain alpha and
      numeric characters.

    o Stop the Insight Manager 7 service. Open a command window and
      navigate to the MSSQL7 directory.


    o Type osql -Usa -P (this will log you on with the blank
      password provided the default password was not changed
      during installation)

    o Type sp_password @old="", @new= <choose-a-new-password-here>,
      @loginame = sa (Note: no space between the double quotes)

    o Type go

    o You will get a "Password changed." message

    o Type exit

    o Restart the Insight Manager 7 service. It should login and
      run with the new password. Note: If the password was not
      changed successfully, then the Insight Manager 7 service
      will stop. At this time, call Compaq Customer Support in
      to resolve the situation.


SUPPORT: For further information, contact HP Services.


SUBSCRIBE:  To subscribe to automatically receive future
            Security Bulletins  from the Software Security
            Response Team via electronic mail:
    http://www.support.compaq.com/patches/mailing-list.shtml

    HP and Compaq appreciate your cooperation and patience.
    As always, HP and Compaq urge you to periodically review
    your system management and security procedures. HP and
    Compaq will continue to review and enhance the security
    features of their products and work with our customers
    to maintain and improve the security and integrity of their
    systems.

    "HP and Compaq are broadly distributing this Security Bulletin
    in order to bring to the attention of users of the affected
    Compaq products the important security information contained
    in this Bulletin.  HP and Compaq recommend that all users
    determine the applicability of this information to
    their individual situations and take appropriate action.
    Neither HP nor Compaq warrant that this information is
    necessarily accurate or complete for all user situations and,
    consequently, neither HP nor Compaq will be responsible for
    any damages resulting from user's use or disregard of the
    information provided in this Bulletin."


 Copyright 2002 Compaq Information Technologies Group, L.P.
 Compaq shall not be liable for technical or editorial errors or
 omissions contained herein. The information in this document is
 subject to change without notice. Compaq and the names of Compaq
 products referenced herein are trademarks of Compaq Information
 Technologies Group, L.P. in the United States and other countries.
 Other product and company names mentioned herein may be trademarks
 of their respective owners.
