SecurityTracker.com

Category:  Application (Security)  >  NeWT
Vendors:  Tenable Network Security
NeWT Discloses Remote Account Passwords to Local Users
SecurityTracker Alert ID:  1009576
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 29 2004
Impact:  Disclosure of authentication information
Exploit Included:  Yes
Vendor Confirmed:  Yes
Version(s): 1.4 and prior versions; possibly also version 1.5
Description:  An access control vulnerability was reported in the NeWT vulnerability scanner. A local user can obtain passwords used by the scanner in conducting network scans.

It is reported that the software stores usernames and passwords in plaintext in the 'config.xml' configuration file on the target system. The information includes passwords for FTP, IMAP, POP2, POP3, NNTP, SNMP, and SMB (Windows NT Domain) accounts, the report said.

The configuration file is reportedly stored in the following location:

\Documents and Settings\<Username>\Tenable\NeWT\config\config.xml

The vendor was reportedly notified on December 4, 2003.

Impact:  A local user can obtain passwords for accounts to be scanned by NeWT.
Solution:  No solution was available at the time of this entry. According to the report, the vendor does not consider this to represent a security risk.
Vendor URL:  www.tenablesecurity.com/newt.html
Cause:  Access control error
Underlying OS:  Windows (Any)
Reported By:  Kevin_Davis <computerguy@cfl.rr.com>
Message History:   None.
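
With no vendor fix available, an administrator can at least check which accounts are able to read the file named above. The following PowerShell is an added example, not part of the advisory or of any vendor material; it assumes profiles sit under the system drive's "Documents and Settings" folder, and the function name Get-NewtConfigExposure and the list of expected principals are illustrative choices.

```powershell
# Added example: list principals, other than the file owner and the expected
# administrative accounts, that can read NeWT's config.xml in any profile.
# Run from an elevated session so other users' profiles can be inspected.

# Assumption: profiles sit under "<SystemDrive>\Documents and Settings",
# as in the advisory's path; change $ProfileRoot for other layouts.
$ProfileRoot  = Join-Path $env:SystemDrive 'Documents and Settings'
$RelativePath = 'Tenable\NeWT\config\config.xml'   # path from the advisory

# Assumption: these principals are expected to have access on this host.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# ReadData is the right that lets a principal read the file's contents.
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-NewtConfigExposure {   # hypothetical helper name
    param([string]$Root = $ProfileRoot)

    $dirs = Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        $file = Join-Path $dir.FullName $RelativePath
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }

        $acl = Get-Acl -LiteralPath $file
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            $canRead = ($ace.AccessControlType -eq 'Allow') -and
                       (([int]$ace.FileSystemRights -band $ReadData) -ne 0)
            if (-not $canRead)           { continue }   # deny entry or no read right
            if ($id -eq $acl.Owner)      { continue }   # the file's owner
            if ($Expected -contains $id) { continue }   # expected admin access

            [pscustomobject]@{
                File      = $file
                Owner     = $acl.Owner
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-NewtConfigExposure | Format-Table -AutoSize
```

Each row returned is an allow entry that lets a principal beyond the owner and the expected accounts read the stored passwords. The check reads allow entries only and does not evaluate deny entries or group membership.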


 Source Message Contents

Date:  Sat, 27 Mar 2004 00:05:24 -0500
From:  ~Kevin Davis³ <computerguy@cfl.rr.com>
Subject:  [Full-Disclosure] NEWT Scanner stores credentials in plain text

I have posted this issue to a couple entities like NTbugtraq and CERT with no response.  Please read below...


Software Vendor: Tenable Security (www.tenablesecurity.com)
Software Package: Newt
Versions Affected: 1.4 and earlier (and possibly 1.5)
Synopsis: Username and password for various accounts stored in unencrypted plain text

Issue Date: Feb 22, 2004

Vendor Response: Vendor notified December 4, 2003
   Vendor declined to resolve issue

================================================================================

1. Summary

NEWT is a commercial Windows port of the open source Nessus Vulnerability scanner by Tenable security.  Newt stores the credentials of various types of accounts in unencrypted plain text in a configuration file.

2. Problem Description

The config.xml file stores username and password information for various types of accounts in unencrypted plain text.  Those parameters are typically set from the NEWT Scanner interface.  When setting these parameters, the user is also not informed of this sensitive information being stored insecurely.  This potentially affects the following types of accounts:

FTP
IMAP
POP2
POP3
NNTP
SNMP
SMB (Windows NT Domain)

Typically this config file is stored locally at the following location:

\Documents and Settings\<Username>\Tenable\NeWT\config\config.xml

3. Solution

None at this time.  A lengthy discussion with the vendor resulted in the vendor's decision that this was not a security risk that warrants resolution on.




Copyright 2004, SecurityGlobal.net LLC