Vulnerability

exchverify.log

Affected

Win NT Cheyenne Arcserve Exchange DB Agent v2 and Inoculan

Description

Jamie Byrnes found the following. On a recent browse around his Exchange server, he came across a c:\exchverify.log. The contents of this file seem to indicate it is a log of the authentication verification process undertaken by the Cheyenne Arcserve Exchange DB Agent version 2 installation. So what? It contained much authentication stuff along with a few lines of:

    <EXCH-VERIFY>: ExchAuthenticate() called with NTServerName:[KBJV_SRV1] NTDomainName[KBJV_PERTH] adminMailbox:[xxxxxx] adminLoginName:[xxxxxx] password:[xxxxxx]

with account, mailbox and password info in plain text. Jamie had had trouble installing it last time and the log contained the three different accounts he had tried to install into, all with passwords. We're talking high level accounts here.

InocuLAN and ArcServe both have modules for Exchange Server. It seems that both of these products (InocuLAN AV for Exchange and ArcServe Backup for Exchange) create the file c:\exchverify.log during installation. So far it appears that this only happens when Exchange Server 5.5 is the MSX server in use (speculation). Build 53 of ArcServe Backup for Exchange puts the number of characters in the user password in the file, whereas Build 57 puts the password in plaintext (meaning the problem got worse with the newer version). Build 57 is the latest version of this product available from CAI (at time of writing).

On top of that, there are password fields stored in the registry under the \SOFTWARE\CHEYENNE\DSAgent\CurrentVersion\agent keys. In my install, both \dbaexch and \dbasql60 contained passwords in clear text, while \dbaxchg2 contained some obfuscated value (definitely not strongly encrypted).

Solution

Clean up that file. CA says they have implemented a new password encryption scheme, and also say that all occurrences of the password have been removed from the exchvrfy.log file. There are two separate fixes:

- T146159 for their ARCserve Backup Agent for Exchange (requires Release 6.5 build 622 of ARCserve for NT installed)
- TF68089 for InocuLAN (requires Release 4.0 build 373 or 375 of InocuLAN installed, as well as build 64 of InocuLAN Exchange Agent)

Both patches include VService.exe. The one supplied with the InocuLAN patch is a newer version than the one supplied with the ARCserve patch, therefore one would assume that you should apply the ARCserve patch before the InocuLAN patch.
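One way to carry out "Clean up that file", as an added example that is not part of the original advisory or any CA tooling: it lists the accounts whose passwords were logged and produces a redacted copy of the log. It assumes every credential entry follows the layout of the line quoted above; the function name `audit` and the sample values are constructed for illustration.

```python
import re
import sys

# Field layout copied from the log line quoted in the advisory. NTDomainName
# appears there without a colon, so the colon is optional for every field.
# The password group is greedy so a password containing "]" is still covered.
ENTRY = re.compile(
    r"ExchAuthenticate\(\) called with\s+"
    r"NTServerName:?\[(?P<server>[^\]]*)\]\s+"
    r"NTDomainName:?\[(?P<domain>[^\]]*)\]\s+"
    r"adminMailbox:?\[(?P<mailbox>[^\]]*)\]\s+"
    r"adminLoginName:?\[(?P<login>[^\]]*)\]\s+"
    r"password:?\[(?P<password>.*)\]"
)

def audit(lines):
    """Return (exposed, redacted).

    exposed:  sorted DOMAIN\\login accounts logged with a non-empty password.
    redacted: the same lines with every password value replaced.
    """
    exposed, redacted = set(), []
    for line in lines:
        m = ENTRY.search(line)
        if m:
            if m.group("password"):
                exposed.add(m.group("domain") + "\\" + m.group("login"))
            start, end = m.span("password")
            line = line[:start] + "REDACTED" + line[end:]
        redacted.append(line)
    return sorted(exposed), redacted

# Constructed sample input (not taken from a real system).
SAMPLE = [
    "<EXCH-VERIFY>: ExchAuthenticate() called with NTServerName:[SRV1] "
    "NTDomainName[CORP] adminMailbox:[backup] adminLoginName:[svc_backup] "
    "password:[Ex]ample-1]",
    "<EXCH-VERIFY>: constructed line without credentials",
    "<EXCH-VERIFY>: ExchAuthenticate() called with NTServerName:[SRV1] "
    "NTDomainName[CORP] adminMailbox:[admin] adminLoginName:[exadmin] "
    "password:[Ex-ample-2]",
]

if __name__ == "__main__":
    # Pass the log path as the first argument; without one, SAMPLE is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE
    accounts, clean = audit(lines)
    print("Accounts with logged passwords:", accounts)
    print("\n".join(clean))
```

The account list is the set of credentials to change once the file has been cleaned, since any value that was written to the log has to be treated as disclosed.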