Win NT Cheyenne Arcserve Exchange DB Agent v2 and Inoculan saves passwords in install logs!!!
Vulnerability

    exchverify.log

Affected

    Win NT Cheyenne Arcserve Exchange DB Agent v2 and Inoculan

Description

    Jamie Byrnes found the following.  On a recent browse around his
    Exchange server, he came across a c:\exchverify.log.  The contents
    of this file seem to indicate it is a log of the authentication
    verification process undertaken by the Cheyenne Arcserve Exchange
    DB Agent version 2 installation.  So what?  It contained much
    authentication stuff along with a few lines of:

        <EXCH-VERIFY>: ExchAuthenticate() called with NTServerName:[KBJV_SRV1]
        NTDomainName[KBJV_PERTH] adminMailbox:[xxxxxx] adminLoginName:[xxxxxx]
        password:[xxxxxx]

    with account, mailbox and password info in plain text.  Jamie had
    had trouble installing it last time and the log contained the
    three different accounts I had tried to install into, all with
    passwords.  We're talking high level accounts here.

    InocuLAN and ArcServe both have modules for Exchange Server.  It
    seems that both of these products (InocuLAN AV for Exchange and
    ArcServe Backup for Exchange) create the file c:\exchverify.log
    during installation.  So far it appears that this only happens
    when Exchange Server 5.5 is the MSX server in use (speculation).
    Build 53 of ArcServe Backup for Exchange puts the number of
    characters in the user password in the file, whereas Build 57 puts
    the password in plaintext (meaning the problem got worse with the
    newer version).  Build 57 is the latest version of this product
    available from CAI (at time of writing).

    On top of that, there are password fields stored in the registry
    under the \SOFTWARE\CHEYENNE\DSAgent\CurrentVersion\agent keys.
    In my install, both \dbaexch and \dbasql60 contained passwords in
    clear text, while \dbaxchg2 contained some obfuscated value
    (definitely not strongly encrypted).

Solution

    Clean up that file.  CA says they have implemented a new password
    encryption scheme, and also says that all occurrences of the
    password have been removed from the exchvrfy.log file.  There are
    two separate fixes:

    - T146159 for their ARCserve Backup Agent for Exchange (requires
      Release 6.5 build 622 of ARCserve for NT installed)
    - TF68089 for InocuLAN (requires Release 4.0 build 373 or 375 of
      InocuLAN installed, as well as build 64 of InocuLAN Exchange
      Agent)

    Both patches include VService.exe.  The one supplied with the
    InocuLAN patch is a newer version than the one supplied with the
    ARCserve patch, therefore one would assume that you should apply
    the ARCserve patch before the InocuLAN patch.
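
    As an aid to the cleanup, the following added example (not part of
    the original advisory or of CA's fixes) parses entries in the format
    quoted above, lists which accounts had a password written to the
    log, and blanks the password values.  The account names and
    passwords in the sample are constructed, and it assumes the password
    is the last field on its line, as in the quoted entry.

```python
import re

# Start of the entry quoted in the advisory; an entry may wrap over several lines.
ENTRY = re.compile(
    r"<EXCH-VERIFY>: ExchAuthenticate\(\) called with(.*?)(?=<EXCH-VERIFY>|\Z)", re.S)
# name:[value] pairs; the colon is optional because the log prints NTDomainName[...]
FIELD = re.compile(r"(\w+):?\[([^\]]*)\]")
# Greedy to the last ']' on the line so a password containing ']' is fully removed
# (assumption: password is the last field on its line, as in the quoted entry).
PASSWORD = re.compile(r"(password:?)\[.*\]", re.I)


def exposed_accounts(text):
    """Return sorted (domain, login) pairs logged with a non-empty password."""
    found = set()
    for entry in ENTRY.finditer(text):
        fields = {k.lower(): v for k, v in FIELD.findall(entry.group(1))}
        if fields.get("password"):
            found.add((fields.get("ntdomainname", ""),
                       fields.get("adminloginname", "")))
    return sorted(found)


def redact(text):
    """Blank every password value, leaving the rest of the log intact."""
    return PASSWORD.sub(r"\1[REDACTED]", text)


# Constructed sample: server and domain names are the ones in the advisory,
# accounts and passwords are invented for this example.
SAMPLE = """\
<EXCH-VERIFY>: ExchAuthenticate() called with NTServerName:[KBJV_SRV1] NTDomainName[KBJV_PERTH] adminMailbox:[backup] adminLoginName:[svc_backup] password:[Examp]e-1]
<EXCH-VERIFY>: some other verification step
<EXCH-VERIFY>: ExchAuthenticate() called with NTServerName:[KBJV_SRV1]
NTDomainName[KBJV_PERTH] adminMailbox:[admin] adminLoginName:[administrator]
password:[Example-2]
"""

if __name__ == "__main__":
    for domain, login in exposed_accounts(SAMPLE):
        print(f"password logged for {domain}\\{login}")
    print(redact(SAMPLE))
```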
