BEST OF THE WEB

Don’t take a pass on optional administrative password opportunities

Password management has been a thorn in the sides of CISOs for some time, not only to keep track of passwords but also the never-ending fight to ensure all employees use secure ones.

But infosec leaders also have to take advantage of optional password features to ensure systems are locked down. Anything that touches the network and has an administrator console should have mandatory password control or it could be an access point for an attacker. But sometimes vendors don’t close this door completely. Case in point: Hewlett-Packard’s SiteScope application monitoring tool running on Windows.

Rapid7, which makes incident response solutions, has warned that an attacker who gains access to SiteScope’s administration console can execute arbitrary commands on a Windows operating system. While the console can be password protected, it isn’t mandatory. So, researchers discovered, if the console isn’t locked down an attacker could get to it and become an authenticated user.

“Once logged in, an attacker may navigate to the DNS Tool … and enter any domain name for resolution in the ‘Host name to resolve’ field, and append any other valid operating system command with the usual techniques,” Rapid7 says. “For example, attempting to resolve `google.com & net user HPpoc QWERty1234 /ADD & net localgroup administrators HPpoc /ADD` results in successfully creating a user and adding the user to the local administrators group.”  An attacker may similarly append any operating system command in the ‘DNS Server’ field as well, the blog says.

Researchers say this can be mitigated in two ways: First, CISOs should ensure the administrator password option is taken (and, obviously, a hardened password is chosen) and access restricted to trusted users. That may not be a complete answer, researchers say, because on Windows SiteScope appears to require local SYSTEM access, so account permissions for the application or individual users “would not appear to be effective on this operating system.” The alternative is to switch SiteScope to a Linux server and run as a non-root user.

HP has been notified of the possible exploit. Rapid7 notes that in discussions with the company HP prefers the Linux option.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web