CiscoWorks Network Compliance Manager

Field Notice: FN - 62500 - CiscoWorks Network Compliance Manager (NCM) 1.0 - Database Security Threat - Workaround Available


September 21, 2006

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Product                                   Comments
Network Compliance Manager (NCM) - 1.0    When installed with MySQL on Linux or Solaris Platform

Problem Description

CiscoWorks Network Compliance Manager (NCM) Version 1.0 may pose a security threat to the NCM server database (MySQL) when both NCM 1.0 software and the MySQL database are installed on the same Linux or Solaris server.

Installations of NCM and MySQL where MySQL is installed on a separate host from NCM are not vulnerable, regardless of platform.

Background

To be vulnerable, NCM and MySQL must be installed on the same host by the NCM setup and installation program. The affected versions are listed below:

NCM 1.0 with MySQL running on Linux

NCM 1.0 with MySQL running on Solaris

The /etc/init.d/mysql script contains the root password of the MySQL database:

-"INPUT_DB_PASSWORD=mysql123"

-"bin/mysqladmin -uroot -pmysql123 shutdown"

The file permissions on /etc/init.d/mysql allow all users with a login to the NCM server host to view the root password:

-rwxrwxr-x 1 root root 1856 Jul 22 10:43 mysql

Workaround/Solution

Change the file permissions of /etc/init.d/mysql to allow root read/write only.

Steps:

  1. Log in to the NCM server as root.

  2. Type: # chmod 710 /etc/init.d/mysql

  3. Type: # ls -l /etc/init.d/mysql

The file should have the following permission:

-rwx--x--- 1 root root 1856 Jul 22 10:43 mysql
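
An added example, not part of Cisco's notice: a shell check for the condition described above (a password embedded in an init script that users outside the owner and group can read), run against a constructed stand-in file before and after the chmod 710 workaround. The function names, the sample file and the placeholder password are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an init script for the exposure in this field notice.

# Prints the permission string as ls -l shows it, e.g. -rwxrwxr-x.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds when users outside owner and group have read permission.
other_can_read() {
    [ "$(mode_string "$1" | cut -c8)" = "r" ]
}

# Succeeds when the file holds a PASSWORD= assignment or a -p<password>
# argument to mysql/mysqladmin, the two patterns quoted in the notice.
has_embedded_password() {
    grep -Eq '(PASSWORD=[^[:space:]]+|mysql(admin)?[[:space:]](.*[[:space:]])?-p[^[:space:]]+)' "$1"
}

# Prints CLEAN, EXPOSED or RESTRICTED for one file.
audit_init_script() {
    if ! has_embedded_password "$1"; then
        echo "CLEAN"
    elif other_can_read "$1"; then
        echo "EXPOSED"
    else
        echo "RESTRICTED"
    fi
}

# Constructed sample: a stand-in for /etc/init.d/mysql with a placeholder
# password and the mode shown in the notice (rwxrwxr-x).
make_sample() {
    sample=$(mktemp) || return 1
    printf '%s\n' '#!/bin/sh' 'INPUT_DB_PASSWORD=EXAMPLE_PLACEHOLDER' \
        'bin/mysqladmin -uroot -pEXAMPLE_PLACEHOLDER shutdown' > "$sample"
    chmod 775 "$sample"
    echo "$sample"
}

demo() {
    f=$(make_sample) || return 1
    echo "before: $(mode_string "$f") $(audit_init_script "$f")"
    chmod 710 "$f"    # the workaround from the notice
    echo "after:  $(mode_string "$f") $(audit_init_script "$f")"
    rm -f "$f"
}
demo
```

A RESTRICTED result means the password is still stored in the script but is no longer readable by users outside the owner and group.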

Revision History

Revision    Date           Comment
1.0         21-SEP-2006    Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.