RSA Web Threat Detection 6.0 security scan found hard coded credentials in python.zip file
Originally Published: 2017-10-11
Article Number
Applies To
RSA Product/Service Type: Mitigator
RSA Version/Condition: 6.0
Issue
- The PostgreSQL database in RSA Web Threat Detection has hard coded credentials on the UI server
- There is a finding in WTD 6.1 which claims there are hard coded credentials on the UI server in file /var/opt/silvertail/lib/python.zip/st/savesearchdb/_init_.pyc
- This file contains lines that create database users with passwords; for example:
INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('admin', '$1$6BxoIBYT$cOkc.TDUb7lx.ZCgmMVdE.', 2, '2012-05-04 11:49:50.840925', '2013-07-19 10:22:22.870977', '', NULL, 0 , 'f', '.');
INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('super', '$1$NyiiuHTF$beciK2eFRIpf6SYVoR3XP0', 3, '2012-05-04 11:49:50.878399', '2013-07-19 10:21:44.70939', NULL, NULL, 0 , 'f', 'global');
INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('user1', '$1$NyiiuHTF$beciK2eFRIpf6SYVoR3XP0', 1, '2012-05-04 11:49:50.878399', '2013-07-19 10:21:44.70939', NULL, NULL, 0 , 'f', 'global');
INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('tenant1', '$1$TTIiVB2R$3cmIErzwgtJPcJhN168Bl1', 2, '2012-05-04 14:14:05.390958', '2013-07-19 10:21:49.968936', NULL, '2012-05-04 14:20:05.390958', 0 , 'f', 'tenant1');
INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('user1', '$1$TTIiVB2R$3cmIErzwgtJPcJhN168Bl1', 1, '2012-05-04 14:14:05.390958', '2013-07-19 10:21:48.968936', NULL, '2012-05-04 14:20:05.390958', 0 , 'f', 'tenant1');
INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('tenant2', '$1$Nkr242XN$WMLkwiHsS5EZIs/JL8dWS.', 2, '2012-05-04 14:14:24.757756', '2013-07-19 10:21:54.705195', NULL, '2012-05-04 14:20:24.7577568', 0 , 'f', 'tenant2');
INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('user1', '$1$Nkr242XN$WMLkwiHsS5EZIs/JL8dWS.', 1, '2012-05-04 14:14:24.757756', '2013-07-19 10:21:44.705195', NULL, '2012-05-04 14:20:24.7577568', 0 , 'f', 'tenant2');
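The kind of check that produces this finding can be reproduced as an audit script. The following is an added example, not RSA's code and not the scanner's: it reads every member of a zip archive as raw bytes (string constants survive compilation to .pyc), reports seeded accounts whose password is a crypt-style hash, and groups accounts that share one hash, as several rows above do. The function names, the member name st/savesearchdb/seed.pyc and the hash values are constructed for the example.

```python
import io
import re
import zipfile
from collections import defaultdict

# crypt(3) modular format prefixes: $1$ MD5-crypt, $5$ SHA-256-crypt, $6$ SHA-512-crypt
SCHEMES = {b"1": "md5-crypt", b"5": "sha256-crypt", b"6": "sha512-crypt"}
# A quoted username followed by a quoted crypt hash, as in the VALUES tuples above.
SEED_ROW = re.compile(
    rb"VALUES\s*\(\s*'([^']+)'\s*,\s*'(\$([156])\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{22,86})'"
)

def scan_archive(data: bytes):
    """Return one finding per seeded account found in any archive member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)  # raw bytes, so .pyc members are covered too
            for m in SEED_ROW.finditer(blob):
                findings.append({
                    "member": info.filename,
                    "user": m.group(1).decode(),
                    "scheme": SCHEMES[m.group(3)],
                    "hash": m.group(2).decode(),
                })
    return findings

def shared_hashes(findings):
    """Group accounts by hash; an identical salt and hash means an identical password."""
    by_hash = defaultdict(list)
    for f in findings:
        by_hash[f["hash"]].append(f["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}

def build_sample_archive() -> bytes:
    """Constructed stand-in for python.zip; member names and hashes are made up."""
    h1, h2 = "$1$AAAAAAAA$" + "b" * 22, "$1$CCCCCCCC$" + "d" * 22
    rows = [("admin", h1), ("super", h2), ("user1", h2)]
    sql = "".join(f"INSERT INTO users (username, password)\nVALUES ('{u}', '{h}');\n"
                  for u, h in rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("st/savesearchdb/seed.pyc", b"\x00\x01" + sql.encode())
        zf.writestr("st/other/util.py", "print('no credentials here')\n")
    return buf.getvalue()

if __name__ == "__main__":
    found = scan_archive(build_sample_archive())
    for f in found:
        print(f["member"], f["user"], f["scheme"])
    for users in shared_hashes(found).values():
        print("shared hash:", ", ".join(users))
```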
Some Frequently Asked Questions
- What is this python.zip and how is it created?
It was created during upgrade from version 4.6 to 5.0.
- Can python.zip be safely removed so that we could get rid of this hard coded credentials vulnerability?
The python.zip contains Python code that is used in several modules; therefore, it cannot be removed.
- What is Savesearch DB?
There is a function called Savesearch DB administration tools, which creates searches on the database and also inserts users during the process. The hard coded credentials of these users are stored in _init_.pyc.
- What is this tool for? Does it run automatically on install or update?
It is a command line interface to the Savesearch DB administration tools.
Commands in Savesearch DB
Commands in this tool include:
| Command | Information |
|---|---|
| install | Installs Savesearch DB on a bare system. Equivalent to the following sequence of commands: |
| pgversion | Displays the PostgreSQL version. |
| init | Initializes the file system to support the PostgreSQL server. |
| pushconf | Pushes PostgreSQL server configuration files into place. |
| start | Launches the PostgreSQL server processes. |
| status | Prints status of the PostgreSQL server. |
| stop | Shuts down the PostgreSQL server processes (pending connections closed). |
| createdb | Creates the PostgreSQL database that will contain the Savesearch DB. |
| createschema | Creates the schema in the database. |
| createuser | Creates the PostgreSQL user as configured in the conf. |
| verify | Verifies the database against the configuration by attempting to connect and checking the schema. |
Resolution