000035628 - RSA Web Threat Detection 6.0 security scan found hard coded credentials in python.zip file

Document created by RSA Customer Support Employee on Jul 12, 2018
Last modified by RSA Customer Support Employee on Jul 12, 2018
Version 2

Article Content

Article Number: 000035628
Applies To: RSA Product Set: Web Threat Detection
RSA Product/Service Type: Mitigator
RSA Version/Condition: 6.0
 
Issue

The issue has been described as follows:
  • The PostgreSQL database in RSA Web Threat Detection has hard coded credentials on the UI server
  • There is a finding in WTD 6.1 which claims there are hard coded credentials on the UI server in file /var/opt/silvertail/lib/python.zip/st/savesearchdb/_init_.pyc
  • There are some lines to create database users with passwords in this file; for example,


INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('admin', '$1$6BxoIBYT$cOkc.TDUb7lx.ZCgmMVdE.', 2, '2012-05-04 11:49:50.840925', '2013-07-19 10:22:22.870977', '', NULL, 0 , 'f', '.');

INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('super', '$1$NyiiuHTF$beciK2eFRIpf6SYVoR3XP0', 3, '2012-05-04 11:49:50.878399', '2013-07-19 10:21:44.70939', NULL, NULL, 0 , 'f', 'global');

INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('user1', '$1$NyiiuHTF$beciK2eFRIpf6SYVoR3XP0', 1, '2012-05-04 11:49:50.878399', '2013-07-19 10:21:44.70939', NULL, NULL, 0 , 'f', 'global');

INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('tenant1', '$1$TTIiVB2R$3cmIErzwgtJPcJhN168Bl1', 2, '2012-05-04 14:14:05.390958', '2013-07-19 10:21:49.968936', NULL, '2012-05-04 14:20:05.390958', 0 , 'f', 'tenant1');

INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('user1', '$1$TTIiVB2R$3cmIErzwgtJPcJhN168Bl1', 1, '2012-05-04 14:14:05.390958', '2013-07-19 10:21:48.968936', NULL, '2012-05-04 14:20:05.390958', 0 , 'f', 'tenant1');

INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('tenant2', '$1$Nkr242XN$WMLkwiHsS5EZIs/JL8dWS.', 2, '2012-05-04 14:14:24.757756', '2013-07-19 10:21:54.705195', NULL, '2012-05-04 14:20:24.7577568', 0 , 'f', 'tenant2');

INSERT INTO users (username, password, accesslevel, created, lastlogin, prevpasswd, expiredate, fails, locked, tenantid)
VALUES ('user1', '$1$Nkr242XN$WMLkwiHsS5EZIs/JL8dWS.', 1, '2012-05-04 14:14:24.757756', '2013-07-19 10:21:44.705195', NULL, '2012-05-04 14:20:24.7577568', 0 , 'f', 'tenant2');
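
The `$1$` prefix on the values above is the crypt(3) identifier for MD5-crypt, and two of the hashes appear on more than one account row. The following is an added example, not RSA's code or part of the original article: an audit script that finds crypt-style hashes inside a zip of compiled Python and counts how often each is reused. It goes beyond the page by also matching the `$5$` and `$6$` identifiers; the archive, member names and hash values are constructed placeholders.

```python
import importlib.util
import io
import marshal
import re
import zipfile
from collections import defaultdict

# crypt(3) modular format: $id$salt$digest. Only ids 1, 5 and 6 are matched here.
CRYPT_RE = re.compile(rb"\$([156])\$([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{22,86})")
SCHEMES = {b"1": "md5crypt", b"5": "sha256crypt", b"6": "sha512crypt"}


def scan_archive(data):
    """Map each crypt-style hash found in a zip to the (member, offset) places it occurs."""
    hits = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # .pyc string constants are stored as raw bytes, so a byte regex sees them.
            for m in CRYPT_RE.finditer(zf.read(info)):
                hits[m.group(0).decode()].append((info.filename, m.start()))
    return dict(hits)


def findings(data):
    """Return (scheme, hash, occurrences) tuples, most reused first."""
    rows = [(SCHEMES[h.split("$")[1].encode()], h, len(locs))
            for h, locs in scan_archive(data).items()]
    return sorted(rows, key=lambda r: (-r[2], r[1]))


def build_sample():
    """Constructed archive: one compiled module seeding three rows, two sharing a hash."""
    h1 = "$1$AAAAAAAA$" + "B" * 22   # constructed placeholder, not a real hash
    h2 = "$1$CCCCCCCC$" + "D" * 22   # constructed placeholder, not a real hash
    src = ("SEED = \"INSERT INTO users (username, password) VALUES "
           f"('a', '{h1}'), ('b', '{h1}'), ('c', '{h2}');\"\n")
    pyc = (importlib.util.MAGIC_NUMBER + b"\0" * 12
           + marshal.dumps(compile(src, "seed.py", "exec")))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pkg/seed.pyc", pyc)
        zf.writestr("pkg/readme.txt", "no secrets here")
    return buf.getvalue()


if __name__ == "__main__":
    for scheme, digest, count in findings(build_sample()):
        print(f"{scheme:12} x{count}  {digest}")
```

A hash reported with a count above one means several seeded accounts share a password, so rotating one of them does not clear the finding for the others.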

 

Some Frequently Asked Questions




  • What is this python.zip and how is it created?



It was created during upgrade from version 4.6 to 5.0.



  • Can python.zip be safely removed so that we could get rid of this hard coded credentials vulnerability? 



The python.zip contains Python code which is used in several modules; therefore, it cannot be removed.



  • What is Savesearch DB?  



There is a function called Savesearch DB administration tools which creates searches on the database and also inserts users during the process; these users' hard coded credentials are stored in _init_.pyc.



  • What is this tool for? Does it run automatically on install or update?  



It is a command line interface to the Savesearch DB administration tools.
 


Commands in Savesearch DB 



Commands in this tool include:
 



Command: Information

install: Installs Savesearch DB on a bare system. Equivalent to the following sequence of commands:
  1. init
  2. pushconf
  3. start
  4. createdb
  5. createschema
  6. createuser
pgversion: Displays the PostgreSQL version.
init: Initializes the file system to support the PostgreSQL server.
pushconf: Pushes PostgreSQL server configuration files into place.
start: Launches the PostgreSQL server processes.
status: Prints status of the PostgreSQL server.
stop: Shuts down the PostgreSQL server processes (pending connections closed).
createdb: Creates the PostgreSQL database that will contain the Savesearch DB.
createschema: Creates the schema in the database.
createuser: Creates the PostgreSQL user as configured in the conf.
verify: Verify the database versus configuration by attempting to connect and check the schema.


Resolution

Engineering has responded in WTD-5554 that there will be a fix. This issue is a Security Candidate for 2018.
