A static (hard-coded) console username and password have been identified in Trustwave's WebDefend Enterprise Console product. With this information a remote attacker could gain access to the data in the database on the WebDefend appliance.
The static console username and password, together with the private key, can be used to authenticate to the appliance and access its data through the remote console GUI. This data is used for tracking web vulnerabilities in the customer's web site(s). The static login has been located in several of the console software's EXE and DLL files. The private key is installed by default with the console software rather than generated during installation, so every installation ships with the same key, and anyone who has a copy of the console software already possesses it.
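Locating the static login inside the console binaries and confirming that the shipped key is shared, as an added example that is not part of the original advisory or of the vendor's software. The credential values and the binary image below are constructed placeholders (the real username and password are deliberately not reproduced), the scan covers both plain ASCII and UTF-16LE wide strings because Windows binaries commonly store text in the latter and a plain `strings` run misses it, and the install path is the default one quoted in the advisory:

```python
"""Find hard-coded credential strings in Windows EXE/DLL images and
fingerprint a shipped private-key file.

Added example; not part of the original advisory or the vendor software.
The credentials and the binary blob are constructed placeholders.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

MIN_LEN = 6  # same default run length as strings(1)

# Printable ASCII run.
_ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE run: each printable ASCII byte followed by a NUL byte.
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE run."""
    for m in _ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_credentials(data: bytes, needles: List[str]) -> List[Tuple[int, str, str]]:
    """Return every extracted string containing one of `needles`.

    `needles` are the static username/password once known; the caller
    supplies them, nothing is hard-coded here.
    """
    hits = []
    for off, enc, text in extract_strings(data):
        if any(n in text for n in needles):
            hits.append((off, enc, text))
    return sorted(hits)


def scan_directory(root: Path, needles: List[str]) -> Dict[str, list]:
    """Scan every *.exe / *.dll under `root`; map relative path -> hits."""
    results: Dict[str, list] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in (".exe", ".dll"):
            hits = find_credentials(p.read_bytes(), needles)
            if hits:
                results[str(p.relative_to(root))] = hits
    return results


def key_fingerprint(data: bytes) -> str:
    """SHA-256 of a key file. A key copied out of the installer is byte-
    identical on every console; an equal fingerprint on two independent
    installs shows the key was not generated per site."""
    return hashlib.sha256(data).hexdigest()


# --- constructed sample input (placeholder values, not the real login) ---
FAKE_USER = "wdconsole_svc"
FAKE_PASS = "Placeh0lderPass"


def build_fake_dll() -> bytes:
    """Blob shaped like a binary: junk, an ASCII connection string holding
    the user name, junk, then the password as a UTF-16LE wide string."""
    junk = bytes(range(256))
    return (
        b"MZ" + junk
        + b"ConnectionString=Server=localhost;User=" + FAKE_USER.encode() + b";\x00"
        + junk[::-1]
        + FAKE_PASS.encode("utf-16le") + b"\x00\x00"
        + junk
    )


if __name__ == "__main__":
    blob = build_fake_dll()
    for off, enc, text in find_credentials(blob, [FAKE_USER, FAKE_PASS]):
        print(f"0x{off:06x} {enc:8} {text}")
    # Against a real install (assumption: the default path from the advisory):
    # root = Path(r"C:\Program Files\Breach Security\WebDefend Enterprise Console")
    # print(scan_directory(root, ["<static user>", "<static password>"]))
    # print(key_fingerprint((root / "bin" / "bwdschedreports.prk").read_bytes()))
```

Run the scan once with the credentials recovered from the product and compare `key_fingerprint` of `bwdschedreports.prk` between two unrelated installations: matching hashes confirm the key is shipped, not generated, and the hit list tells you which binaries carry the login and whether it is stored as narrow or wide text.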
The private key file is located in:
%SystemDrive%\Program Files\Breach Security\WebDefend Enterprise Console\bin\bwdschedreports.prk
The static username and password are located in the files listed below:
Could potentially allow an attacker access to all data pertaining to vulnerabilities in a victim's web site(s).
4. Affected Products:
WebDefend Enterprise Manager Appliance v4.0 (6.45.659)
WebDefend Enterprise Console software v4.0 (6.45.659)
5. Solution: Apply the latest vendor-supplied patches.
6. Time Table:
10/22/2010 Reported vulnerability to the vendor
10/27/2010 Vendor acknowledged vulnerability
11/15/2010 Vendor published fix
Discovered by Nathan Power