Clear Text Storage of Password in CS-MARS v6.0.4 and Earlier

1. First after logging onto the console either pnlog mailto, or pnlog scpto will send the logs off of the box to a destination you specify, you can also display the logs using pnlog show.
[pnadmin]$ pnlog scpto ryan@10.4.61.206:/home/ryan
scp /tmp/error-logs.tar.gz ryan@10.4.61.206:/home/ryan/error-logs.tar.gz
The authenticity of host 10.4.61.206 (10.4.61.206) cant be established.
RSA key fingerprint is cc:c5:35:ad:be:16:4e:59:6a:48:90:c3:98:9f:a3:e4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 10.4.61.206 (RSA) to the list of known hosts.
ryan@10.4.61.206s password: 
error-logs.tar.gz                                                                                                                                                  100%   12MB  11.6MB/s   00:01    
scp /tmp/janus-logs.tar.gz ryan@10.4.61.206:/home/ryan/janus-logs.tar.gz
ryan@10.4.61.206s password: 
janus-logs.tar.gz                                                                                                                                                  100% 5830KB   5.7MB/s   00:01    
[pnadmin]$ 

2. After transfering the logs two files are produced as shown below.
root@ultidesk:~/logs# ls
error-logs.tar.gz  janus-logs.tar.gz
root@ultidesk:~/logs# 

3. After extraction the following files are created as well as a folder structre within the folder you copied the log files to.
root@ultidesk:~/logs# tar -xvf janus-logs.tar.gz 
opt/janus/release/bin/log/server/janus_log
opt/janus/release/bin/log/server/janus_log.1
opt/janus/release/bin/log/server/janus_log.2
opt/janus/release/bin/log/server/janus_log.3
opt/janus/release/bin/log/server/janus_log.4
opt/janus/release/bin/log/server/janus_log.5
opt/janus/release/bin/log/server/janus_log.6
opt/janus/release/bin/log/server/janus_log.7
opt/janus/release/bin/log/server/janus_log.8
opt/janus/release/bin/log/server/janus_log.9
tmp/raid_event.log
tmp/saslog.txt
root@ultidesk:~/logs# ls
error-logs.tar.gz  janus-logs.tar.gz  opt  tmp
root@ultidesk:~/logs# tar -xvf error-logs.tar.gz 
opt/janus/release/bin/log/server/janus_log
opt/janus/release/VERSION
opt/janus/jboss/server/default/log/feedback/jboss.log
opt/janus/jboss/server/default/log/feedback/jboss.log.1
opt/janus/jboss/server/default/log/feedback/jboss.log.2
etc/model
opt/janus/jboss/server/default/log/trace/jbossStackTrace-2009-08-20_10-33-07_CDT.log
tmp/kill-runGuardedBackcalc.log
tmp/restartJBoss.log
var/log/messages
var/log/messages.1
var/log/messages.2
var/log/messages.3
var/log/messages.4
var/log/upgrade_1215785121.log
var/log/upgrade_1215786450.log
var/log/upgrade_1215787232.log
var/log/upgrade_1224176330.log
var/log/upgrade_1224177537.log
var/log/upgrade_1224178406.log
var/log/upgrade_1237838103.log
var/log/upgrade_1238006432.log
var/log/upgradehistory.log
var/log/upgrade.log
var/log/upgrade.log.1245330683
var/log/upgrade.log.1250782367
var/log/upgrade_s1238170243.log
var/log/upgrade_s1245331100.log
var/log/upgrade_s1250782908.log
log/sysbacktrace.00
log/sysbacktrace.01
log/sysbacktrace.02
log/sysbacktrace.03
log/sysbacktrace.04
log/sysbacktrace.05
log/sysbacktrace.06
log/sysbacktrace.07
log/sysbacktrace.08
log/sysbacktrace.09
log/sysbacktrace.10
log/sysbacktrace.11
log/sysbacktrace.12
log/sysbacktrace.13
log/sysbacktrace.14
log/sysbacktrace.15
log/sysbacktrace.16
log/sysbacktrace.17
log/sysbacktrace.18
log/sysbacktrace.19
log/sysbacktrace.20
log/sysbacktrace.21
log/sysbacktrace.22
log/sysbacktrace.23
log/sysbacktrace.24
log/sysbacktrace.25
log/sysbacktrace.26
log/sysbacktrace.27
log/sysbacktrace.28
log/sysbacktrace.29
log/sysbacktrace.30
log/sysbacktrace.31
log/sysbacktrace.32
log/sysbacktrace.33
log/sysbacktrace.34
log/sysbacktrace.35
log/sysbacktrace.36
log/sysbacktrace.37
log/sysbacktrace.38
log/sysbacktrace.39
log/sysbacktrace.40
log/sysbacktrace.41
log/sysbacktrace.42
log/sysbacktrace.43
log/sysbacktrace.44
log/sysbacktrace.45
log/sysbacktrace.46
log/sysbacktrace.47
log/sysbacktrace.48
log/sysbacktrace.49
log/sysbacktrace.50
log/sysbacktrace.51
log/sysbacktrace.52
log/sysbacktrace.53
log/sysbacktrace.54
log/sysbacktrace.55
log/sysbacktrace.56
log/sysbacktrace.57
log/sysbacktrace.58
log/sysbacktrace.59
log/sysbacktrace.60
log/sysbacktrace.61
log/sysbacktrace.62
log/sysbacktrace.63
log/sysbacktrace.64
log/sysbacktrace.65
log/sysbacktrace.66
log/sysbacktrace.67
log/sysbacktrace.68
log/sysbacktrace.69
log/sysbacktrace.70
log/sysbacktrace.71
log/sysbacktrace.72
log/sysbacktrace.73
log/sysbacktrace.74
log/sysbacktrace.75
log/sysbacktrace.76
log/sysbacktrace.77
log/sysbacktrace.78
log/sysbacktrace.79
log/sysbacktrace.80
log/sysbacktrace.81
log/sysbacktrace.82
log/sysbacktrace.83
log/sysbacktrace.84
log/sysbacktrace.85
log/sysbacktrace.86
log/sysbacktrace.87
log/sysbacktrace.88
log/sysbacktrace.89
log/sysbacktrace.90
log/sysbacktrace.91
log/sysbacktrace.92
log/sysbacktrace.93
log/sysbacktrace.94
log/sysbacktrace.95
var/log/sa/sa13
var/log/sa/sa14
var/log/sa/sa15
var/log/sa/sa16
var/log/sa/sa17
var/log/sa/sa18
var/log/sa/sa19
var/log/sa/sa20
var/log/sa/sa21
var/log/sa/sar12
var/log/sa/sar13
var/log/sa/sar14
var/log/sa/sar15
var/log/sa/sar16
var/log/sa/sar17
var/log/sa/sar18
var/log/sa/sar19
var/log/sa/sar20
u01/app/oracle/admin/pndb/bdump/alert_pndb.log
u01/app/oracle/admin/pndb/bdump/pn_app.log
tmp/package-env.txt
tmp/diskUsage.txt

root@ultidesk:~/logs# ls
error-logs.tar.gz  etc  janus-logs.tar.gz  log  opt  tmp  u01  var


3. Now executing grep for a portion of the password that MARS uses to access Windows Devices (password masked with ####). We can see that in this case every iterration of sysbacktrace.X containes 30 occurances of our password (95 files 30 occurances each = 2,850 occurances of our password):

root@ultidesk:~/logs# grep -R -c ######* *
error-logs.tar.gz:0
etc/model:0
janus-logs.tar.gz:0
log/sysbacktrace.84:30
log/sysbacktrace.77:30
log/sysbacktrace.47:30
log/sysbacktrace.82:30
log/sysbacktrace.95:30
log/sysbacktrace.22:30
log/sysbacktrace.40:30
log/sysbacktrace.10:30
log/sysbacktrace.65:30
log/sysbacktrace.74:30
log/sysbacktrace.68:30
log/sysbacktrace.60:30
log/sysbacktrace.37:30
log/sysbacktrace.59:30
log/sysbacktrace.88:30
log/sysbacktrace.01:30
log/sysbacktrace.89:30
log/sysbacktrace.38:30
log/sysbacktrace.16:30
log/sysbacktrace.09:30
log/sysbacktrace.53:30
log/sysbacktrace.13:30
log/sysbacktrace.23:30
log/sysbacktrace.44:30
log/sysbacktrace.06:30
log/sysbacktrace.35:30
log/sysbacktrace.04:30
log/sysbacktrace.67:30
log/sysbacktrace.69:30
log/sysbacktrace.64:30
log/sysbacktrace.66:30
log/sysbacktrace.93:30
log/sysbacktrace.79:30
log/sysbacktrace.51:30
log/sysbacktrace.31:30
log/sysbacktrace.83:30
log/sysbacktrace.29:30
log/sysbacktrace.39:30
log/sysbacktrace.25:30
log/sysbacktrace.85:30
log/sysbacktrace.80:30
log/sysbacktrace.50:30
log/sysbacktrace.73:30
log/sysbacktrace.34:30
log/sysbacktrace.33:30
log/sysbacktrace.90:30
log/sysbacktrace.61:30
log/sysbacktrace.08:30
log/sysbacktrace.46:30
log/sysbacktrace.07:30
log/sysbacktrace.32:30
log/sysbacktrace.30:30
log/sysbacktrace.92:30
log/sysbacktrace.56:30
log/sysbacktrace.03:30
log/sysbacktrace.00:30
log/sysbacktrace.18:30
log/sysbacktrace.21:30
log/sysbacktrace.91:30
log/sysbacktrace.94:30
log/sysbacktrace.54:30
log/sysbacktrace.28:30
log/sysbacktrace.42:30
log/sysbacktrace.05:30
log/sysbacktrace.86:30
log/sysbacktrace.17:30
log/sysbacktrace.75:30
log/sysbacktrace.78:30
log/sysbacktrace.41:30
log/sysbacktrace.55:30
log/sysbacktrace.15:30
log/sysbacktrace.24:30
log/sysbacktrace.14:30
log/sysbacktrace.26:30
log/sysbacktrace.58:30
log/sysbacktrace.43:30
log/sysbacktrace.45:30
log/sysbacktrace.71:30
log/sysbacktrace.52:30
log/sysbacktrace.62:30
log/sysbacktrace.57:30
log/sysbacktrace.11:30
log/sysbacktrace.49:30
log/sysbacktrace.19:30
log/sysbacktrace.63:30
log/sysbacktrace.36:30
log/sysbacktrace.20:30
log/sysbacktrace.48:30
log/sysbacktrace.02:30
log/sysbacktrace.87:30
log/sysbacktrace.27:30
log/sysbacktrace.70:30
log/sysbacktrace.12:30
log/sysbacktrace.72:30
log/sysbacktrace.76:30
log/sysbacktrace.81:30

4. Here is a grep that shows where the password is actually being recorded, it includes the system ip, the domain, the username and the password. (Username, domain, and password have been masked with ###).
root@ultidesk:~/logs# grep -R rpcclient2 * | more
..
log/sysbacktrace.84:0   500  9429  9428  18   0  9244 1328 -      S    ?          0:00 rpcclient2 //10.20.36.233/ -W #### -U #######%############# --param 10.20.36.233 system 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0   500  9432  9431  19   0  9116 1328 -      S    ?          0:00 rpcclient2 //10.4.90.12/ -W #### -U #######%############# --param 10.4.90.12 security 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0   500  9423  9422  18   0  8896 1328 -      S    ?          0:00 rpcclient2 //10.8.32.40/ -W #### -U #######%############# --param 10.8.32.40 system 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0   500  7714  7713  18   0  8776 1328 -      S    ?          0:00 rpcclient2 //10.20.1.93/ -W #### -U #######%############# --param 10.20.1.93 security 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0   500  9813  9812  15   0  8672 1848 -      S    ?          0:00 rpcclient2 //10.16.34.21/ -W #### -U #######%############# --param 10.16.34.21 security 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0   500  9303  9302  19   0  8448 1328 -      S    ?          0:00 rpcclient2 //10.30.25.130/ -W #### -U #######%############# --param 10.30.25.130 system 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0   500  7702  7701  21   0  8392 1328 -      S    ?          0:00 rpcclient2 //10.20.1.97/ -W #### -U #######%############# --param 10.20.1.97 security 1 1 0 RPC-EVENTLOG
..

5. Granted access to the sysbacktrace logs is only possible with ssh access to the box however these logs if attached to a support ticket through email are sent in the clear, or if these log files are routinely dumped and stored the password is avliable in clear text. Additionally in most cases MARS will be monitoring Active Directory data in order to access Domain Controllers Domain Admin rights must be included in the account.


Replies to this exploit:

From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----


From: Eloy Paris elparis@cisco.com
Sent: Fri 21. Aug 2009 13:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ryan,

On Fri, Aug 21, 2009 at 09:24:18AM -0600, ryan.wessels@kohler.com wrote:

> 1. First after logging onto the console either pnlog mailto, or pnlog
> scpto will send the logs off of the box to a destination you specify,
> you can also display the logs using pnlog show.

[...]

> 3. Now executing grep for a portion of the password that MARS uses to
> access Windows Devices (password masked with ####). We can see that in
> this case every iterration of sysbacktrace.X containes 30 occurances
> of our password (95 files 30 occurances each = 2,850 occurances of our
> password):

[...]

> 5. Granted access to the sysbacktrace logs is only possible with
> ssh access to the box however these logs if attached to a support
> ticket through email are sent in the clear, or if these log files are
> routinely dumped and stored the password is avliable in clear text.
> Additionally in most cases MARS will be monitoring Active Directory
> data in order to access Domain Controllers Domain Admin rights must
> be included in the account.

This is definitely a bug; we should not be sending any passwords to any
log file. Ive filed Cisco Bug CSCtb52450 ("Passwords in CS-MARS log
files") against CS-MARS so this problem is taken care of. People can
monitor progress of this bug via the Cisco Bug Toolkit on cisco.com at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450

Note that since the bug has just been created it has not yet propagated
to the Cisco Bug Toolkit application, so it is not currently visible
there. It should become visible within the next 24 hours.

Thanks for the report, and please let me know if you have any questions
or concerns.

Cheers,

- -- 

Eloy Paris
Cisco Product Security Incident Response Team (PSIRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqO0qAACgkQagjTfAtNY9hpqgCcDk4ruXQJawvZvu3AOBMmk6Gv
14IAn1LSuLRaF5NpiT4EJRYESOdzqgjJ
=7zeb
-----END PGP SIGNATURE-----