LMS 2.6 app security issues

Aug 28th, 2007

LMS 2.6 is using TACACS for authentication only. Just got two emails addressed to LMS admin, user1 (approver/network operator/network admin), and user2 (guest):

Admin or job owner has cancelled/deleted the following job:
Job Id: 1255
Job Description: Config Sync Cleanup
Job Schedule: At 07 May 2007, 06:45:00 EDT
Server: server1
Server Time-Zone: Eastern Standard Time(GMT -04:00:00)

Admin or job owner has cancelled/deleted the following job:
Job Id: 1240
Job Description: Config Sync
Job Schedule: At 30 Apr 2007, 06:15:00 EDT
Server: server1
Server Time-Zone: Eastern Standard Time(GMT -04:00:00)


After looking long and hard in CS and RME, I can't find any trace of these jobs any longer. Now I'll look on the test box with an older copy of the prod LMS db to see about restoring the two jobs.


It's incredible if either of the two non-admin users was able to delete these system jobs. On the other hand, I'd not be terribly surprised, since I've found that users with "network admin" privileges can change the LMS db backup location, and the transport setting used by all RME jobs. IMO, those types of functions should never be exposed to "network admin" users.

Joe Clarke Tue, 08/28/2007 - 20:06

These jobs could have been deleted by the job owner. What does the audit trail under RME > Reports > Report Generator > Audit Trail say?

yjdabear Wed, 08/29/2007 - 05:30

The job owner was Admin, but I wasn't aware of any job deletion/cancellation by Admin.


Audit Trail (for all users/activities) reports no surprises. Those two email notifications were received at 18:50 sharp.


Showing 1-17 of 17 records

User Name | Application Name | Server Name | Creation Time | Description
1. admin | Archive Mgmt | 10.xx.xx.xx | Aug 28 2007 16:37:06 | Deploy Protocol Order changed from SSH,SCP,TFTP,TELNET to SSH,SCP,TFTP
2. admin | Archive Mgmt | 10.xx.xx.xx | Aug 28 2007 16:36:57 | Fetch Protocol Order changed from SSH,SCP,TFTP,TELNET to SSH,SCP,TFTP
3. admin | ConfigEditor | 10.xx.xx.xx | Aug 28 2007 16:37:29 | Fetch Protocol Order changed from SSH,SCP,TFTP,TELNET to SSH,SCP,TFTP
4. admin | ConfigEditor | 10.xx.xx.xx | Aug 28 2007 16:37:40 | Deploy Protocol Order changed from SSH,SCP,TFTP,TELNET to SSH,SCP,TFTP
5. admin | NetConfig | 10.xx.xx.xx | Aug 28 2007 16:38:08 | Fetch Protocol Order changed from SSH,SCP,TFTP,TELNET to SSH,SCP,TFTP
6. admin | NetConfig | 10.xx.xx.xx | Aug 28 2007 16:38:17 | Deploy Protocol Order changed from SSH,SCP,TFTP,TELNET to SSH,SCP,TFTP
7. admin | NetShow | 10.xx.xx.xx | Aug 28 2007 16:38:42 | Deploy Protocol Order changed from TELNET to SSH
8. admin | CDA | lms-server | Aug 28 2007 16:56:46 | Changed schedule for CDA purge job.
9. admin | Archive Mgmt | lms-server | Aug 28 2007 16:58:51 | Scheduled purge job for ArchiveMgmt at Aug 28 2007 18:50:00 with Job schedule type as Daily. Jobs older than 60 will be deleted.
10. admin | Archive Mgmt | lms-server | Aug 28 2007 16:58:59 | Scheduled purge job for ArchiveMgmt at Aug 28 2007 18:50:00 with Job schedule type as Daily. Jobs older than 60 will be deleted.
11. admin | Archive Mgmt | lms-server | Aug 28 2007 16:59:15 | Scheduled purge job for ArchiveMgmt at Aug 28 2007 18:50:00 with Job schedule type as Daily. Jobs older than 60 will be deleted.
12. admin | Archive Mgmt | lms-server | Aug 28 2007 16:59:19 | Scheduled purge job for ArchiveMgmt at Aug 28 2007 18:50:00 with Job schedule type as Daily. Jobs older than 60 will be deleted.
13. admin | Archive Mgmt | lms-server | Aug 28 2007 16:59:23 | Scheduled purge job for ArchiveMgmt at Aug 28 2007 18:50:00 with Job schedule type as Daily. Jobs older than 60 will be deleted.
14. admin | Syslog Analyzer Service | lms-server | Aug 28 2007 19:59:48 | Subscribed with the collector:pssva030
15. admin | Syslog Analyzer Service | lms-server | Aug 28 2007 19:59:48 | Subscribed with the collector:pssva030
16. admin | ICServer | lms-server | Aug 28 2007 21:50:13 | ICServer Job ID 1236.63 Deleted
17. admin | ICServer | lms-server | Aug 28 2007 21:50:15 | ICServer Job ID 1329 Deleted


Edit: One more piece of info that might shed some light: I adjusted the Archive Management Jobs in RME -> Admin -> System Pref - Job Purge Enabled 60 1197 Aug 29 2007 down from 180 days to 60 days. It's scheduled at 18:50:00. Could that have been the cause?

Joe Clarke Wed, 08/29/2007 - 08:37

Sure, if the job purge job is running at 18:50, that would account for the deleted jobs. What I find disconcerting is that an audit trail entry was not built for this (an entry was only built when the job was scheduled, which you do see). You can confirm this was the case by looking at the cjp.log (for config job purge jobs only).

yjdabear Wed, 08/29/2007 - 09:36

Yep, found the trail in cjp.log:

[ Tue Aug 28 18:50:14 EDT 2007 ],INFO ,[main],com.cisco.nm.rmeng.config.ccjs.jobmanager.ConfigJobPurge,deleteJobs,266,Job deleted successfully 1255
[ Tue Aug 28 18:50:15 EDT 2007 ],INFO ,[main],com.cisco.nm.rmeng.config.ccjs.jobmanager.ConfigJobPurge,deleteJobs,266,Job deleted successfully 1240


Does it mean their deletions should've shown up in the Audit Trail report?


Joe Clarke Wed, 08/29/2007 - 09:42

I think they should have, but the code doesn't lie. The code needed to add audit trail records is not there.
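Since the purge job leaves no Audit Trail record, a compensating check is to reconcile cjp.log against the Audit Trail report and flag any purge deletion that the report does not account for. This is an added example, not code from the thread or from LMS; the sample log lines and report rows are constructed in the shape quoted above, and the column layout of the report is assumed.

```python
import re

# Constructed sample input in the format of the cjp.log lines quoted in the thread.
CJP_LOG = """\
[ Tue Aug 28 18:50:14 EDT 2007 ],INFO ,[main],com.cisco.nm.rmeng.config.ccjs.jobmanager.ConfigJobPurge,deleteJobs,266,Job deleted successfully 1255
[ Tue Aug 28 18:50:15 EDT 2007 ],INFO ,[main],com.cisco.nm.rmeng.config.ccjs.jobmanager.ConfigJobPurge,deleteJobs,266,Job deleted successfully 1240
"""

# Constructed sample rows in the shape of the Audit Trail report:
# user, application, server, creation time, description (one row per line).
AUDIT_TRAIL = """\
admin ICServer lms-server Aug 28 2007 21:50:13 ICServer Job ID 1236.63 Deleted
admin ICServer lms-server Aug 28 2007 21:50:15 ICServer Job ID 1329 Deleted
"""

# Fields of a cjp.log line: [ timestamp ],LEVEL ,[thread],class,method,line,message
CJP_RE = re.compile(
    r"^\[ (?P<ts>[^\]]+) \],(?P<level>\w+)\s*,\[[^\]]*\],(?P<cls>[^,]+),"
    r"(?P<method>[^,]+),\d+,Job deleted successfully (?P<job>\d+)"
)
# Audit Trail deletion records name the job as "Job ID <id> Deleted".
AUDIT_RE = re.compile(r"Job ID (?P<job>[\d.]+) Deleted")


def purge_deletions(log_text):
    """Map job id -> timestamp for every job ConfigJobPurge reports as deleted."""
    deleted = {}
    for line in log_text.splitlines():
        m = CJP_RE.match(line)
        if m:
            deleted[m.group("job")] = m.group("ts")
    return deleted


def audited_deletions(report_text):
    """Set of job ids the Audit Trail report records as deleted."""
    return {m.group("job") for m in map(AUDIT_RE.search, report_text.splitlines()) if m}


def unaudited_purges(log_text, report_text):
    """Purge deletions that have no matching Audit Trail record."""
    audited = audited_deletions(report_text)
    return {job: ts for job, ts in purge_deletions(log_text).items() if job not in audited}


if __name__ == "__main__":
    for job, ts in sorted(unaudited_purges(CJP_LOG, AUDIT_TRAIL).items()):
        print(f"job {job} purged at {ts} with no Audit Trail entry")
```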
