Security Issue SQL Unauthenticated Vulnerability Note

Earlier we announced that the SQL vulnerability issue had been resolved by adding a Read/Write security control to the database configuration; however, security researcher Dan Rosenberg of VSR reported that the vulnerability was not fully patched. We had to put this issue aside because we had already put too many other feature requests on hold, and when we returned to merge the security fix into the production line we were held up by crash issues with the fix and, worse still, ran into an unwelcome problem caused by a breaking change in the ADO update KB983246 (included in Windows 7 Service Pack 1).

After the vulnerability was fixed, we ourselves were confused by the default configuration, which had no Write security control. Finally, after more tests and clarification from our developer and the analysts, ICS-CERT confirmed by email last week that the reported SQL Unauthenticated Vulnerability has been resolved, just before we would have needed to set up a conference call with the ICS-CERT analysts.

ICS-CERT mail thread

By the time ICS-CERT confirmed that the issue had been *completely* resolved, the correspondence on this single vulnerability had accumulated to 53 messages spanning three months. So far this is the vulnerability we have found most tedious to resolve, and again we thank ICS-CERT for helping us verify the fix.

Because of the confusion that arose, we have decided to accept ICS-CERT's recommendation to make the Write security level default to 100, while the Read level remains 0, which is open to world reading. This means that, starting from Release Candidate version 3.60.4042 and all later versions, a guest user is by default no longer allowed to acknowledge alarms or delete any report.
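To make the effect of the new defaults concrete, here is a small added illustration of a level-based Read/Write check (written for this note; it is not the product's own code). The operation names, the user level numbers and the "old default" of Write level 0 are assumptions; the new defaults (Read 0, Write 100) are the values stated above.

```python
# Added illustration, not the product's code: a minimal model of a
# level-based Read/Write access check. A user may perform an operation
# only if their level is at least the level the policy requires for
# that operation class.

READ_OPS = {"view_alarm", "view_report"}          # assumed operation names
WRITE_OPS = {"acknowledge_alarm", "delete_report"}  # assumed operation names

# Constructed "old default": no effective Write control, so anyone can write.
OLD_DEFAULT = {"read_level": 0, "write_level": 0}
# New default as stated in the note: Read stays open, Write requires 100.
NEW_DEFAULT = {"read_level": 0, "write_level": 100}

# Constructed sample users; the guest account is assumed to have level 0.
USERS = {"guest": 0, "operator": 100}


def required_level(policy, operation):
    """Return the level the policy requires for this operation."""
    if operation in READ_OPS:
        return policy["read_level"]
    if operation in WRITE_OPS:
        return policy["write_level"]
    raise ValueError(f"unknown operation: {operation}")


def is_allowed(policy, user_level, operation):
    """True if a user with user_level may perform the operation."""
    return user_level >= required_level(policy, operation)


def audit(policy, users=USERS):
    """Map every (user, operation) pair to whether the policy allows it."""
    return {(name, op): is_allowed(policy, level, op)
            for name, level in users.items()
            for op in sorted(READ_OPS | WRITE_OPS)}


def guest_write_ops_allowed(policy):
    """Write operations a guest (level 0) can perform under this policy."""
    return sorted(op for op in WRITE_OPS if is_allowed(policy, USERS["guest"], op))
```

Running `guest_write_ops_allowed` against both policies shows the guest able to acknowledge alarms and delete reports under the old default and denied both under the new one, while reads stay open in both.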