Postgres service

This comment was originally posted on DCIM Support by Fabio Díaz on 2019-12-18

Information sent by the customer:

What version of DCE is the customer running? If they are not up to date, please update the system and re-verify the issue they claim to see.

R: Versión 7.6.0

How are they accessing the system?

R: StruxureWare Data Center Expert 7.6.0

How are they connecting to the database?

R:  This connection of the internal network between the Server and the database.

What tools are they using that shows we have a vulnerability?

R: Nexpose

If there is a specific vulnerability, please provide specific detail about that vulnerability.

R: The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.6 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms.

If there is some type of output from a tool they are using, please provide that output.

R: Restrict database access. Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ

(CID:152570927)

This comment was originally posted on DCIM Support by Steven Marchetti on 2019-12-18

Hi Fabio,

The client does not directly access the database. Using an API and login credentials, the thick client or web interface access the system but not the database directly. The only way to access the database would be by using root access to the server and this is not permitted. We do not provide root access to customers.

DCE does not have an option to limit access by IP but it does limit by user. In response to the following comment:

For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ

Placing the database in an internal network zone segregated from the DMZ is a customer network configuration and not a DCE configuration. This is something they are responsible for, not us.

I don't see information on how they're accessing the database. As I mentioned, the client or web interface uses an API to retrieve information and these answers don't really show anything different:

How are they accessing the system?

R: StruxureWare Data Center Expert 7.6.0

How are they connecting to the database?

R:  This connection of the internal network between the Server and the database.

I'm assuming that's just the client application. If the logged in user does not have the proper rights as defined in DCE, they can not access the system or it's data.

So again, they need to be able to limit access via their network. There does not appear to be a true CVE vulnerability that must be resolved by engineering. 

I can enter an enhancement request on behalf of the customer but I've not seen anyone else reference any issues with access in this way so I can't promise anything will be done about this. Having some customer information may also be helpful.

Steve

(CID:152570932)