The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Micro Focus Netware

computer vulnerability announce CVE-2011-4191

NetWare: buffer overflow of XNFS.NLM via RENAME, STAT or NLM_TEST

Synthesis of the vulnerability

A remote attacker can send an NFS packet with a large string, in order to create an overflow in NetWare XNFS.NLM, which leads to a denial of service or to code execution.
Impacted products: Netware.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 24/11/2011.
Revisions dates: 06/01/2012, 09/01/2012, 11/01/2012.
Identifiers: 5117430, 671020, BID-50804, BID-51352, CVE-2011-4191, PRL-2012-01, PRL-2012-02, PRL-2012-03, VIGILANCE-VUL-11177, ZDI-12-006, ZDI-12-007, ZDI-12-011.

Description of the vulnerability

The NFS filesystem is based on RPC (Remote Procedure Call). Parameters of RPC functions are encoded in XDR (eXtended Data Representation) format. This format thus represents booleans, integers, strings, etc.

The XNFS.NLM module implements the NFS service. Its xdrDecodeString() function decodes XDR blocks containing character strings.

The NFS_RENAME procedure renames a file. This procedure takes a filename as a parameter in XDR format. However, if the name is too long, a buffer overflow occurs in xdrDecodeString(). [severity:3/4; BID-50804, PRL-2012-02, ZDI-12-006]

The STAT_NOTIFY procedure returns information on a file. This procedure takes a filename as a parameter in XDR format. However, if the name is too long, a buffer overflow occurs in xdrDecodeString(). [severity:3/4; BID-50804, PRL-2012-01, ZDI-12-007]

The NLM_TEST procedure uses a "caller_name" parameter in XDR format. However, if this parameter is too long, a buffer overflow occurs in xdrDecodeString(). [severity:3/4; BID-51352, PRL-2012-03, ZDI-12-011]

A remote attacker can therefore send an NFS packet with a large string, in order to create an overflow in NetWare XNFS.NLM, which leads to a denial of service or to code execution.

computer vulnerability bulletin 10658

Novell Netware: denial of service via LDAP-SSL

Synthesis of the vulnerability

A remote attacker can create a denial of service via the LDAP-SSL daemon.
Impacted products: Netware.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 16/05/2011.
Identifiers: BID-47858, NSENSE-2011-002, VIGILANCE-VUL-10658.

Description of the vulnerability

An LDAP-SSL daemon is installed with NetWare and listens on port 636.

However, when an attacker opens a socket on port 636, the LDAP-SSL daemon does not properly check the data received on the socket and blindly allocates memory, causing a denial of service.

A remote attacker can therefore create a denial of service via the LDAP-SSL daemon.

computer vulnerability announce CVE-2010-4228

Novell NetWare: buffer overflow of NWFTPD DELE

Synthesis of the vulnerability

An attacker can generate a buffer overflow in the FTP service of NetWare, in order to create a denial of service, and possibly to execute code.
Impacted products: Netware.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Creation date: 21/03/2011.
Identifiers: BID-46922, CVE-2010-4228, VIGILANCE-VUL-10467, ZDI-11-106.

Description of the vulnerability

The NWFTPD.NLM module implements the FTP service of Novell NetWare.

The FTP DELE command deletes a file. The NWFTPD.NLM module does not check the size of its parameter. An authenticated attacker can then create a buffer overflow.

Novell announced that other commands, which do not require authentication, are also impacted by a similar overflow.

An attacker can therefore generate a buffer overflow in the FTP service of NetWare, in order to create a denial of service, and possibly to execute code.

computer vulnerability CVE-2010-4227

NetWare: memory corruption in XNFS.NLM

Synthesis of the vulnerability

A remote attacker can send an NFS packet with a large string, in order to corrupt the memory of NetWare XNFS.NLM, which leads to a denial of service or to code execution.
Impacted products: Netware.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 24/02/2011.
Identifiers: 639926, BID-46535, CERTA-2011-AVI-107, CVE-2010-4227, VIGILANCE-VUL-10395, ZDI-11-090.

Description of the vulnerability

The NFS filesystem is based on RPC (Remote Procedure Call). Parameters of RPC functions are encoded in XDR (eXtended Data Representation) format. This format thus represents booleans, integers, strings, etc.

The XNFS.NLM module implements the NFS service. Its xdrDecodeString() function decodes XDR blocks containing character strings. The string is decoded in two steps: it is first copied and then the '\0' character is set at the end.

If the XDR size is negative, XNFS.NLM does not copy the string, but it still sets the '\0' character at an address located outside the string storage area.

A remote attacker can therefore send an NFS packet with a large string, in order to corrupt the memory of NetWare XNFS.NLM, which leads to a denial of service or to code execution.

vulnerability alert CVE-2009-5153

Novell NetWare: buffer overflow of PKERNEL RPC CALLIT

Synthesis of the vulnerability

A network attacker, who is not authenticated, can send a malicious RPC query to the server, in order to generate a denial of service and possibly to execute code.
Impacted products: Netware.
Severity: 3/4.
Consequences: administrator access/rights, data reading, data creation/edition, data deletion.
Provenance: intranet client.
Creation date: 01/10/2009.
Revision date: 15/11/2010.
Identifiers: 515804, BID-36564, CVE-2009-5153, VIGILANCE-VUL-9061, ZDI-09-067.

Description of the vulnerability

The PKERNEL.NLM (Portmapper) module manages RPC queries. This module is loaded by default, because it is used by the Native File Access feature.

The RPC CALLIT function of PKERNEL.NLM transfers queries to the associated RPC service. However, if a query is malformed, a stack overflow occurs.

A network attacker, who is not authenticated, can therefore send a malicious RPC query to the server, in order to generate a denial of service and possibly to execute code.

computer vulnerability CVE-2010-0625

Novell Netware: buffer overflow of NWFTPD

Synthesis of the vulnerability

An attacker can generate a buffer overflow in the FTP service of Netware, in order to create a denial of service, and possibly to execute code.
Impacted products: Netware.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 30/03/2010.
Revisions dates: 06/04/2010, 07/09/2010.
Identifiers: 3238588, BID-39041, CVE-2010-0625, PRL-2010-03, VIGILANCE-VUL-9545, ZDI-10-062.

Description of the vulnerability

The NWFTPD.NLM module implements the FTP service of Novell Netware.

A path can contain "~user", which is equivalent to the Home Directory of this user.

An attacker, who is allowed to create a directory on the FTP service, can create a directory named "~A/~A/...". The expansion of this path generates an overflow in NWFTPD.NLM when it is used by:
 - RMD: directory deleted
 - RNFR: directory renamed
 - DELE: directory deleted

An attacker can therefore generate a buffer overflow in the FTP service of Netware, in order to create a denial of service, and possibly to execute code.

vulnerability announce 9892

NetWare 6.5: buffer overflow of SSHD.NLM

Synthesis of the vulnerability

An authenticated attacker can generate a buffer overflow in the SSHD service of Netware, in order to create a denial of service, and possibly to execute code.
Impacted products: Netware.
Severity: 2/4.
Consequences: user access/rights, denial of service on server.
Provenance: user account.
Creation date: 01/09/2010.
Identifiers: 7006756, BID-42875, VIGILANCE-VUL-9892, ZDI-10-169.

Description of the vulnerability

The SSHD.NLM module implements the SSH service for Novell Netware.

The SCP and SFTP commands are used to transfer files via SSH. However, SSHD.NLM does not check the size of the paths, which creates a buffer overflow.

An authenticated attacker can therefore generate a buffer overflow in the SSHD service of Netware, in order to create a denial of service, and possibly to execute code.

computer vulnerability 9715

Novell Netware: buffer overflow of CIFS.NLM

Synthesis of the vulnerability

An attacker can generate a buffer overflow in the CIFS service of Netware, in order to create a denial of service, and possibly to execute code.
Impacted products: Netware.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 17/06/2010.
Identifiers: 5076512, BID-40908, SS-2010-006, VIGILANCE-VUL-9715.

Description of the vulnerability

The CIFS.NLM module implements the CIFS/SMB service for Novell Netware.

The Session Setup AndX message is used to send the login (AccountName) and the password to the CIFS server. However, CIFS.NLM does not check the size of the AccountName field, which creates a buffer overflow.

An attacker can therefore generate a buffer overflow in the CIFS service of Netware, in order to create a denial of service, and possibly to execute code.

vulnerability bulletin CVE-2010-0317

Novell Netware: denial of service via AFP and CIFS

Synthesis of the vulnerability

An attacker can generate a memory leak in AFP/CIFS implementations of Novell Netware, in order to generate a denial of service.
Impacted products: Netware.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 06/01/2010.
Identifiers: BID-37616, CVE-2010-0317, PRL-2009-27, VIGILANCE-VUL-9323.

Description of the vulnerability

The CIFS.NLM and AFPTCP.NLM modules implement the following protocols:
 - CIFS/SMB - port 139/tcp and 445/tcp: Microsoft Windows file sharing
 - AFP (Apple Filing Protocol) - port 548/tcp: Apple file sharing (AppleShare)

When these modules receive malformed packets, the packets are ignored. However, not all of the allocated memory areas are freed.

An attacker can therefore generate a memory leak in the AFP/CIFS implementations of Novell Netware, in order to generate a denial of service.

computer vulnerability announce CVE-2009-0696

BIND: denial of service of Dynamic Update

Synthesis of the vulnerability

An attacker can send a DNS Dynamic Update packet to a BIND server, which is master for a zone, in order to stop it, even if it is not configured for Dynamic Updates.
Impacted products: Debian, Fedora, FreeBSD, Tru64 UNIX, HP-UX, AIX, BIND, Mandriva Linux, Mandriva NF, NetBSD, Netware, OpenBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, TurboLinux, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 29/07/2009.
Identifiers: 264828, 538975, 6865903, BID-35848, c01835108, c01837667, CERTA-2009-AVI-302, CERTA-2009-AVI-413, CVE-2009-0696, DSA-1847-1, FEDORA-2009-8119, FreeBSD-SA-09:12.bind, HPSBTU02453, HPSBUX02451, MDVSA-2009:181, NetBSD-SA2009-013, RHSA-2009:1179-02, RHSA-2009:1180-01, RHSA-2009:1181-01, SSA:2009-210-01, SSRT090137, SSRT091037, SUSE-SA:2009:040, TLSA-2009-22, VIGILANCE-VUL-8897, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VU#725188.

Description of the vulnerability

A Dynamic Update packet is used to update records in a DNS server.

A DNS server can be authoritative (master or slave) for a zone.

There are several types of DNS requests: A, PTR, ANY, etc.

When BIND is configured as master for a zone, an attacker can send it a DNS Dynamic Update packet of type ANY for one of its RR records. The dns_db_findrdataset() function of the db.c file checks this packet before checking whether Dynamic Updates are allowed for this zone. However, as the packet is of type ANY (which is invalid in this case), an assertion error occurs in this function and stops BIND.

An attacker can therefore send a DNS Dynamic Update packet to a BIND server, which is master for a zone, in order to stop it, even if it is not configured for Dynamic Updates.

It can be noted that this vulnerability cannot be used to stop slave servers, so the DNS service is still partially alive.