

   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2009-36
Novell eDirectory Management Console Accept-Language Request Buffer Overflow Vulnerability

Original Issue Date: March 19, 2009

Severity Rating: High

Systems Affected

  • Novell eDirectory 8.8.3 prior to patch 8.8.3 FTF3
  • Novell eDirectory 8.8.4 prior to patch 8.8.4 FTF1
  • Novell eDirectory 8.7.3 prior to patch 8.7.3.10b Hotfix 1

Overview

A buffer overflow vulnerability has been reported in the iMonitor component of Novell eDirectory which can be exploited by malicious people to execute arbitrary code on the victim system.

Description

Novell iMonitor provides cross-platform monitoring and diagnostic capability to all servers in the eDirectory tree and monitors servers from any location on the network where a Web browser is available.

This vulnerability is due to a boundary condition error when processing certain incoming HTTP requests. A remote unauthenticated attacker can exploit the vulnerability by sending a malicious HTTP request to the target system.

A successful attack leads to arbitrary code execution on the target host with System or root privileges. An unsuccessful attack can create a Denial of Service (DoS) condition for the Novell eDirectory server.
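A defender-side check tied to the header named in this note's title, added here as an example and not part of the CERT-In note or of any Novell code: it parses raw HTTP request headers (constructed samples, not captured traffic) and flags an Accept-Language value that is oversized or does not match the language-range syntax a browser would send. The 512-byte threshold is an assumption, since the note does not state the overflow boundary.

```python
import re

# Threshold is an assumption: browsers send Accept-Language values of a few
# dozen bytes, so anything this long is anomalous regardless of the exact
# overflow boundary (which the note does not state).
MAX_ACCEPT_LANGUAGE = 512

# Accept-Language syntax per RFC 2616: comma-separated language ranges with
# optional q-values, e.g. "en-US,en;q=0.8". Anything else is suspicious.
LANG_RANGE = re.compile(
    r'^(\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*)'
    r'(\s*;\s*q=(0(\.\d{0,3})?|1(\.0{0,3})?))?$'
)


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, {name: value}); names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_accept_language(raw):
    """Return a list of findings for one request; an empty list means nothing anomalous."""
    request_line, headers = parse_headers(raw)
    value = headers.get("accept-language")
    findings = []
    if value is None:
        return findings
    if len(value) > MAX_ACCEPT_LANGUAGE:
        findings.append(f"oversized Accept-Language ({len(value)} bytes) in {request_line}")
    bad = [r for r in value.split(",") if not LANG_RANGE.match(r.strip())]
    if bad:
        findings.append(f"malformed Accept-Language ranges ({len(bad)}) in {request_line}")
    return findings


# Constructed sample requests; the host name is a placeholder.
NORMAL = "GET /nds HTTP/1.1\r\nHost: imonitor.example\r\nAccept-Language: en-US,en;q=0.8\r\n\r\n"
OVERSIZED = "GET /nds HTTP/1.1\r\nHost: imonitor.example\r\nAccept-Language: " + "A" * 2000 + "\r\n\r\n"

if __name__ == "__main__":
    for req in (NORMAL, OVERSIZED):
        print(check_accept_language(req) or ["ok"])
```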

Workaround

  • Restrict access to the affected communication port to trusted hosts and networks only

Solution

Novell eDirectory 8.8 SP3:
Apply the patch as described in Novell Downloads - eDirectory

Vendor Information

Novell
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5042342.html
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5042341.html
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5042340.html

References

Novell
http://www.novell.com/products/edirectory/
http://www.novell.com/support/viewContent.do?externalId=7001907

SecurityFocus
http://www.securityfocus.com/bid/33928/

SecurityReason
http://securityreason.com/wlb_show/WLB-2009030005


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003