Novell Client 4.91 Format String Vulnerability

2006.12.07
Credit: dh layereddefense com
Risk: Low
Local: Yes
Remote: Yes
CVE: CVE-2006-6306
CWE: CWE-Other


CVSS Base Score: 1.2/10
Impact Subscore: 2.9/10
Exploitability Subscore: 1.9/10
Exploit range: Local
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

================================================== Layered Defense Advisory 1 December 2006 ================================================== 1) Affected Software Novell Client 4.91 SP2 Novell Client 4.91 SP2 Patch Kit Novell Client 4.91 SP3 Earlier versions may also be vulnerable ================================================== 2) SeverityRating: Low - Medium risk Impact: Read arbitrary memory, denial of service. ================================================== 3) Description of Vulnerability A format string vulnerability was discovered within Novell client 4.91 . The vulnerability is due to improper processing of format strings within NMAS (Novell Modular Authentication Services) Information message window. An attacker who enters special crafted format strings in the Username field at the Novell logon and selects Sequences under the NMAS tab can read data from the winlogon process stack or read from arbitrary memory, and at a minimum cause a denial of service. ================================================== 4) Solution Fix: Presently no patch is available. Work around: Disable NMAS Authentication ================================================== 5) Time Table: 07/15/2006 Reported Vulnerability to Vendor. 08/21/2006 Vendor released Novell Client - 4.91 SP2 Patch Kit which made the vulnerability worse. (This patch made it easier to read arbitrary memory) 09/17/2006 Contacted Vendor about increased risk with SP2 Patch Kit 11/28/2006 Received the following message from Vendor : At this point in time, development has determined this is a very low priority and apparently it will be some time before the issue is addressed. I have reported this to our Security Review Board so development's claim can be re-examined. As such, you certainly have every right to publish your findings at this time. The bug will remain open against the product. Hopefully this can be fixed in the near future ================================================== 6) CreditsDiscovered by Deral Heiland, www.LayeredDefense.com ================================================== 7) About Layered DefenseLayered Defense, Is a group of security professionals that work together on ethical Research, Testing and Training within the information security arena. http://www.layereddefense.com ==================================================


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top