===============================================================
Layered Defense Advisory 1 December 2006
===============================================================
1) Affected Software
Novell Client 4.91 SP2
Novell Client 4.91 SP2 Patch Kit “C”
Novell Client 4.91 SP3
Earlier versions may also be vulnerable
===============================================================
2) Severity
Rating: Low - Medium risk
Impact: Read arbitrary memory, denial of service.
===============================================================
3) Description of Vulnerability
A format string vulnerability was discovered in Novell Client 4.91. The flaw is caused by improper handling of format
strings in the NMAS (Novell Modular Authentication Services) information message window. An attacker who enters a
specially crafted format string in the Username field of the Novell logon dialog and then selects Sequences under the
NMAS tab can read data from the winlogon process stack, read from arbitrary memory, or at a minimum cause a denial of
service. Because the logon dialog runs inside winlogon, the memory disclosed belongs to that process; the proof of
concept described in section 5 used this to retrieve an RSA private key from process memory.
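The bug class behind this advisory, shown as an added example that is not Novell's code and not part of the original advisory: a message formatter that reuses attacker-controlled text as a printf format string, the same formatter with the fix, and a small check that flags usernames carrying format directives (useful as an input filter or as a detection rule over logon logs). The function names, the "Login failed for" message and the two NEIGHBOUR_* values standing in for data that happens to sit on the stack are assumptions made for illustration.

```c
/* Added example (not Novell's code): the format-string bug class behind this
 * advisory. A username is first embedded in a message (safe), then the
 * assembled message is reused as the format string (the bug). Names, the
 * message text and the NEIGHBOUR_* values are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

/* Stand-ins for whatever sits on the stack above the variadic call. In the
 * real bug these would be winlogon data (the PoC pulled out an RSA key). */
#define NEIGHBOUR_A 0xdeadbeefu
#define NEIGHBOUR_B 0x41414141u

/* VULNERABLE: the assembled message becomes the format string, so any %x, %s
 * or %n the attacker typed as a username is interpreted by snprintf. The two
 * extra arguments are passed only to keep this demo well defined; the real
 * bug passes none, and each %x reads the next word off the stack, while %s
 * dereferences a stack word (arbitrary read or crash) and %n writes memory.
 * Do not feed this function a username with more than two %x directives. */
int vulnerable_message(char *out, size_t outsz, const char *username)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Login failed for %s", username);  /* fine */
    return snprintf(out, outsz, msg, NEIGHBOUR_A, NEIGHBOUR_B);   /* bug */
}

/* FIXED: the format string is always a literal; user text is only ever an
 * argument, so "%08x.%08x" is printed back verbatim. */
int fixed_message(char *out, size_t outsz, const char *username)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Login failed for %s", username);
    return snprintf(out, outsz, "%s", msg);
}

/* Returns 1 if s contains a format directive: any '%' that is not part of a
 * literal "%%" pair. A dangling '%' at the end of the string also counts,
 * because printf behaviour on it is undefined. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is just a literal percent sign */
            s++;
            continue;
        }
        return 1;               /* "%x", "%s", "%n", or a dangling "%" */
    }
    return 0;
}

int main(void)
{
    const char *names[] = { "jdoe", "50%% off", "%08x.%08x", "%n" };
    char buf[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("username %-10s  directive=%d\n", names[i],
               has_format_directive(names[i]));   /* name is data here */

    /* Only the two-%x input is safe to run through the vulnerable path. */
    vulnerable_message(buf, sizeof buf, "%08x.%08x");
    printf("vulnerable: %s\n", buf);   /* leaks NEIGHBOUR_A and NEIGHBOUR_B */
    fixed_message(buf, sizeof buf, "%08x.%08x");
    printf("fixed:      %s\n", buf);   /* echoes the directives as text */
    return 0;
}
```

The vulnerable path prints "Login failed for deadbeef.41414141": the two directives consumed the two arguments, which is exactly how a chain of %08x walks up the stack in the real bug. The fixed path prints the username literally. The same one-line change (a literal "%s" format) is the whole fix; the detection helper is a secondary control for logging or rejecting hostile usernames and is not a substitute for it.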
===============================================================
4) Solution
Fix:
Novell Client 4.91 SP3: 491psp3_loginw32.exe
http://support.novell.com/servlet/filedownload/sec/ftf/491psp3_loginw32.exe
Novell Client 4.91 SP2: 491psp2_login_5.exe
http://support.novell.com/servlet/filedownload/sec/ftf/491psp2_login_5.exe
===============================================================
5) Time Table
07/15/2006 – Reported vulnerability to vendor.
08/21/2006 – Vendor released Novell Client 4.91 SP2 Patch Kit "C", which made the vulnerability worse (the patch made it easier to read arbitrary memory).
09/17/2006 – Contacted vendor about the increased risk with SP2 Patch Kit "C".
11/28/2006 – Received the following message from vendor:
At this point in time, development has determined this is a very low priority and apparently it will be some time before the issue is addressed. I have reported this to our Security Review Board so development's claim can be re-examined. As such, you certainly have every right to publish your findings at this time. The bug will remain open against the product. Hopefully this can be fixed in the near future.
11/30/2006 – Supplied vendor with a proof of concept that retrieved the RSA private key out of process memory.
12/12/2006 – Vendor supplied a fix.
===============================================================
6) Credits
Discovered by Deral Heiland, www.LayeredDefense.com
===============================================================
7) References
CVE Reference:
CVE-2006-6306 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6306
===============================================================
8) About Layered Defense
Layered Defense is a group of security professionals who work together on ethical research, testing and training within
the information security arena. http://www.layereddefense.com
===============================================================
