[NEWS] Novell eDirectory NCP Fragment DoS Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Novell eDirectory NCP Fragment DoS Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.novell.com/products/edirectory/> Novell eDirectory is "a
cross-platform lightweight directory access protocol (LDAP) server. In
addition to LDAP, eDirectory also implements NCP over IP". Remote
exploitation of a denial of service (DoS) vulnerability in Novell Inc.'s
eDirectory product could allow an attacker to force the running daemon to
cease servicing requests.

DETAILS

Vulnerable Systems:
* Novell Inc.'s eDirectory server with FTF1 applied version 8.8.1

The problem specifically exists within the NCP functionality of
eDirectory. Sending a sequence of specially crafted fragmented requests
will cause a DoS condition.

If the input is crafted properly, eDirectory will report to its error log
that a fragment has been received with an invalid length. The error
message includes the contents of the fragments in hexadecimal notation.
However, if the length is negative, eDirectory will try to dump data to
the log indefinitely. This results in a large amount of data being saved
to the log. Once the end of the heap segment is reached, a memory access
violation will occur and the server process will crash.

Analysis:
Successful exploitation of this vulnerability could allow an attacker to
crash the server process. No credentials are required. Repeated attacks
could allow the attacker to cause excessive disk space usage.

Vendor response:
Novell has addressed this problem within FTF2 for eDirectory 8.8.1. More
information is available in Novell Document ID 3924657 at the following
URL.

<http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3924657&sliceId=SAL_Public> http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3924657&sliceId=SAL_Public

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4520>
CVE-2006-4520

Disclosure Timeline:
08/17/2006 - Initial vendor notification
08/18/2006 - Initial vendor response
10/21/2006 - Second vendor notification
10/23/2006 - Vendor response
12/06/2006 - Third vendor notification
12/18/2006 - Vendor response
03/21/2007 - Fourth vendor notification
04/25/2007 - Fifth vendor notification
04/25/2007 - Vendor advised that the fix was in FTF2
04/26/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=518>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=518



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages