Home / os / wins2003

NetIQ eDirectory NDS iMonitor 8.8 SP8 / 8.8 SP7 XSS / Memory Disclosure

Posted on 20 December 2014

SEC Consult Vulnerability Lab Security Advisory < 20141219-0 > ======================================================================= title: XSS & Memory Disclosure product: NetIQ eDirectory NDS iMonitor vulnerable version: 8.8 SP8, 8.8 SP7 fixed version: 8.8 SP8 HF 4, fix available for versions 8.8 SP7 (8.8.7.4 HF 4, 8.8.7.6 HF 3) CVE number: CVE-2014-5212, CVE-2014-5213 impact: High homepage: https://www.netiq.com/ found: 2014-10-29 by: W. Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ----------------------------- "eDirectory(TM) is a full-service, secure LDAP directory providing incredible scalability and an agile platform to run your organization's identity infrastructure and multi-platform network services." URL: https://www.netiq.com/products/edirectory/ Business recommendation: ------------------------ An attacker without an account on the NetIQ eDirectory NDS iMonitor is able to gain administrative access by luring an authenticated administrator to visit an attacker-controlled web site. Moreover, an authenticated attacker is able to retrieve internal data which potentially contains sensitive data. As the NetIQ eDirectory is often used to maintain a centralized user database it is a very attractive target for an attacker. By compromising this system, an attacker may be able to conduct further attacks on other systems. SEC Consult recommends to immediately conduct a full security review of this software, especially if used as a centralized user database. Vulnerability overview/description: ----------------------------------- 1) Memory Disclosure (CVE-2014-5213) Using crafted HTTP requests an administrative user can retrieve parts of the virtual memory from the service. This potentially discloses secret data like passwords. 2) Reflected Cross Site Scripting (XSS, CVE-2014-5212) A reflected cross site scripting vulnerability was identified. An attacker could take over the user account of a valid administrator. Proof of concept: ----------------- 1) Memory Disclosure (CVE-2014-5213) When accessing the following URL as an authenticated user, parts of the virtual memory can be retrieved: https://<host>:8030/nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images 2) Reflected Cross Site Scripting (XSS, CVE-2014-5212) The following URL demonstrates a reflected XSS flaw: https://<host>:8030/nds/search/data?scope=st&rdn=%3C/script%20%3E%3Cscript%20%3Ealert%28%22XSS%22%29%3C/script%20%3E Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in the NetIQ eDirectory NDS iMonitor version 8.8 SP8, which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2014-10-29: Contacting security@netiq.com, sending responsible disclosure policy and PGP keys 2014-10-29: Vendor redirects to security@novell.com, providing PGP keys through Novell support page 2014-10-30: Sending encrypted security advisory to Novell 2014-10-30: Novell acknowledges the receipt of the advisory 2014-11-18: Novell: the vulnerabilities have been fixed by development; the patches will be release end of November 2014-12-08: Novell: the release has been pushed to Dec. 8th 2014-12-09: Novell: the release 8.8.8.4 should be released tomorrow; The hotfix for 8.8.7.6 is still pending 2014-12-17: Verifying release of advisory; asking whether patches have been released 2014-12-18: Novell: Patches have been released 2014-12-19: Coordinated release of security advisory Solution: --------- Update to the release 8.8.8.4 or apply fix for versions 8.8 SP 7. Workaround: ----------- No workaround available. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested to work with the experts of SEC Consult? Write to career@sec-consult.com EOF W. Ettlinger / @2014

 

TOP