Environment
Novell NetWare 6.5 Support Pack 2
Novell NetWare 6.5 Support Pack 3
Novell NetWare 6.0
Novell NetWare 5.1
Situation
Object dddddddddddddddddddd shows up for no reason and
after object is deleted, it comes back.
A vulnerability has been reported in NetWare, which can be
exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to an unspecified error in CIFS.NLM when handling password lengths and can be exploited to crash the service.
The vulnerability has been reported in NetWare 5.1, 6.0, 6.5 SP2 and 6.5 SP3.
NOTE: The "worm_rbot.ccc" worm, which exploits a Windows vulnerability, may reportedly trigger this vulnerability.
The vulnerability is caused due to an unspecified error in CIFS.NLM when handling password lengths and can be exploited to crash the service.
The vulnerability has been reported in NetWare 5.1, 6.0, 6.5 SP2 and 6.5 SP3.
NOTE: The "worm_rbot.ccc" worm, which exploits a Windows vulnerability, may reportedly trigger this vulnerability.
Resolution
1) All Novell servers will have to unload the CIFS module or be upgradedto the latest CIFS module. New CIFS modules do not have thevulnerability.
2) On all servers with replicas, stop DS synchronization:
set dstrace=!d
set dstrace=!s0 (The last
character is a zero)
3) Go to each server with a replica and
load DSBROWSE -A | TREE BROWSE to the object, hit F3
and delete selectedobject.
4) Re-enable DS synchronization:
set dstrace=!e
set dstrace=!s1
5) Run DSREPAIR | ADVANCED OPTIONS MENU | REPAIR LOCAL DS DATABASE | F10 on those boxes to clear any 601 errors.
6) Find the infected workstation and clean it up.