Environment
Novell iManager 2.7.3 FTF3 and prior
Situation
Novell iManager has two specific flaws that result in a stack-based buffer overflow vulnerability that can be exploited by authenticated users to execute arbitrary code, and to an off-by-one error that can be abused by remote, unauthenticated attackers to cause a Denial of Service to the application.
Stack-based buffer overflow:
Novell iManager provides a feature to create classes, under the 'Schema' menu. The class name is intended to have a maximum length of 32 characters. This limitation is enforced on the client side by setting a 'maxlength' property with a value of 32 in the proper form field, but no verification is performed on the server side to ensure that the user-defined class name is, at most, 32 characters long.
Off-by-one error:
*Note is issue has only been reproduced on the Windows version of iManager
There is an off-by-one error in the code that handles the login process, that can be abused by remote, unauthenticated users to crash the iManager web server, thus denying the service to legitimate users.
Stack-based buffer overflow:
Novell iManager provides a feature to create classes, under the 'Schema' menu. The class name is intended to have a maximum length of 32 characters. This limitation is enforced on the client side by setting a 'maxlength' property with a value of 32 in the proper form field, but no verification is performed on the server side to ensure that the user-defined class name is, at most, 32 characters long.
Off-by-one error:
*Note is issue has only been reproduced on the Windows version of iManager
There is an off-by-one error in the code that handles the login process, that can be abused by remote, unauthenticated users to crash the iManager web server, thus denying the service to legitimate users.
Resolution
This vulnerability is resolved by applying iManager 2.7.4 available at https://dl.netiq.com or available plugins in iManager configuration.
Status
Reported to EngineeringSecurity Alert
Additional Information
This vulnerability is reported as CORE-2010-0316 by CoreLabs, the research center of Core Security Technologies.