ZDI-CAN-2699/CVE-2015-0795 NetIQExecObject.NetIQExec.1 SafeShellExecute Stack Buffer Overflow Remote Code Execution Vulnerability

  • Document ID:7016656
  • Creation Date:07-Jul-2015
  • Modified Date:09-Jul-2015
    • Micro Focus Products:
      Security Solutions for iSeries

Environment

NetIQ Security Solutions for iSeries 8.1

Situation

ZDI-CAN-2699: NetIQ Security Solutions for ISeries NetIQExecObject.NetIQExec.1 SafeShellExecute Stack Buffer Overflow Remote Code Execution Vulnerability
 
Cross Reference - CVE-2015-0795

Resolution

In response to the report from February 2nd   NetIQ has made the following changes to the NetIQ product (NetIQ Security Solutions for iSeries) and the NetIQ Security Solutions for iSeries download web site:

  1. Customers who run the self-extracting executable will no longer  have the vulnerable NetIQExec.dll restored on their system.
  2. NetIQ Security Solution for iSeries download pages have been updated with the fixed self-extracting executable.
These changes should address the issues presented in ZDI-CAN-2699: NetIQ Security Solutions for ISeries NetIQExecObject.NetIQExec.1 SafeShellExecute Stack Buffer Overflow Remote Code Execution Vulnerability.  These changes include an updated download package (posted on June 2015).
 
* This vulnerability does not affect the IBM i5OS server itself.

Cause

During the installation, a helper DLL is landed.  This DLL is not needed for the execution of the product and should be removed. < C:\Program Files (x86)\NSSi81Setup\autorun\NetIQExec.dll>

Additional Information

Credit for the discovery of this vulnerability goes to:
Andrea Micalizzi (rgod) working with Zero Day Initiative (ZDI)