Environment
NetIQ Security Solutions for iSeries 8.1
Situation
ZDI-CAN-2699: NetIQ Security Solutions for ISeries NetIQExecObject.NetIQExec.1 SafeShellExecute Stack Buffer Overflow Remote Code Execution Vulnerability
Cross Reference - CVE-2015-0795
Resolution
In response to the report from February 2nd, NetIQ has made the following changes to the NetIQ product (NetIQ Security Solutions for iSeries) and to the NetIQ Security Solutions for iSeries download web site:
- Customers who run the self-extracting executable will no longer have the vulnerable NetIQExec.dll restored on their system.
- NetIQ Security Solutions for iSeries download pages have been updated with the fixed self-extracting executable.
These changes should address the issues presented in ZDI-CAN-2699: NetIQ Security Solutions for ISeries NetIQExecObject.NetIQExec.1 SafeShellExecute Stack Buffer Overflow Remote Code Execution Vulnerability. These changes include an updated download package (posted in June 2015).
* This vulnerability does not affect the IBM i5OS server itself.
Cause
During installation, a helper DLL is placed on the system at C:\Program Files (x86)\NSSi81Setup\autorun\NetIQExec.dll. This DLL is not needed for the execution of the product and should be removed.
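To confirm whether a Windows host still carries the helper DLL, the following read-only PowerShell audit can be run. It is an added example, not NetIQ code: the function name Get-NetIQExecExposure is hypothetical, the path is the one given above, and treating NetIQExecObject.NetIQExec.1 from the advisory title as a COM ProgID is an assumption.

```powershell
# Added example: read-only audit for the leftover helper DLL. Changes nothing.
function Get-NetIQExecExposure {
    param(
        # Path from the advisory; adjust if the setup was extracted elsewhere.
        [string]$DllPath = 'C:\Program Files (x86)\NSSi81Setup\autorun\NetIQExec.dll',
        # Name from the advisory title, assumed here to be a COM ProgID.
        [string]$ProgId  = 'NetIQExecObject.NetIQExec.1'
    )
    $findings = @()

    # 1. Is the DLL still on disk?
    if (Test-Path -LiteralPath $DllPath -PathType Leaf) {
        $file = Get-Item -LiteralPath $DllPath
        $findings += [pscustomobject]@{
            Check  = 'File present'
            View   = '-'
            Detail = "$($file.FullName) (modified $($file.LastWriteTime.ToString('u')))"
        }
    }

    # 2. Is the ProgID registered? Check the 32-bit and 64-bit registry views
    #    explicitly so WOW64 redirection does not hide a 32-bit registration.
    #    On a 32-bit OS both views return the same data.
    foreach ($view in 'Registry32', 'Registry64') {
        $hkcr = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::ClassesRoot,
            [Microsoft.Win32.RegistryView]$view)
        try {
            $progKey = $hkcr.OpenSubKey("$ProgId\CLSID")
            if (-not $progKey) { continue }
            $clsid  = $progKey.GetValue('')
            # Resolve the class to the DLL that would be loaded on instantiation.
            $srvKey = $hkcr.OpenSubKey("CLSID\$clsid\InprocServer32")
            $server = if ($srvKey) { $srvKey.GetValue('') } else { '(no InprocServer32 key)' }
            $findings += [pscustomobject]@{
                Check  = 'COM object registered'
                View   = $view
                Detail = "CLSID=$clsid Server=$server"
            }
        } finally { $hkcr.Dispose() }
    }
    $findings
}

$result = Get-NetIQExecExposure
if ($result) { $result | Format-Table -AutoSize -Wrap }
else { 'NetIQExec.dll not found and ProgID not registered.' }
```

A "COM object registered" finding whose Server value points at a different location than the default path means a second copy of the DLL exists and should be reviewed as well.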
Additional Information
Credit for the discovery of this vulnerability goes to:
Andrea Micalizzi (rgod) working with Zero Day Initiative (ZDI)