Novell Home

My Favorites

Close

Please to see your favorites.

Novell Teaming username enumeration vulnerability fix

This document (7002997) is provided subject to the disclaimer at the end of this document.

Environment

Products:
Novell Teaming 1.0
Novell Teaming 1.0 Support Pack 1
Novell Teaming 1.0 Support Pack 2
Novell Teaming 1.0 Support Pack 3
Novell Teaming + Conferencing
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 10 Support Pack 1
Windows 2003 Server

Configuration:
Novell Teaming is installed correctly.

Situation

Novell Teaming is vulnerable to Username Enumeration attacks in that the application reacts differently for valid and invalid usernames. This allows an attacker to deduce whether the specified username exists or not.

Resolution

The Liferay portal reacts differently for valid and invalid usernames. This allows an attacker to deduce whether a specific username exists.
 
Solution:
This is caused by the differences in text messages used to present the error conditions to users. By making these error text messages identical between the two cases, the vulnerability can be fixed. The following describes the steps for making the changes.
  • Stop Teaming
  • Make a backup copy of <tomcat directory>/webapps/ROOT/WEB-INF/lib/portal-impl.jar file in a safe place.
  • cd to a clean empty directory (example: /root/Documents/temp or c:\temp). Make the directory before hand if needed.
  • Unjar <tomcat directory>/webapps/ROOT/WEB-INF/lib/portal-impl.jar file into the directory using the following command:

    jar xvf <tomcat directory>/webapps/ROOT/WEB-INF/lib/portal-impl.jar
  • cd to content directory.
  • For each *.properties file in the directory, edit the file in a text editor and make the values of the following two properties - authentication-failed and please-enter-a-valid-login - exactly identical character by character. Repeat this step for every *.properties file in the directory.
  • Insert the updated files in content directory into the jar file by executing the following command.

    jar uvf <tomcat directory>/webapps/ROOT/WEB-INF/lib/portal-impl.jar content
  • Start Teaming

Status

Security Alert

Bug Number

478254

Additional Information

 Security risk: Low to Medium
 
Discovered and reported by: Konstantin Baurer and Michael Kirchner – SEC Consult Vulnerability Lab (http://www.sec-consult.com), CVE-2009-1293

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7002997
  • Creation Date:14-APR-09
  • Modified Date:27-APR-12
    • NovellVibe

Did this document solve your problem? Provide Feedback