Novell Kanaka for Mac 2.7 trusts any SSL certificate during installation.

  • 7011965
  • 15-Mar-2013
  • 22-Apr-2013

Environment

Novell Kanaka for Mac

Situation

During the installation of Novell Kanaka for Mac 2.7, the product will trust any SSL certificate. This creates a security threat that could give an attacker an opportunity to steal credentials. While we feel that the threat is minimal, since it is only an issue during the installation process and access to the server during that time would be required, we do take this seriously and have made an update available which addresses this issue.

Resolution

Novell Kanaka for Macintosh is an add-on component for the Open Enterprise Server product.  Customers who have a current maintenance contract for OES are eligible to obtain the Kanaka product and licenses at no charge. 

The previously released version is 2.7.1. The product team has created version 2.8. Version 2.8 is functionally equivalent to 2.7.1 with one change: 2.8 addresses a security vulnerability that can be exploited during the product installation. Once the system has been installed, the vulnerability is no longer present. Therefore, previously installed 2.7.1 systems do not need the update in order to be secure, unless of course they re-install the software.

Both versions, 2.7.1 and 2.8, will be available on the customer portal for customers who own OES and have a current maintenance agreement.

Cause

A problem during the install process allows a would-be attacker an opportunity, during the installation, to compromise credentials.

Additional Information

Credit for discovering and reporting this vulnerability is attributed to swappiness0@gmail.com.