Security Advisory for NetWare 6.5 OpenSSH

  • 7006756
  • 30-Aug-2010
  • 26-Apr-2012

Environment

Novell NetWare 6.5

Situation

A vulnerability has been identified in NetWare 6.5 SSH which, if exploited repeatedly, could be used for a Denial-of-Service Attack. The flaw exists in SSHD.NLM and one of it's sub-modules, SFTP-SVR.NLM.

In SFTP or SCP sessions, if an authenticated user attempts to specify a file path which results in an absolute path over 512 characters, this will overflow the allocated memory buffer and corrupt the stack of the individual SFTP or SCP session. This typically results in an ABEND, as code pointers on the process stack can be corrupted and point to invalid or unexpected memory addresses. Typically, only the SFTP or SCP session in which the long path was specified is effected (halted by the ABEND). However, if this happened repeatedly, eventually other processes could be effected, through consumption of resources, arbitrary execution of other code in memory, etc.
 
CVE assignment pending.

Resolution

This report came to Novell after General Support for NetWare 6.5 had already been discontinued.  During this "Extended Support" phase, Novell will consider making fixes for security issues deemed "critical." Novell has reviewed the situation and determined the issue to be noncritical, for the following reasons:

1. The vulnerability is not "open," it is "controlled," as it requires a properly authenticated user session.

2. Individual instances of the problem typically only effect the session which triggered the problem. Other sessions, and the service as a whole, continue to run.

3. Loss of data does not occur.

4. Access to unauthorized data does not occur

5. Ability to load or execute unauthorized code is not granted

Additional Information

Despite the noncritical nature of this vulnerability, Novell initially made a fix for this issue, which corrected all aspects of the issue which had been reported. The individual who discovered the issue tested the fix and indicated there were some problems with it. However, he was not willing to provide details of the problems despite Novell's repeated requests. Without further cooperation, Novell was unable to continue pursuing the issue.

This vulnerability was discovered by Francis Provencher, Protek Research Lab, and reported through the TippingPoint Zero Day Initiative, ZDI-CAN-674.