Architectural and security problems with NWFILTER.SYS

  • 3260263
  • 13-Feb-2008
  • 16-Mar-2012

Environment

Novell Client for Windows 2000/XP/2003 4.91 Support Pack 5
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 4
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 3
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 2
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 1a
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 1

Situation

Local exploitation of an input validation error vulnerability within NWFILTER.SYS could allow an unprivileged attacker to execute arbitrary code within the kernel. In order to exploit the vulnerability, an attacker would need to first log in and must then be able to execute a specially-crafted executable.

Resolution

This problem has been resolved in the Novell Client 4.91 SP5. Novell recommends you upgrade to the current version of the Novell Client for Windows XP/2003 to resolve this problem.
 
For pre-4.91 SP5 versions of the Novell Client for Windows XP/2003:
 
Download and install the patch file appropriate to your version of the Novell Client for Windows XP/2003.

Novell Client 4.91 SP4:
Title: Novell Client post-4.91 SP4 NWFILTER
Filename: 491psp4_nwfilter.zip
Readme: https://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5006982.html

Novell Client 4.91 SP3:
Title: Novell Client post-4.91 SP3 NWFILTER
Filename: 491psp3_nwfilter.zip
Readme: https://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5006862.html

Novell Client 4.91, 4.91 SP1, 4.91 SP1a and 4.91 SP2:
Title: Novell Client post-4.91, SP1, and SP2 NWFILTER
Filename: 491presp3_nwfilter.zip
Readme: https://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5006983.html

Status

Security Alert

Additional Information

Architectural problems in the existing NWFILTER.SYS design have been the subject of blue screen and functionality problems for some Novell Client users. Because a redesign of the NWFILTER.SYS driver is already required to address these problems, Novell has opted to remove the NWFILTER.SYS driver entirely rather than patch just the security issue within the existing design of the Novell Client 4.91 SP4.

The Novell Client 4.91 SP5 includes NWFILTER.SYS and the "UNC Path Filter" feature, including a fix for the security vulnerability cited in this Technical Information Document.

Security vulnerability:
CVE-2007-5667, found by Stephen Fewer of Harmony Security (www.harmonysecurity.com) working with the VeriSign iDefense VCP.