Novell Teaming username enumeration vulnerability fix

  • 7002997
  • 14-Apr-2009
  • 27-Apr-2012

Environment

Products:
Novell Teaming 1.0
Novell Teaming 1.0 Support Pack 1
Novell Teaming 1.0 Support Pack 2
Novell Teaming 1.0 Support Pack 3
Novell Teaming + Conferencing
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 10 Support Pack 1
Windows 2003 Server

Configuration:
Novell Teaming is installed correctly.

Situation

Novell Teaming is vulnerable to Username Enumeration attacks in that the application reacts differently for valid and invalid usernames. This allows an attacker to deduce whether the specified username exists or not.

Resolution

The Liferay portal reacts differently for valid and invalid usernames. This allows an attacker to deduce whether a specific username exists.
 
Solution:
This is caused by the different text messages used to present the two error conditions (valid username with a wrong password versus an unknown username) to users. Making these error messages identical in both cases fixes the vulnerability. The following steps describe how to make the change.
  • Stop Teaming
  • Make a backup copy of <tomcat directory>/webapps/ROOT/WEB-INF/lib/portal-impl.jar file in a safe place.
  • cd to a clean, empty directory (example: /root/Documents/temp or c:\temp). Create the directory beforehand if needed.
  • Unjar <tomcat directory>/webapps/ROOT/WEB-INF/lib/portal-impl.jar file into the directory using the following command:

    jar xvf <tomcat directory>/webapps/ROOT/WEB-INF/lib/portal-impl.jar
  • cd to the content directory.
  • For each *.properties file in the directory, open the file in a text editor and make the values of the two properties authentication-failed and please-enter-a-valid-login exactly identical, character by character. Every *.properties file in the directory must be edited.
  • Update the jar file with the edited files in the content directory by executing the following command:

    jar uvf <tomcat directory>/webapps/ROOT/WEB-INF/lib/portal-impl.jar content
  • Start Teaming
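As an added example (not part of this TID, and not Novell's or Liferay's code), the editing step above can be applied to every *.properties file under content/ with a script instead of by hand. It assumes the two keys appear as single-line key=value entries, and the sample fragment at the bottom is constructed for illustration:

```python
import re
from pathlib import Path

# The two Liferay message keys the TID says must be identical character by character.
KEYS = ("authentication-failed", "please-enter-a-valid-login")
# Single-line "key=value" / "key: value" entries; assumption: these keys are not split over continuation lines.
_LINE = re.compile(r"^(?P<key>[^#!=:\s][^=:]*?)\s*[=:]\s*(?P<val>.*)$")

def read_values(text):
    """Return {key: value} for the two keys of interest found in a properties text."""
    found = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group("key") in KEYS:
            found[m.group("key")] = m.group("val")
    return found

def is_harmonized(text):
    """True when both keys are present and their messages are identical."""
    v = read_values(text)
    return len(v) == 2 and v[KEYS[0]] == v[KEYS[1]]

def harmonize(text):
    """Rewrite please-enter-a-valid-login to equal authentication-failed.
    Returns (new_text, changed); KeyError if authentication-failed is missing."""
    target = read_values(text)["authentication-failed"]
    out, changed = [], False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _LINE.match(body)
        if m and m.group("key") == "please-enter-a-valid-login" and m.group("val") != target:
            line = f"please-enter-a-valid-login={target}{line[len(body):]}"
            changed = True
        out.append(line)
    return "".join(out), changed

def harmonize_directory(content_dir):
    """Apply harmonize() to every *.properties file; return the names that changed."""
    changed_files = []
    for path in sorted(Path(content_dir).glob("*.properties")):
        text = path.read_text(encoding="latin-1")  # Java .properties files are ISO-8859-1
        new_text, changed = harmonize(text)
        if changed:
            path.write_text(new_text, encoding="latin-1")
            changed_files.append(path.name)
    return changed_files

# Constructed sample resembling a Language.properties fragment (not taken from the TID).
SAMPLE = ("## Authentication\nauthentication-failed=Authentication failed. Please try again.\n"
          "please-enter-a-valid-login=Please enter a valid login.\nwelcome=Welcome\n")
```

Run `harmonize_directory("content")` from the unpacked jar directory, then check each file with `is_harmonized` before repacking.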

Status

Security Alert

Bug Number

478254

Additional Information

Security risk: Low to Medium

Discovered and reported by: Konstantin Baurer and Michael Kirchner – SEC Consult Vulnerability Lab (http://www.sec-consult.com), CVE-2009-1293