Проблемы безопасности в eDir

[Сергей Дубров]

Две ссылки от секунии:


----------------------------------------------------------------------

A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has
been released. The new version includes many new and advanced features,
which makes it even easier to stay patched.

Download and test it today:
https://psi.secunia.com/

Read more about this new version:
https://psi.secunia.com/?page=changelog

----------------------------------------------------------------------

TITLE:
Novell eDirectory eMBox Utility Unspecified Vulnerability

SECUNIA ADVISORY ID:
SA29527

VERIFY ADVISORY:
http://secunia.com/advisories/29527/

CRITICAL:
Less critical

IMPACT:
Exposure of system information, Exposure of sensitive information,
DoS

WHERE:
>From local network

SOFTWARE:
Novell eDirectory 8.x
http://secunia.com/product/1120/

DESCRIPTION:
A vulnerability has been reported in Novell eDirectory, which can be
exploited by malicious people to disclose potentially sensitive
information or cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error within the
eMBox utility and can be exploited to cause a DoS or gain access to
certain local files.

The vulnerability affects the following versions on all platforms:
* Novell eDirectory 8.8 and prior
* Novell eDirectory 8.7.3.9 and prior

SOLUTION:
eDirectory 8.8.x:
Update to version 8.8.2.

eDirectory 8.7.3:
The vendor recommends unloading the eMBox module. Please see the
vendor's advisory for details.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Nicholas Gregorie.

ORIGINAL ADVISORY:
Novell (3866911):
https://secure-support.novell.com/Kanis ... /3866911_f.
SAL_Public.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.


===


----------------------------------------------------------------------

A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has
been released. The new version includes many new and advanced features,
which makes it even easier to stay patched.

Download and test it today:
https://psi.secunia.com/

Read more about this new version:
https://psi.secunia.com/?page=changelog

----------------------------------------------------------------------

TITLE:
Novell eDirectory LDAP Extended Request Message Processing Buffer
Overflow

SECUNIA ADVISORY ID:
SA29476

VERIFY ADVISORY:
http://secunia.com/advisories/29476/

CRITICAL:
Moderately critical

IMPACT:
DoS, System access

WHERE:
>From local network

SOFTWARE:
Novell eDirectory 8.x
http://secunia.com/product/1120/

DESCRIPTION:
A vulnerability has been reported in Novell eDirectory, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
processing of LDAP Extended Request messages and can be exploited to
cause a stack-based buffer overflow via a large LDAP Extended Request
message.

Successful exploitation may allow execution of arbitrary code.

The vulnerability affects the following versions on Solaris, Windows
2000/2003, and Linux systems:
* Novell eDirectory 8.8.1 and prior
* Novell eDirectory 8.7.3.9 and prior

SOLUTION:
Update to version 8.8.2 or apply eDirectory 8.7.3 sp10.
http://download.novell.com/

PROVIDED AND/OR DISCOVERED BY:
The vendor credits the Zero Day Initiative.

ORIGINAL ADVISORY:
Novell (3382120):
https://secure-support.novell.com/Kanis ... /3382120_f.
SAL_Public.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

===

Если для LDAP из eDir 8.7.3 есть SP10, решающий проблему, то для eMBox из 8.7.3 рекомендуется просто выгрузить модуль

[Иван Левшин aka Ivan L.]

До сих пор не пойму - нафик ембокс надобен. Зато имею в памяти чудесный пример, когда утиль какой-то из него валил стервер в абенд при смене пароля у пользователя, под которым он логинился в дерево. Так ша фтопку

[Сергей Дубров]

Решил новой темы не создавать. Получаю сегодня вот такое вот письмо из Новела:

===
Upon additional verification of the eDirectory 8.7.3 SP10 patch, Novell
determined that it's possible to abend the server during installation. It
only occurs if you select to view the Readme during the install process.
In addition, it only appears to happen on NetWare 6.5 SP7. Novell has not
been able to reproduce it on NetWare 6.5 SP6.

The root cause of the problem is a packaging issue - the readme.txt file
was not included. To rectify the problem, a new patch will be posted in
the next few days. There will only be one change. The proper readme.txt
file will be added.

To avoid this install problem, you have two options:

1. Use the current patch, and select "No" when prompted to view the
Readme.

2. Wait for the updated patch to be posted.

Thank you for your patience, as Novell resolves this issue. A followup
message will be sent when the updated patch is available. If you have any
questions, please feel free to contact me directly.

Jim Schnitter
Novell eDirectory Support
jschnitter@novell.com
(801) 861-3217
===

Шутники - readme.txt они забыли положить. На таких мелочах прокалываются...

[Иван Левшин aka Ivan L.]

Итить... Индусы новый мешок с травой, видать, раскупорили - не обвыклись еще.

[Boris Morozov]

либо читают до того как начинать давить на кнопки и ставить.

[Савельев Сергей]

либо читают до того как начинать давить на кнопки и ставить.

Полностью согласен. Нечего читать всякую ... во время установки

[Мещеряков Андрей]

либо читают до того как начинать давить на кнопки и ставить.

Полностью согласен. Нечего читать всякую ... во время установки

Наши люди

[Андрей Тр. aka RH]

В том смысле, что читать надо до того, как запустил инсталл. Ведь ридми идёт отдельным файлом.

Между тем, филиал Новелла в Бангалоре ничуть не уменьшается .. скорее наоборот

[Boris Morozov]

там кстати НИИ ЭВМ небезызвестный расположен. Лучше б они у наших заказывали, по крайней мере трава у нас менее забористая.

[Сергей Дубров]

Очередная часть марлезонского балета - сначала они в абенд падали от забытого readme.txt при установке eDir 8.7.3.10, теперь ещё хуже:

Novell has determined that it's possible for a server to stop
synchronizing objects once eDirectory 8.7.3 SP10 is installed. This
problem appears to affect all supported eDirectory 8.7.3 operating
systems. The root cause of the problem is that an object is incorrectly
populated with a "Network Address" attribute. The affected server can no
longer synchronize the object, as this attribute is not valid according to
the schema definitions. More details on this issue can be found in TID
7000100. In addition, this TID has steps to fix offending objects.

To rectify the problem, Novell is working on eDirectory 8.7.3 SP10a. This
support pack will completely replace eDirectory 8.7.3 SP10, which has
already been removed from the Novell download site. eDirectory 8.7.3
SP10a should be applied to any servers that currently have eDirectory
8.7.3 SP10.

Novell recommends the following course of action:

Do not apply eDirectory 8.7.3 SP10 on any server.


If you have applied eDirectory 8.7.3 SP10 and are experiencing a
synchronization issue, do the following:

a. Verify that it's caused by an object incorrectly populated with the
"Network Address" attribute.

b. Get to an eDirectory version that doesn't have the problem. There are
two different ways to do this:

- Back rev the affected servers to eDirectory 8.7.3 SP9 FTF3. This is the
recommended solution.

- On NetWare, backup the current ds.nlm and replace it with the one from
eDirectory 8.7.3 SP9 FTF3. On Windows, backup the current ds.dlm and
replace it with the one from eDirectory 8.7.3 SP9 FTF3. An equivalent
procedure for Linux and Solaris is under review; it will be sent in a
follow up message.

c. Fix the objects in question. (See TID 7000100.)

d. Upgrade the servers to SP10a, as soon as it's available.


If you have applied eDirectory 8.7.3 SP10 and are not experiencing the
synchronization issue, you have two options:

Option 1. Get to an eDirectory version that doesn't have the problem. You
can use either of the two different ways described above.

Option 2. Leave eDirectory 8.7.3 SP10 on the current servers and just
wait for eDirectory 8.7.3 SP10a. Once it's ready, the support pack must
be applied immediately.

(Note: Zen objects appear to be the ones most often incorrectly populated
with the "Network Address" attribute. If you don't have those in your
environment, it's possible that the synchronization issue will not occur.)


Thank you for your patience, as Novell resolves this issue. A followup
message will be sent when eDirectory 8.7.3 SP10a is available. At this
time, Novell does not have a estimated delivery date for this support
pack. As soon as an estimated delivery date is determined, that will be
sent out. If you have any questions, please feel free to contact me
directly.

Jim Schnitter
Novell eDirectory Support
jschnitter@novell.com

В общем, ждём eDir 8.7.3.10a. Как говорил в своё время Кирил Степанов, есть предложение скинуться на пакистанскую атомную бомбу - индусы достали уже

[Иван Левшин aka Ivan L.]

там кстати НИИ ЭВМ небезызвестный расположен. Лучше б они у наших заказывали, по крайней мере трава у нас менее забористая.

С вами они дружить не будут из-за Export restriction rules и потому, что батька - в опале.

[Андрей Тр. aka RH]

Novell SRM team Holi celebrations at Bangalore

The picture shows the festive spirit of the folks at Novell, Bangalore ..

[Мещеряков Андрей]

Что у них с лицами - экзема, парша или туйон?

[Андрей Тр. aka RH]

Это загар от мониторов от напряженной работы над новелловскими продуктами.

Holi is a popular, Hindu spring festival, observed in India, also called the "Festival of Colours" or sometimes "spring festival".

On the first day, bonfires are lit at night to signify burning the demoness Holika, Hiranyakashipu's sister.

On the second day, known as Dhuleti, people spend the day throwing coloured powder and water at each other.

[Иван Иванов]

Андрей Тр. aka RH