CERT-MU Vulnerability Note VN-2010-1
Novell iManager eDirectory Plug-in Remote Code Execution Vulnerability
Original Issue Date: January 12, 2010
Severity Rating: High
Systems Affected
Overview
A buffer overflow vulnerability has been reported in the iManager component of Novell eDirectory, which can be exploited by malicious people to execute arbitrary code on the victim system or crash the affected application.
Description
Novell iManager is a Web-based administration console that provides customized access to network administration utilities and content from virtually any location in the world.
This vulnerability is due to a boundary condition error when importing or exporting data from the schema information. While copying into a statically allocated stack buffer, the sub-application fails to validate the length of the arguments, which leads to a boundary condition error and results in remote execution of attacker-supplied data as code under the privileges of the application.
Note: Authentication is not required to exploit this vulnerability.
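The missing length check described above, shown as an added C example that is not Novell's code and not part of the original note. The function names, the 64-byte buffer size and the error codes are assumptions chosen for illustration; the first function shows the unsafe pattern, the second rejects oversized arguments before copying.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 64            /* hypothetical fixed buffer size */

struct schema_entry {              /* hypothetical destination record */
    char name[NAME_BUF_LEN];
};

/* Unsafe pattern: the argument length is never compared with the size of
 * the stack buffer, so a long argument overwrites adjacent stack memory. */
int import_name_unchecked(struct schema_entry *out, const char *arg)
{
    char buf[NAME_BUF_LEN];
    strcpy(buf, arg);              /* no bound: overflows when arg is >= 64 bytes */
    strcpy(out->name, buf);
    return 0;
}

/* Hardened form: validate before copying and reject instead of truncating.
 * Returns 0 on success, -1 bad pointer, -2 too long, -3 embedded NUL. */
int import_name_checked(struct schema_entry *out, const char *arg, size_t arg_len)
{
    char buf[NAME_BUF_LEN];

    if (out == NULL || arg == NULL)
        return -1;
    if (arg_len >= sizeof buf)     /* leave room for the terminator */
        return -2;
    if (memchr(arg, '\0', arg_len) != NULL)
        return -3;                 /* declared length disagrees with content */

    memcpy(buf, arg, arg_len);
    buf[arg_len] = '\0';
    memcpy(out->name, buf, arg_len + 1);
    return 0;
}

int main(void)
{
    struct schema_entry e;
    char oversized[200];           /* constructed sample input */
    memset(oversized, 'A', sizeof oversized);

    printf("short argument: %d\n", import_name_checked(&e, "cn", 2));
    printf("200-byte argument: %d\n",
           import_name_checked(&e, oversized, sizeof oversized));
    return 0;
}
```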
Solution
Install SP3 for iManager 2.7 and the eDirectory 2.7.3 Plug-in:
http://download.novell.com/SummaryFree.jsp?buildid=BJosshlLid0~.
Vendor Information
Novell
http://www.novell.com/support/viewContent.do?externalId=7004985&sliceId=1
References
Novell
http://www.novell.com/support/viewContent.do?externalId=7004985&sliceId=1
http://www.novell.com/products/edirectory/
http://www.novell.com/products/consoles/imanager/features.html
ZDI
http://www.zerodayinitiative.com/advisories/ZDI-10-001/
VUPEN
http://www.vupen.com/english/advisories/2010/0074
Securityfocus
http://www.securityfocus.com/bid/37672
Secunia
http://secunia.com/advisories/38030
CVE Name
CVE-2009-4486
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.