
UNIRAS Brief - 841/06 - Novell - Security advisories concerning vulnerabilities in Novell Netmail



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------------------
       UNIRAS (UK Government CERT) Briefing - 841/06 Dated 29.12.06 Time 11:16  

UNIRAS is part of NISCC (the UK National Infrastructure Security Co-ordination Centre)
---------------------------------------------------------------------------------------
 	UNIRAS material is available from the NISCC website at www.niscc.gov.uk
---------------------------------------------------------------------------------------

Title
=====
Security advisories concerning vulnerabilities in Novell Netmail

Detail
======

ZDI-06-052: Novell NetMail NMAP STOR Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-052.html
December 22, 2006

- -- CVE ID:
CVE-2006-6424

- -- Affected Vendor:
Novell

- -- Affected Products:
Novell NetMail 3.5.2

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since September 14, 2006 by Digital Vaccine protection
filter ID 3902. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Novell NetMail. Successful
exploitation requires the attacker to successfully authenticate to the affected service.

The specific flaw exists in NetMail's implementation of the Network Messaging Application Protocol (NMAP). The NMAP server lacks
bounds checking on parameters supplied to the STOR command, which can lead to an exploitable buffer overflow. The vulnerable daemon,
nmapd.exe, binds to TCP port 689.

- -- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:

 
http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public

- -- Disclosure Timeline:
2006.09.08 - Vulnerability reported to vendor
2006.09.14 - Digital Vaccine released to TippingPoint customers
2006.12.22 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by Dennis Rand - CIRT.DK.

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion
prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an
official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com
provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability
protection or mitigation product.



ZDI-06-053: Novell NetMail IMAP Verb Literal Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-053.html
December 22, 2006

- -- CVE ID:
CVE-2006-6424

- -- Affected Vendor:
Novell

- -- Affected Products:
Novell NetMail 3.5.2

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since December 21, 2006 by Digital Vaccine protection
filter ID 4543. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on affected versions of Novell NetMail. Authentication is not
required to exploit this vulnerability.

The specific flaw exists in the NetMail IMAP service, imapd.exe. The service does not sufficiently validate user-input length values
when literals are appended to IMAP verbs to specify a command continuation request. The memory allocated to store the additional
data may be insufficient, leading to an exploitable heap-based buffer overflow.
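
An added illustration of the bug class described above, not NetMail's code and not part of the ZDI advisory: a C routine that validates an IMAP literal length `{N}` before allocating, and sizes both the buffer and the copy from that one checked value. The names `parse_literal_len` and `store_literal`, the `MAX_LITERAL` cap and the sample command lines are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LITERAL (64u * 1024u) /* assumed server policy cap, not a NetMail value */

/* Parse a trailing IMAP literal marker "{N}" on a command line (CRLF stripped).
 * Returns 0 and stores N, or -1 if the marker is missing, malformed or N
 * exceeds MAX_LITERAL. Only decimal digits are accepted, so "{-1}" and the
 * non-synchronizing "{N+}" form are rejected here. */
int parse_literal_len(const char *line, size_t *out)
{
    size_t n = strlen(line);
    if (n < 3 || line[n - 1] != '}')
        return -1;
    const char *open = strrchr(line, '{');
    if (open == NULL || open[1] == '}')
        return -1;
    size_t val = 0;
    for (const char *p = open + 1; *p != '}'; p++) {
        if (*p < '0' || *p > '9')
            return -1;
        val = val * 10 + (size_t)(*p - '0');
        if (val > MAX_LITERAL)  /* checked per digit, so val never wraps */
            return -1;
    }
    *out = val;
    return 0;
}

/* Store the literal that follows `line`. `avail` is the number of bytes
 * actually received. Allocation and copy both use the validated length. */
char *store_literal(const char *line, const char *data, size_t avail, size_t *len)
{
    size_t want;
    if (parse_literal_len(line, &want) != 0 || want > avail)
        return NULL;
    char *buf = malloc(want + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, want);
    buf[want] = '\0';
    *len = want;
    return buf;
}

int main(void)
{
    size_t len = 0;
    char *b = store_literal("A1 LOGIN {5}", "alice", 5, &len); /* constructed input */
    printf("%s (%zu bytes)\n", b ? b : "(rejected)", len);
    free(b);
    return 0;
}
```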

- -- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:

 
http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public

- -- Disclosure Timeline:
2006.08.14 - Vulnerability reported to vendor
2006.12.21 - Digital Vaccine released to TippingPoint customers
2006.12.22 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by an anonymous researcher.




ZDI-06-054: Novell NetMail IMAP APPEND Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-054.html
December 22, 2006

- -- CVE ID:
CVE-2006-6425

- -- Affected Vendor:
Novell

- -- Affected Products:
Novell NetMail 3.5.2

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since December 21, 2006 by Digital Vaccine protection
filter ID 3868. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Novell NetMail. Successful
exploitation requires the attacker to successfully authenticate to the affected service.

The specific flaw exists in the NetMail IMAP server's handling of the APPEND command. A lack of bounds checking on a specific
parameter to this command can lead to a stack-based buffer overflow. This vulnerability can be exploited to execute arbitrary code.

- -- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:

 
http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public

- -- Disclosure Timeline:
2006.08.14 - Vulnerability reported to vendor
2006.12.21 - Digital Vaccine released to TippingPoint customers
2006.12.22 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by an anonymous researcher.


- ---------------------------------------------------------------------------------------

For additional information or assistance, please contact our help desk by telephone.  
You may send Not Protectively Marked information via e-mail to uniras@xxxxxxxxxxxxx

Office hours:

Mon - Fri: 08:30 - 17:00 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts

- ---------------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of ZDI for the information contained
in this briefing.
- ---------------------------------------------------------------------------------------

This notice contains information released by the original author. Some of the 
information may have changed since it was released. If the vulnerability affects you, 
it may be prudent to retrieve the advisory from the site of the original source to 
ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade name, 
trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, 
recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors 
expressed within this notice shall not be used for advertising or product endorsement 
purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors or omissions 
contained within this briefing notice. In particular, they shall not be liable for 
any loss or damage whatsoever, arising from or in connection with the usage of 
information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has 
contacts with other international Incident Response Teams (IRTs) in order to foster 
cooperation and coordination in incident prevention, to prompt rapid reaction to 
incidents, and to promote information sharing amongst its members and the community at 
large.
- ---------------------------------------------------------------------------------------
<End of UNIRAS Briefing>



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRZT5Vml7oeQsXfKvEQLbywCg5WukMiFGLTf3O4K/BqtRA8G12e4An0o2
Gp/vL/VHGlzzNRN3NTlFVuoV
=7sfi
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________