Novell iChain Login Buffer Overflows Let Remote Users Crash the Software
SecurityTracker Alert ID: 1007323
CVE Reference: CAN-2003-0638
Updated: Aug 4 2003
Original Entry Date: Jul 28 2003
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Description: Some vulnerabilities were reported in Novell's iChain security software. A remote user can cause denial of service conditions.
Novell reported that a remote user can run a "special script" against the login process to trigger a buffer overflow and cause an ABEND (abnormal termination). They also reported that if iChain is configured to e-mail alerts, a remote user can send a login name with more than 230 characters as part of an unsuccessful login attempt to trigger a crash.
No further details were provided.
Impact: A remote user can cause iChain to crash.
Solution: The vendor has released Service Pack 3. The service pack is available at:
http://support.novell.com/servlet/filedownload/sec/pub/ic21sp3.exe
Information on the patch is available at:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966560.htm
Vendor URL: support.novell.com/cgi-bin/search/searchtid.cgi?/2966560.htm
Cause: Boundary error
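
An added illustration of the boundary-error class named above, not Novell's code (the advisory gives no implementation details): a C routine that builds a failed-login alert with the name length checked before any copy. The 230-character limit is the advisory's figure; the buffer size and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* 230 is the threshold named in the advisory; ALERT_BUF and every function
   name here are hypothetical. iChain's real code and buffer sizes are not public. */
#define MAX_LOGIN_NAME 230
#define ALERT_BUF 256

/* Boundary-error pattern to avoid (unbounded copy of the submitted name):
       char alert[ALERT_BUF];
       sprintf(alert, "Login failed for user '%s'", name);              */

/* Length of s, reading at most max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Builds the alert text for a failed login.
   Returns 0 if the name was included, 1 if it was over-long and replaced by
   a fixed notice, -1 on bad arguments or if the text does not fit in out. */
int build_failed_login_alert(const char *name, char *out, size_t out_len)
{
    int w;
    if (name == NULL || out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    size_t n = bounded_len(name, MAX_LOGIN_NAME + 1);
    int too_long = n > MAX_LOGIN_NAME;
    if (too_long)   /* never copy attacker-sized input into the alert */
        w = snprintf(out, out_len, "Login failed: user name longer than %d bytes rejected", MAX_LOGIN_NAME);
    else
        w = snprintf(out, out_len, "Login failed for user '%.*s'", (int)n, name);
    if (w < 0 || (size_t)w >= out_len) {   /* truncation is a failure */
        out[0] = '\0';
        return -1;
    }
    return too_long;
}

int main(void)
{
    char alert[ALERT_BUF], name[232];   /* constructed 231-byte sample name */
    memset(name, 'A', 231);
    name[231] = '\0';
    printf("%d %s\n", build_failed_login_alert(name, alert, sizeof alert), alert);
    return 0;
}
```
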
Message History:
None.
Source Message Contents
Date: Mon, 28 Jul 2003 17:50:45 -0400
Subject: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966560.htm
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966560.htm
Novell released Service Pack 3 for iChain.
> Fixes in this Field Patch (since ic21sp2.exe):
> 1) Security Alerts:
> a) DoS caused by buffer overflow abend running special
> script against login.
> b) DoS/buffer overflow abend when a login name of more than 230 characters fails to
> successfully login and the emailing of alerts is enabled in iChain.
The service pack is available at:
http://support.novell.com/servlet/filedownload/sec/pub/ic21sp3.exe