SecurityTracker.com
Category:  Application (Directory)  >  Novell eDirectory
Vendors:  Novell
Novell eDirectory Role Based Services May Assign Elevated Privileges
SecurityTracker Alert ID:  1009955
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Apr 27 2004
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Modification of authentication information, Modification of system information, Modification of user information
Vendor Confirmed:  Yes  
Version(s): 8.7
Description:  A vulnerability was reported in Novell eDirectory in the assignment of administrative privileges via Role Based Services (RBS). An authenticated user may be granted excessive privileges.

Novell reported that the RBS feature allocates eDirectory trustee assignments to the ROOT object that may exceed the minimum rights required to complete a particular task, or that do not directly pertain to the resource to be managed.

As a result, users added to Roles may report on or perform administration tasks for which they are not authorized.

Impact:  A user assigned to Roles may report on or perform administration tasks for which they are not authorized.
Solution:  Novell indicates that you can modify the rights assignment for the Role and/or make the Role trustee assignment at the Resource to be managed (change the scope).
Vendor URL:  support.novell.com/cgi-bin/search/searchtid.cgi?/10092504.htm
Cause:  Access control error, Configuration error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003)
Underlying OS Comments:  NetWare 5.1, 6, 6.5; Windows NT 4.0, 2000, 2003

Message History:   None.
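
One way to check a tree for the condition described above, as an added example (not Novell's or SecurityTracker's code): list the trustee assignments on the tree root that belong to role objects, so they can be reviewed and re-scoped to the resource as the Solution suggests. It assumes ACL values in the `privileges#scope#trustee#attribute` form; the container name `cn=Roles,o=example` and all sample values are constructed.

```python
# Added example. Assumed ACL value form: privileges#scope#trustee#attribute
# All DNs and values below are constructed for illustration.
ROLE_CONTAINER = "cn=Roles,o=example"  # hypothetical container holding role objects

ROOT_ACL = [  # constructed: ACL values read from the tree root object
    "1#subtree#[Public]#[Entry Rights]",
    "16#subtree#cn=admin,o=example#[Entry Rights]",
    "4#subtree#cn=Password Helpdesk,cn=Roles,o=example#[All Attributes Rights]",
    "2#entry#cn=Printer Manager,cn=Roles,o=example#[Entry Rights]",
    "not-an-acl-value",
]


def parse_acl(value):
    """Split one ACL value into (privileges, scope, trustee, attribute)."""
    try:
        privileges, scope, rest = value.split("#", 2)
        trustee, attribute = rest.rsplit("#", 1)  # tolerate '#' inside a DN
        return int(privileges), scope.lower(), trustee, attribute
    except ValueError as exc:
        raise ValueError(f"unexpected ACL value: {value!r}") from exc


def role_assignments_at_root(acl_values, role_container):
    """List root-level trustee assignments held by objects under role_container."""
    suffix = "," + role_container.lower()
    findings = []
    for value in acl_values:
        try:
            privileges, scope, trustee, attribute = parse_acl(value)
        except ValueError:
            # Never drop an entry silently: an unreadable ACL needs a human look.
            findings.append({"raw": value, "reach": "unparsed, review by hand"})
            continue
        if not trustee.lower().endswith(suffix):
            continue  # not a role object; outside this check
        # A subtree-scoped assignment at the root is inherited by every object.
        reach = "whole tree (inherited)" if scope == "subtree" else "root object only"
        findings.append({"trustee": trustee, "privileges": privileges,
                         "attribute": attribute, "reach": reach})
    return findings


if __name__ == "__main__":
    for finding in role_assignments_at_root(ROOT_ACL, ROLE_CONTAINER):
        print(finding)
```

The privileges field is reported as the raw number; each finding is a candidate for moving the assignment from the root to the container or object the role actually manages.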


 Source Message Contents

Date:  Tue, 27 Apr 2004 01:59:29 -0400
Subject:  http://support.novell.com/cgi-bin/search/searchtid.cgi?/10092504.htm

 

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10092504.htm

Novell issued a Technical Information Document (TID10092504) reporting a vulnerability in 
eDirectory 8.7.  An authenticated user may be granted excessive administrative privileges.

The report indicates that Role Based Services (RBS) assigns eDirectory trustee assignments 
to the ROOT object that may be higher than the minimum required to complete a particular 
task or where the assigned rights do not directly pertain to the resource to be managed.

As a result, users added to Roles may report on or perform administration tasks for which 
they are not authorized.

As a solution, Novell indicates that you can modify the rights assignment for the Role 
and/or make the Role trustee assignment at the Resource to be managed (change the scope).

 > Document Title: Role Based Services (RBS) rights to ROOT
 > Document ID: 10092504
 > Solution ID: NOVL96526
 > Creation Date: 20APR2004
 > Modified Date: 20APR2004
 > Novell Product Class: Novell Directory Services


 



Copyright 2004, SecurityGlobal.net LLC