
Preemptive Protection against Novell eDirectory Buffer Overflow Vulnerability


Check Point Reference: CPAI-2006-055
Date Published:
Severity:
Last Updated:
Source: ZDI-06-016
Industry Reference(s): CVE-2006-2496
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
InterSpect
  • NGX
Who is Vulnerable?
Novell iMonitor 2.4
Novell eDirectory 8.8
Vulnerability Description
A buffer overflow vulnerability has been identified in Novell eDirectory. By supplying an overly long URI, remote attackers could execute arbitrary code on vulnerable installations of Novell eDirectory.
Vulnerability Status
A Metasploit framework exploit module (edirectory_imonitor2.pm) is available.
Update/Patch Available
 
Vulnerability Details
The specific flaw exists within the iMonitor NDS Server, which by default exposes an HTTP interface on TCP port 8028. A stack-based buffer overflow occurs during the parsing of long URIs to the 'nds' path.

Protection Overview
Users of VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W and users of InterSpect NGX are preemptively protected against this vulnerability. As part of security best practices, Web Intelligence limits the length of overly long URIs. The default values set for URI length protections will block this vulnerability.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information

 

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?

1. Define the host you need to protect as a Web server and set the port to 8028. For information on how to set the server to a port other than port 80, refer to CPSA-2005-13.
2. Make sure that the protection is activated: Click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes. The default values configured for this protection will block the vulnerability.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020004 URL length exceeded allowed maximum length in request

InterSpect NGX

How Can I Protect My Network?

1. Define the host you need to protect as a Web server and set the port to 8028. For information on how to set the server to a port other than port 80, refer to CPSA-2005-13.
2. Make sure that the protection is activated:

  • In the left pane, select Profiles > Default Protection and then select the Web Intelligence page of the profile.
  • Click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
    The default values configured for this protection will block the vulnerability.

3. Install security policy on all modules.

 

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020004 URL length exceeded allowed maximum length in request
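
For sites that also keep their own HTTP request logs, the same condition (an over-long URI sent to the 'nds' path on TCP port 8028) can be checked independently of the gateway. The following is an added example, not Check Point or Novell code; the log line format, the MAX_URI_LEN threshold and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

IMONITOR_PORT = 8028   # default iMonitor HTTP port named in the advisory
MAX_URI_LEN = 2048     # ASSUMPTION: site-chosen threshold, not a Check Point default

# ASSUMPTION: one request per line as "<time> <src_ip> <dst_ip>:<dst_port> <METHOD> <URI>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<uri>\S+)$"
)

def request_path(uri):
    """Path of an origin-form ("/nds/...") or absolute-form ("http://host/nds/...") target."""
    if "://" in uri.split("?", 1)[0]:
        uri = "/" + uri.split("://", 1)[1].partition("/")[2]
    return uri.split("?", 1)[0]

def scan(lines, max_len=MAX_URI_LEN):
    """Return one finding per over-long request to the 'nds' path on port 8028."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if m is None or int(m["port"]) != IMONITOR_PORT:
            continue  # unparseable line, or traffic to another service
        uri = m["uri"]
        if len(uri) > max_len and request_path(uri).lower().startswith("/nds"):
            findings.append({"line": lineno, "ts": m["ts"], "src": m["src"],
                             "dst": m["dst"], "uri_len": len(uri)})
    return findings

def by_source(findings):
    """Count findings per source address, to see who is sending the long URIs."""
    return dict(Counter(f["src"] for f in findings))

# Constructed sample input (documentation-range addresses, harmless filler).
FILLER = "x" * 4000
SAMPLE_LOG = [
    "2006-06-01T10:00:01Z 198.51.100.7 192.0.2.10:8028 GET /nds",
    "2006-06-01T10:00:05Z 198.51.100.9 192.0.2.10:8028 GET /nds/" + FILLER,
    "2006-06-01T10:00:06Z 198.51.100.9 192.0.2.10:80 GET /index.html?q=" + FILLER,
    "2006-06-01T10:00:07Z 198.51.100.9 192.0.2.10:8028 GET http://192.0.2.10:8028/NDS/" + FILLER,
    "garbage line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(by_source(scan(SAMPLE_LOG)))
```

Only the second and fourth sample lines are reported: the first is a short request, the third is long but goes to another port, and the last does not parse.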