In association with heise online

17 January 2013, 16:52

Novell closes critical hole in eDirectory


Novell has fixed a buffer overflow that allows attackers to take control of the server process, which runs with superuser privileges under Linux; the problem is remotely exploitable. The vulnerability was closed with the release of eDirectory 8.8 SP7 patch 2 6989 in December 2012, but the company has only now publicised this information.

David Klein reports on the Full Disclosure mailing list that the problem is apparently caused by a faulty implementation of the KeyedObjectLogin function. According to Klein, the bug is "trivially exploitable on Linux" due to the absence of a session cookie. As the software runs with root privileges, an attacker can gain full control of the eDirectory process.

eDirectory was formerly known as Novell Directory Services (NDS) and is an X.500-compatible directory service. The current version also supports the LDAPv3 protocol.

