Update for Novell ZENworks closes critical security holes
Novell has released an update for ZENworks Asset Management, a management and administration solution. The update is intended to remove buffer overflows in the task server, collection server and collection client. According to reports from iDefense, attackers could use specially crafted packets to trigger the buffer overflows remotely and execute malicious code. On Windows systems the code then runs in the SYSTEM context, on Unix as root.
All three vulnerabilities are based on a bug in the Msg.dll library as found in Novell ZENworks 7 Asset Management Support Pack 1 Interim Release 10 and prior versions. The collection client is statically linked against that library as well, meaning that the bug is also present in CClient.exe, iDefense reports. The interim release SP1 IR11 fixes the bug.
- Novell ZENworks Asset Management Msg.dll Heap Overflow Vulnerability, bug description by iDefense
- Novell ZENworks Asset Management Collection Client Heap Overflow Vulnerability, bug description by iDefense