=====================================================================
                             CERT-Renater

                 Information Note No. 2009/VULN397
_____________________________________________________________________

DATE                 : 01/10/2009

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Novell NetWare versions 6.x.

======================================================================
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5059201.html
______________________________________________________________________

This document (5059201) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

This patch does not supersede any other patches.

patches that supersede this patch

This patch is not superseded by any other patches.

patch attributes

Architecture: x86
Security patch: Yes
Priority: Mandatory
Distribution Type: Public

http://download.novell.com/Download?buildid=DNxmXuyVPuY~

document

Revision: 1
Document ID: 5059201
Creation Date: 2009-09-29 11:51:41

abstract

This download contains an updated portmapper (PKERNEL.NLM) to correct a security vulnerability in the RPC function known as CALLIT. PKERNEL is loaded on all default NetWare 6.5 systems, as it is used as part of the Native File Access methods. Therefore, it is recommended that this update be placed on all NetWare systems. However, if NFS (aka Native File Access for Unix) is not needed, it is also possible to avoid this vulnerability by remarking out NFSSTART.NCF from AUTOEXEC.NCF and rebooting.

Also contained is an updated NFS Server (XNFS.NLM) for NetWare 6.5 SP8 which corrects an error in permissions evaluation during a move (mv) operation from an NFS client.

details

Overview:

System Requirements:

This update is designed to be used on top of NetWare 6.5 SP8. It is expected that this can be used on top of NetWare 6.5 SP6 and SP7 as well, but this has not been tested.

Installation:

1. Rename (or save elsewhere) the existing SYS:SYSTEM\XNFS.NLM and SYS:SYSTEM\PKERNEL.NLM
2. Copy the enclosed XNFS.NLM and PKERNEL.NLM to SYS:SYSTEM.
3. There are a number of modules that may need to be unloaded to get the new modules into place. Therefore, a reboot is the simplest way to get the new files into effect. However, if a reboot is not desired, the following can be executed at the system console:

   UNLOAD NWFTPD    #(if NetWare FTP is installed)
   GYSTOP           #(if NFS Gateway is installed)
   NFSSTOP
   UNLOAD PKERNEL   #(it may already have been unloaded by this point)
   NFSSTART
   GYSTART          #(if NFS Gateway needs to be loaded)
   FTPSTART         #(if NetWare FTP needs to be loaded)

Uninstalling:

Delete the new SYS:SYSTEM\XNFS.NLM and PKERNEL.NLM and put back the copies that were saved in Installation step #1. Then perform Installation step #3.

Technical Support Information:

Fix for Bugzilla 511420 - XNFS can't mv a file to another directory, even when adequate permissions exist.

Fix for Bugzilla 515804 - PKERNEL potential buffer overflow in RPC CALLIT function. See Security Fix section below for more details.

security fixes

Bugzilla 515804

CVE number is pending.

This vulnerability allows PKERNEL.NLM's stack buffer to be exceeded, potentially resulting in processor faults, abends, or execution of arbitrary code (for example, due to corrupted code pointers in the stack). Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of CALLIT RPC calls. The vulnerable daemon explicitly trusts a length field when receiving data which is later copied into a stack buffer, potentially resulting in a stack overflow. Successful exploitation of this vulnerability could theoretically lead to remote code execution under the context of the daemon.

The specific code containing the vulnerability is the implementation of the CALLIT RPC call located in PKERNEL.NLM. The CALLIT RPC call is responsible for forwarding requests to the actual service that it is queried for.
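
The length validation that the CALLIT description above implies, as an added C example; it is not Novell's PKERNEL code. It decodes the standard portmapper CALLIT arguments (program, version, procedure, then a length-prefixed opaque block) and refuses a declared length that exceeds either the destination buffer or the bytes actually received. ARGS_MAX, the struct, the function names and the sample packets are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARGS_MAX 256 /* assumed capacity of the forwarding buffer */
enum { CALLIT_OK = 0, CALLIT_SHORT = -1, CALLIT_TOO_BIG = -2, CALLIT_TRUNCATED = -3 };
struct callit_args { /* program, version, procedure, opaque args<> */
    uint32_t prog, vers, proc, args_len;
    uint8_t args[ARGS_MAX];
};

static uint32_t get_u32(const uint8_t *p) /* XDR integers are big-endian */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode CALLIT arguments from the len bytes actually received. */
int parse_callit(const uint8_t *pkt, size_t len, struct callit_args *out)
{
    if (len < 16)
        return CALLIT_SHORT; /* fixed-size fields incomplete */
    uint32_t declared = get_u32(pkt + 12); /* sender-controlled, untrusted */
    if (declared > ARGS_MAX)
        return CALLIT_TOO_BIG; /* would overrun the destination */
    if (((declared + 3u) & ~3u) > len - 16)
        return CALLIT_TRUNCATED; /* claims more than was received (XDR pads to 4) */
    out->prog = get_u32(pkt);
    out->vers = get_u32(pkt + 4);
    out->proc = get_u32(pkt + 8);
    out->args_len = declared;
    memcpy(out->args, pkt + 16, declared);
    return CALLIT_OK;
}

/* Constructed sample: fields declare `declared` bytes, `sent` bytes follow. */
int demo(uint32_t declared, size_t sent)
{
    uint8_t pkt[16 + 512] = {0}; /* prog/vers/proc left as zero placeholders */
    struct callit_args a;
    for (int i = 0; i < 4; i++)
        pkt[12 + i] = (uint8_t)(declared >> (24 - 8 * i));
    return parse_callit(pkt, 16 + (sent > 512 ? 512 : sent), &a);
}

int main(void)
{
    printf("%d %d %d\n", demo(8, 8), demo(4096, 8), demo(64, 8));
    return 0;
}
```

Both checks are needed: the first protects the fixed-size destination, the second stops the copy from reading past the received datagram.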

This vulnerability was discovered by Nick DeBaggis working with TippingPoint's Zero Day Initiative. ZDI-CAN-497.

file contents

Compressed File Name: xnfs8a.zip

Files Included         Size                  Date
xnfs8a/pkernel.nlm     183.4 KB (187886)     2009-08-12 16:00:20
xnfs8a/xnfs.nlm        205.3 KB (210284)     2009-07-07 16:20:38
readme_5059201.html    N/A                   2009-09-29 11:54:55
readme.html            N/A                   2009-09-29 11:54:55

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.

Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business.

*All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44           +
+ 151 bd de l'Hopital | fax  : 01-53-94-20-41           +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================