=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN285
_____________________________________________________________________

DATE                      : 05/08/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Novell ZENworks.

======================================================================
http://www.novell.com/support/viewContent.do?externalId=7006557&sliceId=1
______________________________________________________________________

Security vulnerability with Remote Management password authentication

This document (7006557) is provided subject to the disclaimer at the end
of this document.


Environment
Novell ZENworks for Servers 3.0.2 - ZfS3.0.2
Novell ZENworks 7 Server Management Support Pack 1 - ZSM7 SP1
Novell ZENworks for Desktops 4 - ZfD4 Remote Management
Novell ZENworks for Desktops 4.0.1 - ZfD4.0.1 Remote Management
Novell ZENworks 7 Desktop Management Support Pack 1 - ZDM7 SP1 Remote Management


Situation
A hacker can reuse the Remote Management password information on the
local managed device to authenticate into a remote session on another
managed device when both the managed devices are configured with the
same Remote Management password.


Resolution

Recommendation:
1. Disable password mode of authentication in the Remote Management policy,
if it's not being used. The property is disabled by default in the policy.
2. Distribute a common password via NAL or TED only in a trusted environment.


Status
Security Alert


Additional Information

The following conditions must be fulfilled for the hacker to carry out the attack:
1. Both the managed devices must be configured with the same password.
Note: This may be common when a password is distributed to managed devices via
NAL in case of ZDM 7.x and ZfD 4.x, and via TED in case of ZSM 7.x and ZfS 3.x.
2. The hacker must have access to a managed device configured with the
Remote Management password.
3. The hacker needs to have knowledge of the protocol used for
Remote Management password authentication.

Note:
1. A hacker cannot reuse the Remote Management password on a managed
workstation to authenticate into a remote session on a managed server,
and vice-versa.
2. A hacker cannot exploit the vulnerability when the password mode
of authentication is disabled on the target managed device.
3. A hacker cannot exploit the vulnerability when the passwords do
not match on the local and target managed device.

This vulnerability was discovered by ab, working with
TippingPoint's Zero Day Initiative: TippingPoint ZDI-CAN-750


Document
Document ID:	7006557
Creation Date:	08-03-2010
Modified Date:	08-04-2010
Novell Product:	ZENworks Desktop Management
Novell Product:	ZENworks Server Management


Disclaimer

The Origin of this information may be internal or external to Novell.
Novell makes all reasonable efforts to verify this information. However,
the information provided in this document is for your information only.
Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark information.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

