             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\  /     \___
                          \___  __|__ /   \ \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Novell iChain Telnet Service Vulnerability

February 13, 2004 18:00 GMT                                       Number O-080
______________________________________________________________________________
PROBLEM:       The iChain server contains a vulnerability in its telnet
               service.
PLATFORM:      Novell iChain version 2.2 Field Patch 3a and prior.
DAMAGE:        If no telnet password has been set, a remote attacker can
               connect and supply any string as the password to obtain
               unauthorized access.
SOLUTION:      Install the security patch (iChain 2.2 Field Patch 3b), then
               disable the telnet listener or set a telnet password.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The telnet server is enabled by default,
ASSESSMENT:    and prior to this patch it cannot be disabled.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-080.shtml
 ORIGINAL BULLETIN:  http://www.novell.com/products/ichain/
______________________________________________________________________________

[****** Start Novell Bulletin ******]

iChain 2.2 Field Patch 3b - TID2968107 (last modified 06FEB2004)

associated file
Click filename to download: ic22fp3b.exe; 11543825 bytes;
Date/Time: 02-05-2004/03:12PM

abstract
iChain 2.2 Field Patch 3b version 2.2.116

This file contains updates for services contained in the iChain 2.2 product.
The purpose of the patch is to provide a bundle of enhancements and fixes for
issues that have surfaced since iChain 2.2 Support Pack 2 was released. It is
not recommended to install individual files from the patch. IC22SP2.EXE is
not a prerequisite; IC22FP3b.EXE includes all fixes since iChain 2.2 shipped.

installation
Recommendations: Prior to placing ic22fp3b.exe in a production environment,
test in an environment that mirrors the production environment.
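The assessment above turns on one fact: the appliance answers on TCP port 23 whether or not anyone configured telnet. The following Python probe is an added example (not Novell or CIAC code) that a workstation can run against an appliance before and after the patch to confirm the listener is actually gone. Host addresses are placeholders; the stub listener and its banner are constructed stand-ins for the appliance so the script runs offline, and a real appliance's banner is not documented here.

```python
"""Probe whether an iChain appliance still exposes its telnet listener (TCP/23).

Added example, not Novell or CIAC code. start_stub_listener() is a constructed
stand-in for the appliance's always-on telnet service so the check can be
exercised offline; point audit() at real appliance addresses to use it for real.
"""
import socket
import threading

TELNET_PORT = 23
# Constructed banner for the stub; the real appliance's banner is not known here.
STUB_BANNER = b"stub telnet service\r\n"


def probe_telnet(host, port=TELNET_PORT, timeout=3.0):
    """Return (reachable, banner) for host:port.

    reachable is True if a TCP listener accepted the connection; banner is
    whatever the service sent before the read timeout (b"" if nothing).
    An appliance patched and configured with 'set listener telnet enable=NO'
    is expected to refuse the connection, giving (False, b"").
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""
            return True, banner
    except OSError:  # refused, unreachable, or connect timeout
        return False, b""


def audit(hosts, port=TELNET_PORT, timeout=3.0):
    """Map each host to 'EXPOSED' (telnet listener answers) or 'closed'."""
    result = {}
    for host in hosts:
        reachable, _ = probe_telnet(host, port, timeout)
        result[host] = "EXPOSED" if reachable else "closed"
    return result


def start_stub_listener(host="127.0.0.1"):
    """Start a throwaway listener that mimics an always-on telnet service.

    Returns (port, stop). Calling stop() closes the listener, which is the
    offline equivalent of disabling telnet on the appliance.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    stop_flag = threading.Event()

    def serve():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(STUB_BANNER)
        srv.close()  # closed from the serving thread, so no in-flight accept keeps it alive

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def stop():
        stop_flag.set()
        thread.join()

    return port, stop


if __name__ == "__main__":
    port, stop = start_stub_listener()
    print("before disabling:", audit(["127.0.0.1"], port))
    stop()
    print("after disabling: ", audit(["127.0.0.1"], port))
```

A "closed" result only shows that nothing accepts connections on the port from where the probe runs; an upstream filter can produce the same answer, so confirm the setting with `get listener` on the appliance as well.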
ic22fp3b.exe is a self-extracting file that will extract into three files:
ichain22fp3b.zip, ichain22fp3b.txt and ic22fp3b.txt.

  ichain22fp3b.zip is the OTWUG (Over The Wire Upgrade).
  ichain22fp3b.txt is the installation file for the OTWUG.
  ic22fp3b.txt is the readme for the patch.

Installing ic22fp3b.exe

1) Special notes for this OTWUG:

   a. NCPIP.NLM Has Been Renamed
      For security reasons, C:/NWSERVER/NCPIP.NLM was renamed to NCPIP.OLD.
      If login to the iChain server is desired, NCPIP.NLM will have to be
      renamed back to the original file name after the OTWUG completes.

   b. OAC.PROPERTIES Is Updated
      When you install this support pack, any OLAC custom plug-ins will be
      overwritten. To avoid this issue, back up your oac.properties file
      before installing this support pack, then copy the file back over once
      the support pack is successfully installed. If you have not modified
      the file previously, skip this step.

   c. APPSTART.NCF Is Updated
      Make note of any customized load lines in appstart.ncf prior to
      applying the patch. Do NOT include "load logevent" and "load lcache"
      if they appear in your current file. If "load logevent" and
      "load lcache" are in appstart.ncf, you might encounter the following
      abend:

        Abend on P00: SERVER-5.60-8716: Thread performed Illegal recursive
        LOADER operation when current LOADER state is non-recursive
        OS version: Novell NetWare 5.60.02 July 10, 2002
        ...Debug symbols are enabled!
        Running Process: Server 03 Process
        Stack: 16 20 E3 FC E0 02 04 D0 01 00 00 00 5E 9B E0 FC FC 65 8F D0
               61 17 0B FC 4C 6F 61 64 69 6E 67 20 4D 6F 64 75 6C 65 20 4C
               43 41 43 48 45 2E 4E 4C

   d. MESSAGES.CFG will be updated

2) Back up all configuration files and third-party certificates.

   a. If the iChain server has a cloned drive (multiple drives), a clone
      update should be performed prior to the upgrade, or
   b. Export CURRENT.NAS, TUNE.NCF, APPSTART.NCF, MESSAGES.CFG (if
      customized), any third-party certificates, and any other customized
      login pages or files to floppy for backup purposes. Remove the floppy.

3) Copy ichain22fp3b.zip and ichain22fp3b.txt to a directory on a Web server
   that can be accessed by the iChain appliance and by a workstation that
   will run the iChain Appliance Configuration GUI.

4) Temporarily disable all accelerators or block public traffic.

5) If "Allow administration from specified clients" has been configured, add
   the IP address of the iChain server to the list.

6) Modify the URL line in the ichain22fp3b.txt file so that it contains the
   appropriate path/URL to the ichain22fp3b.zip file.
   Example: If the zip file was placed at the default/root directory of a
   Web server with the IP address 10.10.10.1, then change
     url=http://** location**/ichain22fp3b.zip
   to
     url=http://10.10.10.1/ichain22fp3b.zip

7) In the Appliance Configuration GUI under System | Upgrade | Install from
   URL, enter the matching URL to the .txt file. Using the example above:
   http://10.10.10.1/ichain22fp3b.txt
   NOTE: Point to the .txt installation file, not the .zip file.

8) Check the "Enable download" and "Enable install" boxes.

9) Specify times to begin the download and install.

10) Click on "Apply".

issue
Fixes/Enhancements in this release:

1) Security Alerts
   A) Added option to disable Telnet listener on TCP port 23.
      Syntax:
        To display settings use:  get listener
        To change settings use:   set listener telnet enable=YES|NO
      Note: telnet is enabled by default, and if no password is set it will
      accept anything as a password. After applying the patch, either
      disable the listener with "set listener telnet enable=NO" or set a
      telnet password; leaving the default in place leaves the appliance
      exposed.
2) Added an Evaluation License Reset function. Call Novell Technical Support
   and reference internal TID 10090910 for instructions and unlock code.
3) Removed need to do "Apply" after refreshcredentials.
4) Fixed Abend: Page fault abend Proxy.nlm|url_encode+1A.
5) Fixed possible "trap" to debugger when using Mutual Authentication.
   Trap was at SSLReceiveCaughtUpCheckForFIN: sslReceiveCaughtUp

Fixes/Enhancements included from ic22fp3a version 2.2.115:

1) Security Alerts
   A) Fixed Cross Site Scripting vulnerability.
      - The "url=" login parameter was vulnerable to XSS.
   B) Added the ability to enable the secure bit on cookies.
      - Edit APPSTART.NCF to load PROXY.NLM with the -cs switch.
        Syntax: load proxy -cs
      - All accelerators must have secure exchange enabled to utilize this
        feature (a Secure cookie is never sent over plain HTTP, so any
        accelerator still serving HTTP would lose the session cookie).
2) Cannot authenticate to iChain when POST credentials are split between
   multiple TCP segments.
3) Fix use of Cookie domain in "load balance at session level" ServerID
   cookie.
4) Now allow the following files to be cached on login pages: .js, .jpg,
   .jpeg and .png.
5) Additional fixes for issue where secondary IP addresses may disappear
   after an apply. Also see TID 10090474 for configuration specifics that
   will help with this issue.
6) Update TCPIP stack to current PUBLIC release: Version 6.07.12
   December 19, 2003.
7) Failed login with basic authentication will now redirect user to the
   iChain login page.
8) Fixed delay in downloading large cached files.
9) Could not authenticate to iChain when POST credentials were split between
   multiple TCP segments.
10) "Return error if host name sent by browser does not match above DNS
    name." was not working.
11) Updated MESSAGES.CFG with more detailed instructions for editing error
    messages.
12) Removed 6 unneeded files/file copies from OTWUG.
13) Includes updated NPKIT.NLM and NPKIAPI.NLM version 2.72 that enables the
    capability to turn off Certificate Revocation List checking.
    Syntax at Command Line Interface (CLI):
      set authentication ssl mutual disablerevocationchecks = (YES|NO)
    Note: with revocation checks disabled, a revoked client certificate is
    still accepted for mutual authentication; treat YES as a temporary
    workaround, not a permanent setting.

Fixes/Enhancements included from ic22fp3 (Since IC22SP2):

1) Abend: EIP in PROXY.NLM at code start +0001FE68h.
2) Abend after applying ic22sp2 if authentication tree name began with a "T".
3) Abend in Internal Rewriter (PROXY.NLM at code start +0009EE38).
4) iChain Administration GUI did not properly identify an expired
   certificate.
5) CPQJNI.NLM should not load on non-Compaq servers.
6) iChain was sending two separate connection headers in GET request.
7) Authentication credentials might get passed through OLAC if LDAP server
   fails after user authenticates.
8) Added reverse logic for the OCSP verify root CA field.
9) Fixed problem where LDAP Authentication would loop when being redirected
   from secure to non-secure page when Session Broker is enabled; caused by
   LDAP timeouts at startup.
10) Removed chkflop call.
11) Fixed issues with secondary IP addresses disappearing.

Known Issues:
Users coming in through Mutual SSL Authentication may get a certificate
error if they try to hit the site while their userid is in the 0 TTL state.
During the 0 TTL state a user's session has timed out but there is a maximum
60 second window where the userid is still registered with the IAGENT
database.

Updated Module List
(date, time, size in bytes, file name)

05/15/2003 10:00a         43  1px_spacer.gif
02/04/2004 05:59p     41,130  acfilter.nlm
02/04/2004 05:56p    149,539  aclcheck.nlm
08/13/2003 02:33p        104  appboot.ncf
08/13/2003 02:34p        611  appcopy.ncf
02/04/2004 06:28p     55,263  appjni.nlm
08/28/2003 04:36p        572  appstart.ncf
06/04/2003 12:25p      2,293  autoexec.ncf
02/04/2004 06:28p     69,894  autovol.nlm
07/28/2003 08:14p    107,403  bsdsock.nlm
05/15/2003 10:00a        354  btnlogin_en.gif
01/11/2002 02:28p        372  btnreset_en.gif
02/04/2004 01:13p          7  buildver.txt
02/04/2004 06:00p     70,503  caconfig.nlm
06/10/2003 06:00p      3,832  calogldp.sim
06/13/2003 12:25a      1,308  calogldp.wml
06/10/2003 06:00p      3,725  caloglfn.sim
06/13/2003 12:24a      1,274  caloglfn.wml
06/10/2003 06:00p      3,655  caloglma.sim
06/13/2003 12:22a      1,266  caloglma.wml
06/10/2003 06:00p      3,704  caloglnc.sim
06/13/2003 12:21a      1,302  caloglnc.wml
06/13/2003 12:20a      3,094  calogout.sim
06/13/2003 12:18a        847  calogout.wml
06/10/2003 06:00p      3,766  calograd.sim
06/13/2003 12:20a      1,414  calograd.wml
02/04/2004 06:04p      8,112  capatch.nlm
10/09/2003 12:52p    133,758  ccs.xlm
02/04/2004 06:28p    434,446  certmaint.jar
02/04/2004 06:28p  1,543,389  client.jar
01/22/2004 08:46a      1,968  command.nas
03/12/2003 09:05a    183,486  dbnet6.nlm
10/09/2003 12:52p    464,166  domxeng.xlm
05/23/2003 02:11p         41  dsoffset.ncf
05/19/2003 05:23p      3,588  edir_h1_ppc.gif
02/04/2004 06:28p    494,369  extend.jar
06/18/2003 01:47p      8,110  factory.nas
11/20/2003 05:12p  4,201,184  iChainAdminGuide.pdf
08/04/2003 02:02p        156  icsinfo.txt
02/04/2004 06:28p     19,634  images.jar
05/27/2003 11:03a      1,692  index.htm
02/04/2004 11:05a      6,039  install.nas
09/24/2003 02:29p      1,077  int.der
06/17/2002 01:58p     14,739  jstcp.old
06/20/2003 05:11a    486,525  lcache.nlm
11/14/2003 06:15a    164,436  ldapsdk.nlm
11/14/2003 06:15a    532,812  ldapssl.nlm
11/14/2003 06:15a     31,964  ldapx.nlm
11/14/2003 06:22a    164,656  lldapsdk.nlm
06/30/2003 01:47p    491,356  logevent.nlm
01/26/2004 12:11p     50,005  messages.cfg
03/18/2003 12:35p      3,023  nbmalert.msg
03/19/2003 12:39p     38,975  nbmalert.nlm
06/06/2002 06:01p     57,709  ncpip.old
10/09/2003 12:52p     57,286  nicisdi.xlm
02/04/2004 06:06p    228,247  nile.nlm
10/09/2003 12:52p    464,166  Novxeng.xlm
01/27/2004 06:06p    296,010  npkiapi.nlm
01/27/2004 05:26p    224,491  npkit.nlm
12/16/2003 09:51a     63,221  nssldp.nlm
12/16/2003 09:51a     32,802  nsss.nlm
04/28/2003 05:34p    788,628  ntls.nlm
07/17/2002 05:04p    458,058  nwconfig.old
02/04/2004 06:28p     39,556  nwimage.nlm
02/04/2004 06:06p     62,226  nwutil.nlm
05/14/2003 12:25p     92,438  oac.jar
06/18/2003 11:09a        210  oac.properties
02/04/2004 06:02p      8,225  Oacint.nlm
02/04/2004 06:06p      6,765  persist.nlm
01/28/2004 10:47a    853,103  pki.nlm
10/22/2003 10:25a    273,260  pkiapi.nlm
10/13/2003 03:36p    105,457  PKTSCAN.NLM
08/01/2003 01:50p      5,113  proxy.msg
02/04/2004 06:14p  1,318,068  proxy.nlm
02/04/2004 06:14p     33,679  proxycfg.nlm
02/04/2004 06:14p     39,257  radchk.nlm
01/13/2003 09:46a     88,156  rdbhost.nlm
11/20/2003 04:11p     62,401  readme.txt
05/23/2003 09:14a        189  RestoreFromClones.NCF
02/04/2004 06:14p      9,868  rewrite.nlm
10/09/2003 12:52p     25,095  sasdfm.xlm
02/04/2004 06:14p     47,319  sb.nlm
02/04/2004 06:28p    428,412  server.jar
02/04/2004 06:28p     19,824  SetSrvIP.nlm
08/13/2003 02:34p        221  slpoff.ncf
08/13/2003 02:35p        221  slpon.ncf
02/04/2004 06:14p     78,271  sso.nlm
09/04/2003 03:21p        876  stop.ncf
09/12/2003 05:33p    745,405  tcp.nlm
12/19/2003 01:06p    562,979  tcpip.nlm
02/13/2002 10:31a    169,124  Toolbox.nlm
05/23/2003 09:15a        186  UpdateClones.NCF
11/20/2003 01:44p     25,703  whatsnew.txt
10/09/2003 12:52p    157,944  xim.xlm
10/09/2003 12:52p    205,691  xmgr.xlm
10/09/2003 12:52p    179,644  xsup.xlm
02/04/2004 06:14p     29,499  zlib.nlm
                  97 File(s)  18,355,984 bytes

contents
Self-Extracting File Name: ic22fp3b.exe

Files Included        Size      Date        Time     Version  Checksum
\
  IC22FP3B.TXT        14185     02-05-2004  03:11PM
\ic22fp3b
  ICHAIN22FP3B.TXT    116       02-05-2004  02:08PM
  ICHAIN22FP3B.ZIP    11448014  02-05-2004  02:07PM

Document Title:             iChain 2.2 Field Patch 3b
Document ID:                2968107
Creation Date:              05FEB2004
Modified Date:              06FEB2004
Document Revision:          1
Novell Product Class:       Connectivity Products
Novell Product and Version: iChain

Disclaimer
The origin of this information may be internal or external to Novell. Novell
makes all reasonable efforts to verify this information. However, the
information provided in this document is for your information only. Novell
makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark
information.

[****** End Novell Bulletin ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Novell for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-070: Sun Basic Security Module (BSM) Vulnerability
O-071: Debian kernel-patch-2.4.17-mips Integer Overflow
O-072: Check Point FireWall-1 HTTP Security Server Vulnerability
O-073: Check Point VPN-1 Server and VPN Client Buffer Overflow Vulnerability
O-074: Red Hat Cross-site Scripting Vulnerability in Mailman Package
O-075: RealPlayer / RealOne Player Buffer Overrun Vulnerabilities
O-076: MS Vulnerability in Virtual PC for Mac
O-077: MS Vulnerability in the Windows Internet Naming Service (WINS)
O-078: Samba - Unauthorized Access to SMB Accounts
O-079: SGI - Userland Binary Vulnerabilities