_______________________________________________________

       The Computer Incident Advisory Capability
                        CIAC
_______________________________________________________

                 Information Bulletin

      Novell NetWare Access Rights Vulnerability

OCT 14, 1992 0900 PDT                                       Number D-01
________________________________________________________________________

PROBLEM:   A vulnerability has been discovered which may allow any
           Novell NetWare user to obtain unauthorized privileges
PLATFORM:  PC/MS-DOS with Novell NetWare 3.x, 2.x, and NetWare for UNIX
DAMAGE:    Compromise of server integrity
SOLUTION:  Obtain and apply software enhancements available from
           Novell; prudent NetWare administration
________________________________________________________________________

Critical Facts about the Novell NetWare Access Rights Vulnerability

CIAC has learned of a network security threat that allows any Novell
user, equipped with a special program, to gain the access rights
assignable by any other user currently attached to the server. This
vulnerability affects NetWare 3.x, NetWare 2.x, and NetWare for Unix.

CIAC recommends that you obtain the Phase I security enhancements as
soon as they are available. They are scheduled to be released by Novell
by the end of October. NetWare 3.x and 2.x customers will be able to
obtain the enhancements via anonymous ftp from ftp.IS.Sandy.Novell.COM
(137.65.12.2) as well as via NetWire (Compuserve) and NetWare Express
(GE Information Services). NetWare for Unix customers should contact
the NetWare for Unix partner who provided them the software. Help is
available from the Novell customer information line 1-800-NETWARE.

As a general precaution, and as an interim measure until the Phase I
patches are released, Novell recommends the following security
practices:

  * Use the NetWare utility "SECURITY" to detect insecure access
    points to the server.
  * Require passwords on all accounts.
  * Force periodic password changes.
  * Require unique passwords.
  * Limit access rights and security equivalences.
  * Limit concurrent connections.
  * Enforce login time restrictions.
  * Enforce login station restrictions.
  * Enable intruder detection.
  * Secure unattended workstations to avoid unauthorized use.

In addition, CIAC recommends that you minimize or eliminate supervisor
activity concurrent with non-privileged connections until Phase I is
available; and further recommends that you activate all applicable
NetWare security features and install the most recent versions of
system software, client software, and other patches.

Novell informs us that to their knowledge programs to exploit this
vulnerability have not yet been found outside laboratories; and the
technique used to create the security threat, known as packet spoofing
or packet forging, is inherent to all client-server architectures that
have not taken specific protective actions. CIAC believes that because
of the increasing publicity of this technique, the vulnerability could
soon be exploited by the hacker/cracker community.

CIAC would like to thank Novell for providing the security practices,
access information, and general support for our efforts concerning
this issue. We would also like to acknowledge the efforts of SURFnet
Computer Emergency Response Team CERT-NL for alerting us to this
situation.

For additional information or assistance, please contact CIAC at
(510) 422-8193 / FTS or send e-mail to ciac@llnl.gov. FAX messages to:
(510) 423-8002 / FTS.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response team,
DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.

======================================================================