Novell NetWare NILE.NLM cleartext SSL communications

netware-nile-ssl-cleartext (25380) The risk level is classified as LowLow Risk

Description:

Novell Open Enterprise Server (OES) and Novell NetWare could allow cleartext Secure Sockets Layer (SSL) communication over TCP port 443, caused by a vulnerability in NILE.NLM. This would result in a loss of data integrity by allowing remote attackers to use man-in-the-middle techniques to recover sensitive information transmitted over SSL.


Consequences:

Obtain Information

Remedy:

Apply the patch for this vulnerability, as listed in Novell Technical Information Document TID10100633. See References.

References:

  • Novell Technical Information Document TID10100633: SSL Allows the use of Weak Ciphers.
  • BID-17176: Novell SSL Server Multiple Vulnerabilities
  • CVE-2006-0997: The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) permits encryption with a NULL key, which results in cleartext communication that allows remote attackers to read an SSL protected session by sniffing network traffic.
  • OSVDB ID: 24046: Novell NetWare NILE.NLM SSL Server Cleartext Communication Disclosure
  • SA19324: Novell NetWare NILE.NLM SSL Negotiation Vulnerabilities
  • SECTRACK ID: 1015799: NetWare NILE.NLM May Use a Weak Encryption Algorithm or Cleartext via the SSL Port
  • VUPEN/ADV-2006-1043: Novell NetWare NILE.NLM SSL Negotiation Weak Encryption Vulnerabilities

Platforms Affected:

  • Novell NetWare 6.5
  • Novell Open Enterprise Server

Reported:

Mar 03, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page