ISS X-Force Database: netware-nile-weak-encryption(25381): Novell NetWare NILE.NLM SSL weak encryption

Novell NetWare NILE.NLM SSL weak encryption

netware-nile-weak-encryption (25381)

Low Risk

Description:

Novell Open Enterprise Server (OES) and Novell NetWare supports weak ciphers and encryption algorithms for Secure Sockets Layer (SSL) handshakes, caused by a vulnerability in NILE.NLM. This would result in a loss of data integrity by allowing remote attackers to use man-in-the-middle techniques to recover sensitive information transmitted over SSL.

Note: This issue also affects the LDAPS module in Novell eDirectory, which uses port 636 for SSL communication.

Consequences:

Obtain Information

Remedy:

For Novell Open Enterprise Server and Novell NetWare:
Apply the patch for this vulnerability, as listed in Novell Technical Information Document TID10100633. See References.

For Novell eDirectory:
Refer to Novell Technical Information Document TID10100858 for patch or upgrade information. See References.

References:

Novell Technical Information Document TID10100633: SSL Allows the use of Weak Ciphers.
Novell Technical Information Document TID10100858: SSL allows the use of weak ciphers - LDAPS.
BID-17176: Novell SSL Server Multiple Vulnerabilities
CVE-2006-0998: The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) sometimes selects a weak cipher instead of an available stronger cipher, which makes it easier for remote attackers to sniff and decrypt an SSL protected session.
OSVDB ID: 24047: Novell NetWare NILE.NLM SSL Server Unspecified Weak Encryption Support
SA19324: Novell NetWare NILE.NLM SSL Negotiation Vulnerabilities
SECTRACK ID: 1015799: NetWare NILE.NLM May Use a Weak Encryption Algorithm or Cleartext via the SSL Port
VUPEN/ADV-2006-1043: Novell NetWare NILE.NLM SSL Negotiation Weak Encryption Vulnerabilities

Platforms Affected:

Novell NetWare 6.5 SP1.1a
Novell NetWare 6.5 SP1.1b
Novell NetWare 6.5 SP1
Novell NetWare 6.5 SP4
Novell NetWare 6.5
Novell NetWare 6.5 SP2
Novell NetWare 6.5 SP3
Novell Open Enterprise Server

Reported:

Mar 03, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page