ISS X-Force Database: netware-nile-forced-weak-encryption(25382): Novell NetWare NILE.NLM forced SSL weak encryption

Novell NetWare NILE.NLM forced SSL weak encryption

netware-nile-forced-weak-encryption (25382)

Low Risk

Description:

Novell Open Enterprise Server (OES) and Novell NetWare could be forced to use weak encryption for SSL communications, caused by a vulnerability in NILE.NLM. This would result in a loss of data integrity by allowing remote attackers to use man-in-the-middle techniques to recover sensitive information transmitted over SSL.

Note: This issue also affects the LDAPS module in Novell eDirectory, which uses port 636 for SSL communication.

Platforms Affected:

Novell, NetWare 6.5 SP1.1a
Novell, NetWare 6.5 SP1.1b
Novell, NetWare 6.5 SP1
Novell, NetWare 6.5 SP4
Novell, NetWare 6.5
Novell, NetWare 6.5 SP2
Novell, NetWare 6.5 SP3
Novell, Open Enterprise Server

Remedy:

For Novell Open Enterprise Server and Novell NetWare:
Apply the patch for this vulnerability, as listed in Novell Technical Information Document TID10100633. See References.

For Novell eDirectory:
Refer to Novell Technical Information Document TID10100858 for patch or upgrade information. See References.

Consequences:

Obtain Information

References:

Novell Technical Information Document TID10100633, SSL Allows the use of Weak Ciphers at http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm.
Novell Technical Information Document TID10100858, SSL allows the use of weak ciphers - LDAPS at http://support.novell.com/cgi-bin/search/searchtid.cgi?10100858.htm.
BID-17176: Novell SSL Server Multiple Vulnerabilities
CVE-2006-0999: The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) allows a client to force the server to use weak encryption by stating that a weak cipher is required for client compatibility, which might allow remote attackers to decrypt contents of an SSL protected session.
OSVDB ID: 24048: Novell NetWare NILE.NLM SSL Server Encryption Downgrade Weakness
SA19324: Novell NetWare NILE.NLM SSL Negotiation Vulnerabilities
SECTRACK ID: 1015799: NetWare NILE.NLM May Use a Weak Encryption Algorithm or Cleartext via the SSL Port
VUPEN/ADV-2006-1043: Novell NetWare NILE.NLM SSL Negotiation Weak Encryption Vulnerabilities

Reported:

Mar 03, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page