Source: cve@mitre.org
Novell NetWare 5.1 installs sample applications that allow remote attackers to obtain sensitive information via (1) ndsobj.nlm, (2) allfield.jse, (3) websinfo.bas, (4) ndslogin.pl, (5) volscgi.pl, (6) lancgi.pl, (7) test.jse, or (8) env.pl.
Novell NetWare 5.1 installs a set of sample web applications by default: Perl CGI scripts (ndslogin.pl, volscgi.pl, lancgi.pl, env.pl), BASIC (websinfo.bas) and JavaScript (allfield.jse, test.jse) samples, and an NLM-based CGI (ndsobj.nlm). These samples answer unauthenticated HTTP requests and echo back server-side information, so a remote attacker can use them to read NDS object details, server environment variables and network and volume configuration. The samples disclose information rather than grant access; the risk is that what they reveal (object and user names, directory structure, configuration details) supports the next stage of an attack against the server or the NDS tree.
Step 1: Reconnaissance: The attacker finds a NetWare 5.1 host, typically by port scanning (TCP 80 and 443 for the web server; an open NCP port, TCP 524, is a strong sign the host runs NetWare) and by reading the web server's banner to identify the product and version.
Step 2: Vulnerability Identification: The attacker requests the sample applications by name (ndsobj.nlm, allfield.jse, websinfo.bas, ndslogin.pl, volscgi.pl, lancgi.pl, test.jse, env.pl) under the web server's document and CGI directories. The exact paths depend on how the server was installed; a 200 response carrying script output confirms that a sample is live.
Step 3: Information Gathering: The attacker sends ordinary HTTP GET requests, with whatever query or form parameters each sample accepts, to make the scripts run. No special protocol is involved: ndsobj.nlm is invoked by the web server as a CGI-style module in response to an HTTP request, just like the Perl, BASIC and JavaScript samples.
Step 4: Data Extraction: Because the samples perform no authentication or access check, they run and return what they were written to display: NDS object and tree details, server environment variables, volume and LAN information, and web server configuration.
Step 5: Follow-on Attack: The attacker uses the gathered names, paths and configuration details to target the server and the NDS tree, for example by choosing accounts for password guessing or by locating other services to attack. The samples themselves do not grant privileges; any escalation comes from what is done with the information.
The vulnerability stems from the inclusion of several sample applications with NetWare 5.1 that lack access controls and, where they accept parameters, input validation. The samples are written in Perl (ndslogin.pl, volscgi.pl, lancgi.pl, env.pl), BASIC (websinfo.bas) and JavaScript (allfield.jse, test.jse), plus one NetWare Loadable Module (ndsobj.nlm), and they expose directory-service object details, environment variables, and network and volume configuration. The root cause is that demonstration code meant to show how the web server's scripting interfaces work was installed and reachable by default on production servers, with no authentication in front of it. Judging by their names, ndsobj.nlm queries Novell Directory Services (NDS) objects on behalf of an unauthenticated web client, env.pl dumps the CGI environment, and volscgi.pl and lancgi.pl report volume and LAN details; the advisory does not itemize exactly what each sample returns.
Given the age of the vulnerability and how little skill exploitation requires (a web browser is enough), any attacker who finds an exposed NetWare 5.1 web server can use it. No specific threat actors or APTs are publicly linked to this CVE, but the samples are the kind of low-effort information source that opportunistic scanners and initial-access attackers look for. This vulnerability is not listed on the CISA KEV.
Monitor HTTP traffic for requests whose file name is one of the sample applications (ndsobj.nlm, allfield.jse, websinfo.bas, ndslogin.pl, volscgi.pl, lancgi.pl, test.jse, env.pl), regardless of directory, after URL decoding and without regard to letter case, since the NetWare file system is case-insensitive.
Review the web server's access log for these names. Treat repeated requests from one source, requests for several of the eight names in quick succession, or unusual query strings on ndslogin.pl as probing; a 404 response still shows that someone was looking.
Review the web server's error log and the NetWare console log (SYS:ETC\CONSOLE.LOG when CONLOG.NLM is loaded) for CGI or NLM load errors that coincide with those requests.
After the samples have been removed, use file integrity monitoring of the web server's document and CGI directories to alert if any of the eight files reappear, for example after a reinstall or a support pack.
Network Intrusion Detection Systems (NIDS) should carry signatures for HTTP requests to the eight file names. Plain HTTP is easy to inspect; HTTPS traffic has to be decrypted at the server or a proxy for this to work.
NetWare does not run modern Endpoint Detection and Response (EDR) agents, so host-level visibility comes from the logs above and from network monitoring rather than from an endpoint agent.
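As an added example, not code from the original advisory or from Novell, the following Python script implements the log-review items above. It parses NCSA common-log-format access log lines, flags every request whose file name is one of the eight sample applications (matched case-insensitively and after URL decoding, since the NetWare file system ignores case and the web server accepts encoded names), records the response status so successful calls and mere probes can be told apart, and tallies hits per source address so repeated probing stands out. The log lines, the addresses and the /perl, /lcgi and /examples directories are constructed for the example, and the NetWare Enterprise Web Server is assumed to be writing NCSA common log format; adjust the regular expression if your access log looks different.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# The eight sample applications named in the advisory. Matching is on the
# final path component only, lower-cased and URL-decoded, because the
# NetWare file system and web server do not distinguish letter case and
# the samples may sit in different directories on different installs.
SAMPLE_APPS = frozenset({
    "ndsobj.nlm", "allfield.jse", "websinfo.bas", "ndslogin.pl",
    "volscgi.pl", "lancgi.pl", "test.jse", "env.pl",
})

# NCSA common log format. Assumption: the NetWare Enterprise Web Server is
# configured for this format (the default for Netscape-derived servers);
# adjust the pattern if your access log differs.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Constructed access-log lines for the example (addresses are documentation
# ranges; the /perl, /lcgi and /examples directories are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2001:10:02:11 -0500] "GET /index.html HTTP/1.0" 200 1532
192.0.2.77 - - [14/Mar/2001:10:05:43 -0500] "GET /perl/env.pl HTTP/1.0" 200 2210
192.0.2.77 - - [14/Mar/2001:10:05:44 -0500] "GET /perl/ndslogin.pl?user=admin HTTP/1.0" 200 980
192.0.2.77 - - [14/Mar/2001:10:05:46 -0500] "GET /lcgi/NDSOBJ.NLM HTTP/1.0" 200 4118
10.0.0.9 - - [14/Mar/2001:10:07:01 -0500] "GET /env.html HTTP/1.0" 404 305
198.51.100.3 - - [14/Mar/2001:10:09:15 -0500] "GET /examples/test%2Ejse HTTP/1.0" 404 310
this line is not in log format and is skipped
""".splitlines()


def parse_clf(line):
    """Split one common-log-format line into fields, or None if it does not parse."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def sample_app_name(target):
    """Return the sample-application file name a request targets, else None."""
    path = unquote(urlsplit(target).path)
    name = path.rsplit("/", 1)[-1].lower()
    return name if name in SAMPLE_APPS else None


def scan(lines, repeat_threshold=3):
    """Return (hits, per_host, repeat_offenders) for an iterable of log lines.

    hits lists every request for a sample application, successful or not:
    a 404 still shows the source was probing. per_host counts hits by client
    address, and repeat_offenders are the addresses at or above the threshold.
    """
    hits = []
    per_host = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        app = sample_app_name(rec["target"])
        if app is None:
            continue
        per_host[rec["host"]] += 1
        hits.append({"host": rec["host"], "time": rec["time"], "app": app,
                     "target": rec["target"], "status": rec["status"]})
    repeat_offenders = {h for h, n in per_host.items() if n >= repeat_threshold}
    return hits, per_host, repeat_offenders


if __name__ == "__main__":
    hits, per_host, offenders = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']}  {h['host']:<14} {h['status']}  {h['app']:<13} {h['target']}")
    for host in sorted(offenders):
        print(f"repeated probing from {host}: {per_host[host]} sample-app requests")
```

Run against a real access log, the script reads lines from the file instead of SAMPLE_LOG; the repeat threshold is deliberately low because a legitimate client has no reason to request any of these names even once after the samples have been removed.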
Upgrade: Every NetWare release is now past end of life, so there is no supported NetWare version to move to. The effective remediation is to migrate the services off NetWare (Novell's own migration path was Open Enterprise Server on Linux) and decommission the 5.1 server.
Remove Vulnerable Applications: Until the server is retired, delete the eight sample files from the web server's document and CGI directories and remove any directory mappings or script handlers in the web server configuration that point at them. Confirm the removal by requesting each name over HTTP and checking for a 404 or 403 rather than script output.
Implement Access Controls: Do not expose the NetWare web server to untrusted networks. Restrict access to it, and to the server's management ports, by firewall rule to the hosts that need it, and keep NDS accounts protected with strong passwords, since the information the samples disclose is mainly useful for targeting accounts.
Patching: Apply the latest Novell support pack and any web server updates available for NetWare 5.1, and check after installation that the sample files were not restored.
Network Segmentation: Isolate the NetWare server from other critical network segments to limit the impact of a successful compromise.
Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities.
Implement Web Application Firewall (WAF): If possible, deploy a WAF or reverse proxy in front of the server to block requests for the eight file names as an interim control. This only hides the samples from the network path the proxy covers, so removal of the files still has to follow.
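As an added example, not code from the original advisory or from Novell, the following Python script serves both Step 2 of the attack chain above (confirming that the sample applications answer on a server) and the removal step in this list (confirming that they no longer answer once the files and their web-server mappings are gone). It requests each of the eight file names under the directories you supply (the default is the web root, matching the advisory's own examples; the real directories on an install may differ and are an assumption here) and classifies the HTTP status without following redirects, so a redirect to a login page is reported as such rather than mistaken for removal. The address in the usage comment is a documentation address and must be replaced with the server under test; only probe systems you are authorized to assess.

```python
import sys
import urllib.error
import urllib.request

# The eight sample applications named in the advisory.
SAMPLE_APPS = ("ndsobj.nlm", "allfield.jse", "websinfo.bas", "ndslogin.pl",
               "volscgi.pl", "lancgi.pl", "test.jse", "env.pl")


def build_targets(base_url, prefixes=("",), names=SAMPLE_APPS):
    """Absolute URLs to request.

    prefixes are the web-server directories the samples live under on the
    install being checked. The default, the web root, follows the advisory's
    own examples; real installs may use other directories (assumption).
    """
    base = base_url.rstrip("/") + "/"
    targets = []
    for prefix in prefixes:
        directory = prefix.strip("/")
        for name in names:
            targets.append(base + (directory + "/" if directory else "") + name)
    return targets


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors instead of following them, so a
    redirect to a login page is not mistaken for a removed file."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch_status(url, timeout=5):
    """HTTP status code for url, or None if the server did not answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "sample-app-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 3xx, 4xx and 5xx all arrive here
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Verdict for one status code: only 'present' means the sample answered."""
    if status is None:
        return "unreachable"
    if 200 <= status < 300:
        return "present"
    if status in (401, 403):
        return "protected"       # blocked by configuration; acceptable interim state
    if status in (404, 410):
        return "absent"          # what removal should produce
    if 300 <= status < 400:
        return "redirect"        # inspect by hand; do not count as removed
    return "other"


def check(base_url, prefixes=("",), timeout=5):
    """Map each candidate URL to (status, verdict)."""
    results = {}
    for url in build_targets(base_url, prefixes):
        status = fetch_status(url, timeout)
        results[url] = (status, classify(status))
    return results


if __name__ == "__main__":
    # Usage: python check_samples.py http://198.51.100.10/ [/perl /lcgi ...]
    # 198.51.100.10 is a documentation address; replace it with the server under test.
    if len(sys.argv) < 2:
        sys.exit("usage: check_samples.py BASE_URL [DIRECTORY ...]")
    dirs = tuple(sys.argv[2:]) or ("",)
    findings = check(sys.argv[1], dirs)
    for url, (status, verdict) in findings.items():
        shown = status if status is not None else "---"
        print(f"{verdict:<12} {shown:>4} {url}")
    sys.exit(1 if any(v == "present" for _, v in findings.values()) else 0)
```

The exit status makes the script usable as a post-change gate: a non-zero exit means at least one sample still returns content and the removal is incomplete. Because the check only matches file names, pass every directory the install used for samples, not just the web root.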