Info

Disclosure

Mar 17, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Novell NetWare and Novell Open Enterprise Server contains a flaw that may allow a malicious user to force server to negotiate a less secure SSL connection. The issue is triggered because SSL server implementation in NILE.NLM permits encryption with a NULL key, which results in cleartext communication. It is possible that the flaw may allow remote attackers to read an SSL protected session resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Cryptographic, Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, vendor has released a patch NILE65SP5A.EXE to address this vulnerability.

Products

Novell, Inc.	Novell NetWare	6.5 SP4
		6.5 SP3
		6.5 SP2
		6.5 SP1
		6.5
		SP1.1(a)
		SP1.1(b)
	Novell Open Enterprise Server	0

References

Security Tracker: 1015799
Bugtraq ID: 17176
Secunia Advisory ID: 19324
CVE ID: 2006-0997 (see also: NVD)
SCIP VulDB ID: 2100
Related OSVDB ID: 24047 24048
ISS X-Force ID: 25380
VUPEN Advisory: ADV-2006-1043
Vendor Specific Advisory URL: http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm
Keyword: TID10100633,NOVL105338

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/24046

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Novell, Inc.

Novell NetWare

Novell Open Enterprise Server

References

Credit