Novell eDirectory NMAS Password Challenge Bypass

2005-07-28T09:16:17
ID OSVDB:18341
Type osvdb
Reporter OSVDB
Modified 2005-07-28T09:16:17

Description

Vulnerability Description

eDirectory NMAS (Novell Modular Authentication Service) contains a flaw in the Fogotten Password portal that may lead to an unauthorized password modification. It is possible to modify an arbitrary user's password without answering the challenge question(s), which may lead to a loss of integrity.

Solution Description

Upgrade to version 2.3.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

eDirectory NMAS (Novell Modular Authentication Service) contains a flaw in the Fogotten Password portal that may lead to an unauthorized password modification. It is possible to modify an arbitrary user's password without answering the challenge question(s), which may lead to a loss of integrity.

References:

Vendor Specific Advisory URL Security Tracker: 1014595 Secunia Advisory ID:16267 Bugtraq ID: 14419