NetIQ eDirectory NDS iMonitor 8.8 SP8 / 8.8 SP7 XSS / Memory Disclosure

Type packetstorm
Reporter Wolfgang Ettlinger
Modified 2014-12-20T00:00:00


SEC Consult Vulnerability Lab Security Advisory < 20141219-0 >  
title: XSS & Memory Disclosure  
product: NetIQ eDirectory NDS iMonitor  
vulnerable version: 8.8 SP8, 8.8 SP7  
fixed version: 8.8 SP8 HF 4,  
fix available for versions 8.8 SP7 ( HF 4, HF 3)  
CVE number: CVE-2014-5212, CVE-2014-5213  
impact: High  
found: 2014-10-29  
by: W. Ettlinger  
SEC Consult Vulnerability Lab  

Vendor description:  
"eDirectory(TM) is a full-service, secure LDAP directory providing incredible  
scalability and an agile platform to run your organization's identity  
infrastructure and multi-platform network services."  

Business recommendation:  
An attacker without an account on the NetIQ eDirectory NDS iMonitor is able  
to gain administrative access by luring an authenticated administrator to  
visit an attacker-controlled web site. Moreover, an authenticated attacker  
is able to retrieve internal data which potentially contains sensitive  
As NetIQ eDirectory is often used to maintain a centralized user database,  
it is a very attractive target for an attacker. By compromising this system,  
an attacker may be able to conduct further attacks on other systems.  
SEC Consult recommends immediately conducting a full security review of  
this software, especially if it is used as a centralized user database.  

Vulnerability overview/description:  
1) Memory Disclosure (CVE-2014-5213)  
Using crafted HTTP requests, an administrative user can retrieve parts of the  
virtual memory from the service. This potentially discloses secret data like  

2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)  
A reflected cross-site scripting vulnerability was identified. An attacker  
could take over the user account of a valid administrator.  

Proof of concept:  
1) Memory Disclosure (CVE-2014-5213)  
When accessing the following URL as an authenticated user, parts of the virtual  
memory can be retrieved:  

2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)  
The following URL demonstrates a reflected XSS flaw:  

Vulnerable / tested versions:  
The vulnerabilities have been verified to exist in the NetIQ eDirectory NDS  
iMonitor version 8.8 SP8, which was the most recent version at the time of  

Vendor contact timeline:  
2014-10-29: Contacting, sending responsible disclosure  
policy and PGP keys  
2014-10-29: Vendor redirects to, providing PGP keys  
through Novell support page  
2014-10-30: Sending encrypted security advisory to Novell  
2014-10-30: Novell acknowledges the receipt of the advisory  
2014-11-18: Novell: the vulnerabilities have been fixed by development; the  
patches will be released at the end of November  
2014-12-08: Novell: the release has been pushed to Dec. 8th  
2014-12-09: Novell: the release should be released tomorrow;  
The hotfix for is still pending  
2014-12-17: Verifying release of advisory; asking whether patches have been  
2014-12-18: Novell: Patches have been released  
2014-12-19: Coordinated release of security advisory  

Update to the release or apply fix for versions 8.8 SP 7.  
No workaround available.  

Advisory URL:  
SEC Consult Vulnerability Lab  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
Mail: research at sec-consult dot com  
EOF W. Ettlinger / @2014