{"cve": [{"lastseen": "2016-09-03T20:48:18", "bulletinFamily": "NVD", "description": "nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images in iMonitor in Novell eDirectory before 8.8 SP8 Patch 4 allows remote authenticated users to obtain sensitive information from process memory via a direct request.", "modified": "2015-11-13T11:51:57", "published": "2014-12-19T13:59:01", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5213", "id": "CVE-2014-5213", "title": "CVE-2014-5213", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-03T20:48:17", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in nds/search/data in iMonitor in Novell eDirectory before 8.8 SP8 Patch 4 allows remote attackers to inject arbitrary web script or HTML via the rdn parameter.", "modified": "2015-11-13T11:51:16", "published": "2014-12-19T13:59:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5212", "id": "CVE-2014-5212", "title": "CVE-2014-5212", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:56", "bulletinFamily": "software", "description": "\r\n\r\nSEC Consult Vulnerability Lab Security Advisory < 20141219-0 >\r\n=======================================================================\r\n title: XSS & Memory Disclosure\r\n product: NetIQ eDirectory NDS iMonitor\r\n vulnerable version: 8.8 SP8, 8.8 SP7\r\n fixed version: 8.8 SP8 HF 4,\r\n fix available for versions 8.8 SP7 (8.8.7.4 HF 4,\r\n 8.8.7.6 HF 3)\r\n CVE number: CVE-2014-5212, CVE-2014-5213\r\n impact: High\r\n homepage: https://www.netiq.com/\r\n found: 2014-10-29\r\n by: W. 
Ettlinger\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\nVendor description:\r\n-----------------------------\r\n"eDirectory(TM) is a full-service, secure LDAP directory providing incredible\r\nscalability and an agile platform to run your organization's identity\r\ninfrastructure and multi-platform network services."\r\n\r\nURL: https://www.netiq.com/products/edirectory/\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nAn attacker without an account on the NetIQ eDirectory NDS iMonitor is able\r\nto gain administrative access by luring an authenticated administrator to\r\nvisit an attacker-controlled web site. Moreover, an authenticated attacker\r\nis able to retrieve internal data which potentially contains sensitive\r\ndata.\r\n\r\nAs the NetIQ eDirectory is often used to maintain a centralized user database\r\nit is a very attractive target for an attacker. By compromising this system,\r\nan attacker may be able to conduct further attacks on other systems.\r\n\r\nSEC Consult recommends to immediately conduct a full security review of\r\nthis software, especially if used as a centralized user database.\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Memory Disclosure (CVE-2014-5213)\r\nUsing crafted HTTP requests an administrative user can retrieve parts of the\r\nvirtual memory from the service. This potentially discloses secret data like\r\npasswords.\r\n\r\n2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)\r\nA reflected cross site scripting vulnerability was identified. 
An attacker\r\ncould take over the user account of a valid administrator.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Memory Disclosure (CVE-2014-5213)\r\nWhen accessing the following URL as an authenticated user, parts of the virtual\r\nmemory can be retrieved:\r\n\r\nhttps://<host>:8030/nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images\r\n\r\n2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)\r\nThe following URL demonstrates a reflected XSS flaw:\r\n\r\nhttps://<host>:8030/nds/search/data?scope=st&rdn=%3C/script%20%3E%3Cscript%20%3Ealert%28%22XSS%22%29%3C/script%20%3E\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerabilities have been verified to exist in the NetIQ eDirectory NDS\r\niMonitor version 8.8 SP8, which was the most recent version at the time of\r\ndiscovery.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2014-10-29: Contacting security@netiq.com, sending responsible disclosure\r\n policy and PGP keys\r\n2014-10-29: Vendor redirects to security@novell.com, providing PGP keys\r\n through Novell support page\r\n2014-10-30: Sending encrypted security advisory to Novell\r\n2014-10-30: Novell acknowledges the receipt of the advisory\r\n2014-11-18: Novell: the vulnerabilities have been fixed by development; the\r\n patches will be released end of November\r\n2014-12-08: Novell: the release has been pushed to Dec. 
8th\r\n2014-12-09: Novell: the release 8.8.8.4 should be released tomorrow;\r\n The hotfix for 8.8.7.6 is still pending\r\n2014-12-17: Verifying release of advisory; asking whether patches have been\r\n released\r\n2014-12-18: Novell: Patches have been released\r\n2014-12-19: Coordinated release of security advisory\r\n\r\n\r\nSolution:\r\n---------\r\nUpdate to the release 8.8.8.4 or apply fix for versions 8.8 SP 7.\r\n\r\n\r\nWorkaround:\r\n-----------\r\nNo workaround available.\r\n\r\n\r\nAdvisory URL:\r\n-------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n\r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich\r\n\r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n\r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n\r\nInterested to work with the experts of SEC Consult?\r\nWrite to career@sec-consult.com\r\n\r\nEOF W. 
Ettlinger / @2014\r\n\r\n", "modified": "2014-12-22T00:00:00", "published": "2014-12-22T00:00:00", "id": "SECURITYVULNS:DOC:31509", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31509", "title": "SEC Consult SA-20141219-0 :: XSS & Memory Disclosure vulnerabilities in NetIQ eDirectory NDS iMonitor", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:41", "bulletinFamily": "exploit", "description": "", "modified": "2014-12-20T00:00:00", "published": "2014-12-20T00:00:00", "href": "https://packetstormsecurity.com/files/129670/NetIQ-eDirectory-NDS-iMonitor-8.8-SP8-8.8-SP7-XSS-Memory-Disclosure.html", "id": "PACKETSTORM:129670", "type": "packetstorm", "title": "NetIQ eDirectory NDS iMonitor 8.8 SP8 / 8.8 SP7 XSS / Memory Disclosure", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/129670/SA-20141219-0.txt"}], "openvas": [{"lastseen": "2018-10-22T16:39:17", "bulletinFamily": "scanner", "description": "This host is installed with Novell eDirectory\n and is prone to multiple vulnerabilities.", "modified": "2018-10-19T00:00:00", "published": "2015-02-06T00:00:00", "id": "OPENVAS:1361412562310805269", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805269", "title": "Novell eDirectory iMonitor Multiple Vulnerabilities - Feb15", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_novell_edirectory_mult_vuln_feb15.nasl 11975 2018-10-19 06:54:12Z cfischer $\n#\n# Novell eDirectory iMonitor Multiple Vulnerabilities - Feb15\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is 
distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805269\");\n script_version(\"$Revision: 11975 $\");\n script_cve_id(\"CVE-2014-5212\", \"CVE-2014-5213\");\n script_bugtraq_id(71741, 71748);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 08:54:12 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-06 12:01:38 +0530 (Fri, 06 Feb 2015)\");\n script_name(\"Novell eDirectory iMonitor Multiple Vulnerabilities - Feb15\");\n script_tag(name:\"summary\", value:\"This host is installed with Novell eDirectory\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple errors exists due to,\n\n - Improper sanitization by the /nds/search/data script when input is passed\n via the 'rdn' parameter.\n\n - An error in the /nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary script code in a user's browser session within the trust\n relationship between their browser and the server, and disclose virtual memory\n including passwords.\");\n\n script_tag(name:\"affected\", value:\"Novell eDirectory versions prior to 8.8 SP8\n 
Patch 4\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Novell eDirectory version 8.8 SP8\n Patch 4 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1031408\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/534284\");\n script_xref(name:\"URL\", value:\"https://www.novell.com/support/kb/doc.php?id=3426981\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"novell_edirectory_detect.nasl\");\n script_mandatory_keys(\"eDirectory/installed\");\n script_require_ports(\"Services/ldap\", 389, 636);\n script_xref(name:\"URL\", value:\"https://www.netiq.com\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nCPE = make_list( \"cpe:/a:novell:edirectory\",\"cpe:/a:netiq:edirectory\" );\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! major = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( ! sp = get_kb_item( \"ldap/eDirectory/\" + port + \"/sp\" ) )\n sp = \"0\";\n\ninstvers = major;\n\nif( sp > 0 )\n instvers += ' SP' + sp;\n\nrevision = get_kb_item( \"ldap/eDirectory/\" + port + \"/build\" );\nrevision = str_replace( string:revision, find:\".\", replace:\"\" );\n\nif( major <= \"8.8\" && sp <= \"8\" && revision <= \"2080404\" )\n{\n report = 'Installed version: ' + instvers + '\\n' +\n 'Fixed version: 8.8 SP8 Patch4\\n';\n security_message(data:report, port:port);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}