CERT-In Vulnerability Note
Novell iChain Exception Failure Denial of Service Vulnerability
Original Issue Date: October 28, 2003
Severity Rating: MEDIUM
Novell iChain Server 2.2 SP1, Novell iChain Server 2.2 FP1a, Novell iChain Server 2.2 FP1, Novell iChain Server 2.2
There is a vulnerability in the Novell iChain service. It occurs because iChain is unable to handle a specific exceptional condition, which arises from a retrieve request by WGET on a directory that has no files. This vulnerability may cause a denial of service.
WGET causes an iChain abend. The abend occurs when WGET issues a RETR on a directory where no files exist.
A key component of the Novell Nsure secure identity management solution, iChain controls access to application, web and network resources across all boundaries. As iChain is built upon Novell eDirectory, access control lists (ACLs) are used to provide a reliable security foundation. In addition to ACLs, iChain enhances network security by supporting several types of authentication methods, including smart card, username/password and token authentication.
A vulnerability has been identified in iChain which can be exploited remotely by an attacker to cause a Denial of Service (DoS) on a vulnerable system and potentially compromise it. The problem is due to the inability of iChain to handle a specific exceptional condition and arises because of a retrieve request by WGET on a directory that has no files.
This vulnerability can be mitigated by creating a dummy file (a small text file) in each of the following directories:
Apply appropriate patch as given under
iChain Server 2.2 SP1:
iChain Server 2.2 FP1a:
iChain Server 2.2 FP1:
iChain Server 2.2:
Novell has released iChain Support Pack 2 Beta 2 to address this issue; refer to TID2967231 for further information.
Novell Technical Information Document - iChain - TID10086051
The information provided herein is on an "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-2436857
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003