Novell Netware Allows Login Access With No Passwords
SecurityTracker Alert ID: 1001070
SecurityTracker URL: http://securitytracker.com/id/1001070
Date: Mar 12 2001
User access via network
Version(s): Netware 3.1-5.1
A vulnerability has been reported in the default configuration of Novell Netware that allows login access with no passwords.
An unauthorized user can log into a Novell Netware network by using a Print Server as the username. Under a default configuration, Novell Print Servers have blank passwords. If a password is assigned, Novell Print Servers do not have intruder detection capability as a user account would, so the Print Server accounts are vulnerable to a brute force password guessing attack without risk of account lockout. When a Print Server is logged into as a User, the account will have the same rights as are assigned to the container that it resides in.
The vendor was notified on November 2, 2000 but had not responded at the time of the report.
The information in the original report was supplied by Chris Hughes firstname.lastname@example.org.
An attacker can log into a Netware network using a Print Server account and obtain the rights of the container that the Print Server resides in.
No solution was available at the time of this entry.
Vendor URL: www.novell.com
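An inventory check for the condition described above, as an added example that is not part of the original advisory: it flags Print Server objects with blank passwords, marks passworded ones as still guessable without lockout, and lists the rights of the container each one resides in. The CSV layout, object names and rights map are constructed for illustration and are not the output of any Novell tool.

```python
import csv
import io

# Constructed sample inventory (hypothetical export format, not a NetWare tool's output).
SAMPLE_OBJECTS = """name,object_class,container,password_set
jsmith,User,OU=Sales.O=ACME,yes
PS-SALES,Print Server,OU=Sales.O=ACME,no
PS-HQ,Print Server,O=ACME,yes
PS-LAB,print server,OU=Lab.O=ACME,
"""

# Constructed sample: rights assigned to each container (hypothetical values).
SAMPLE_CONTAINER_RIGHTS = {
    "OU=Sales.O=ACME": ["SYS:PUBLIC [RF]", "VOL1:SALES [RWCEMF]"],
    "O=ACME": ["SYS:PUBLIC [RF]"],
}

def audit_print_servers(objects_csv, container_rights):
    """Return one finding per Print Server object, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(objects_csv)):
        if row["object_class"].strip().lower() != "print server":
            continue  # user accounts are covered by intruder detection
        has_password = (row["password_set"] or "").strip().lower() in ("yes", "true", "1")
        if has_password:
            severity, issue = "medium", "password set, but guessable without lockout"
        else:
            # An empty or missing value is treated as blank: fail closed.
            severity, issue = "high", "blank password"
        container = row["container"].strip()
        findings.append({
            "name": row["name"].strip(),
            "severity": severity,
            "issue": issue,
            # Rights a login as this object would carry, per the advisory.
            "rights": container_rights.get(container, ["unknown: review container"]),
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["name"]))
    return findings

if __name__ == "__main__":
    for f in audit_print_servers(SAMPLE_OBJECTS, SAMPLE_CONTAINER_RIGHTS):
        print(f"{f['severity']:6} {f['name']:9} {f['issue']}; rights: {', '.join(f['rights'])}")
```

A container missing from the rights map is reported as "unknown" rather than skipped, so an incomplete inventory does not hide a Print Server object.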
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: Vulnerability in Novell Netware
The information in this advisory was supplied by Chris Hughes <email@example.com>.
This security advisory is not endorsed by Security-Focus.com.
Vulnerability in Novell Netware
Date Published: 03/08/01
Advisory ID: n/a
Bugtraq ID: 2446
CVE CAN: None currently assigned.
Title: Novell Netware Print Server Vulnerability
Class: Configuration Error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Vulnerability Description: Novell Netware allows a user to log into a
Novell Network by using a Printer Server as the username. By default,
Novell Print Servers have blank passwords. In addition, Novell Print
Servers do not have intruder detection capability as a user account would,
so they are vulnerable to a brute force attack without risk of account
lockout. When a Print Server is logged into as a User, the account will
have the same rights as are assigned to the container that it resides in.
Vulnerable Packages/Systems: Novell Netware 3.1-5.1
Solution/Vendor Information/Workaround: Vendor has not responded yet.
Vendor notified on: 11/02/00
Credits: Discovered by Chris Hughes <firstname.lastname@example.org>
This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail email@example.com.
Vulnerability Help Team