NetIQ eDirectory NDS iMonitor 8.8 SP8 / 8.8 SP7 XSS / Memory Disclosure

`SEC Consult Vulnerability Lab Security Advisory < 20141219-0 >  
=======================================================================  
title: XSS & Memory Disclosure  
product: NetIQ eDirectory NDS iMonitor  
vulnerable version: 8.8 SP8, 8.8 SP7  
fixed version: 8.8 SP8 HF 4,  
fix available for versions 8.8 SP7 (8.8.7.4 HF 4,  
8.8.7.6 HF 3)  
CVE number: CVE-2014-5212, CVE-2014-5213  
impact: High  
homepage: https://www.netiq.com/  
found: 2014-10-29  
by: W. Ettlinger  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-----------------------------  
"eDirectory(TM) is a full-service, secure LDAP directory providing incredible  
scalability and an agile platform to run your organization's identity  
infrastructure and multi-platform network services."  
  
URL: https://www.netiq.com/products/edirectory/  
  
  
Business recommendation:  
------------------------  
An attacker without an account on the NetIQ eDirectory NDS iMonitor is able  
to gain administrative access by luring an authenticated administrator to  
visit an attacker-controlled web site. Moreover, an authenticated attacker  
is able to retrieve internal data which potentially contains sensitive  
data.  
  
As the NetIQ eDirectory is often used to maintain a centralized user database  
it is a very attractive target for an attacker. By compromising this system,  
an attacker may be able to conduct further attacks on other systems.  
  
SEC Consult recommends to immediately conduct a full security review of  
this software, especially if used as a centralized user database.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Memory Disclosure (CVE-2014-5213)  
Using crafted HTTP requests an administrative user can retrieve parts of the  
virtual memory from the service. This potentially discloses secret data like  
passwords.  
  
2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)  
A reflected cross site scripting vulnerability was identified. An attacker  
could take over the user account of a valid administrator.  
  
  
Proof of concept:  
-----------------  
1) Memory Disclosure (CVE-2014-5213)  
When accessing the following URL as an authenticated user, parts of the virtual  
memory can be retrieved:  
  
https://<host>:8030/nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images  
  
2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)  
The following URL demonstrates a reflected XSS flaw:  
  
https://<host>:8030/nds/search/data?scope=st&rdn=%3C/script%20%3E%3Cscript%20%3Ealert%28%22XSS%22%29%3C/script%20%3E  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities have been verified to exist in the NetIQ eDirectory NDS  
iMonitor version 8.8 SP8, which was the most recent version at the time of  
discovery.  
  
  
Vendor contact timeline:  
------------------------  
2014-10-29: Contacting [email protected], sending responsible disclosure  
policy and PGP keys  
2014-10-29: Vendor redirects to [email protected], providing PGP keys  
through Novell support page  
2014-10-30: Sending encrypted security advisory to Novell  
2014-10-30: Novell acknowledges the receipt of the advisory  
2014-11-18: Novell: the vulnerabilities have been fixed by development; the  
patches will be release end of November  
2014-12-08: Novell: the release has been pushed to Dec. 8th  
2014-12-09: Novell: the release 8.8.8.4 should be released tomorrow;  
The hotfix for 8.8.7.6 is still pending  
2014-12-17: Verifying release of advisory; asking whether patches have been  
released  
2014-12-18: Novell: Patches have been released  
2014-12-19: Coordinated release of security advisory  
  
  
Solution:  
---------  
Update to the release 8.8.8.4 or apply fix for versions 8.8 SP 7.  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
Interested to work with the experts of SEC Consult?  
Write to [email protected]  
  
EOF W. Ettlinger / @2014  
  
`