Novell File Reporter Agent VOL Tag Remote Code Execution (uncredentialed check)

Critical Nessus Plugin ID 62027

Synopsis

The remote host is running a service that is affected by a remote code execution vulnerability.

Description

The version of Novell File Reporter (NFR) Agent running on the remote host is affected by a remote code execution vulnerability due to a buffer overflow condition. The specific flaw exists within NFRAgent.exe, which listens over HTTPS on TCP port 3037 by default. When parsing tags inside the VOL element, the process performs insufficient bounds checking on user-supplied data before copying it into a fixed-length buffer on the stack.

An unauthenticated, remote attacker who can reach the service can exploit this vulnerability to corrupt the process thread's stack, possibly resulting in arbitrary code execution under the context of a privileged account.

Note that only the NFR Agent running on a Windows OS is affected.

Solution

There is currently no patch for this vulnerability. One mitigation strategy is to restrict interaction with the service to trusted machines. Only the hosts that have a legitimate procedural relationship with the Novell File Reporter Agent should be permitted to communicate with it. This can be accomplished with firewall rules.
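One way to apply this mitigation with Windows Firewall on the host running the agent. This is an added example, not part of the original advisory or any vendor guidance. The trusted addresses and the rule name are constructed placeholders, and the port is the default 3037 named above.

```powershell
param(
    [string[]]$TrustedHosts = @('192.0.2.10', '192.0.2.11'),  # constructed placeholders
    [int]$Port = 3037,                                         # default port per the advisory
    [string]$RuleName = 'NFR Agent - trusted hosts only'       # hypothetical rule name
)

function Test-PortCovered([string[]]$Spec, [int]$Port) {
    # LocalPort can be 'Any', a single port, or a range such as '3000-3100'.
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

# Audit: enabled inbound Allow rules that reach the port from any remote address.
$tooBroad = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    if ($rule.DisplayName -eq $RuleName) { continue }
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'Any') { continue }
    if (-not (Test-PortCovered -Spec @($pf.LocalPort) -Port $Port)) { continue }
    $af = $rule | Get-NetFirewallAddressFilter
    if (@($af.RemoteAddress) -contains 'Any') {
        [pscustomobject]@{
            Rule    = $rule.DisplayName
            Ports   = @($pf.LocalPort) -join ','
            Program = ($rule | Get-NetFirewallApplicationFilter).Program
        }
    }
}
$tooBroad | Format-Table -AutoSize   # review these; each one bypasses the scoped rule below

# Scoped allow rule: only the listed hosts may reach the agent port.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $TrustedHosts -Profile Any | Out-Null
}

# Windows Firewall must block unmatched inbound traffic for the scoping to take effect.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Run it from an elevated PowerShell session. Any rule listed by the audit step still admits untrusted hosts until it is disabled or narrowed.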

See Also

http://www.tenable.com/security/research/tra-2012-18

http://www.zerodayinitiative.com/advisories/ZDI-12-167/

http://seclists.org/bugtraq/2012/Aug/192

Plugin Details

Severity: Critical

ID: 62027

File Name: novell_file_reporter_agent_zdi-12-167.nbin

Version: $Revision: 1.36 $

Type: remote

Published: 2012/09/10

Modified: 2018/06/15

Dependencies: 62026, 11936

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:U/RC:ND

Vulnerability Information

CPE: cpe:/a:novell:file_reporter

Exploit Available: false

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2012/08/29

Reference Information

BID: 55268

TRA: TRA-2012-18