Waltham, Mass.-based Novell Inc. has issued a bulletin to remedy a moderately critical security vulnerability in eDirectory. Unless fixed, the unspecified vulnerability could be exploited by a local user to cause a denial of service and possibly gain unauthorized access to the target system.
Novell eDirectory is an LDAP directory service, used for identity-management deployments and multiplatform network services. The current flaw occurs in eDirectory's iMonitor component, which provides Web-based cross-platform monitoring and diagnostic capabilities.
The issue stems from a buffer overflow that can be forced in an unspecified part of iMonitor processing, which could cause a denial of service. Because eDirectory is an LDAP directory service, a denial-of-service attack could cause more widespread security issues, including the possibility of unauthorized system access.
Version 2.4 of iMonitor, which ships with eDirectory version 8.8, is known to be vulnerable. Novell has provided a patch for this vulnerability on Windows, UNIX, and NetWare systems.
It is unclear whether the current vulnerability is related to a security flaw in iMonitor previously reported by Danish vulnerability clearinghouse Secunia. In August 2005, another buffer overflow problem in iMonitor allowed execution of arbitrary code with system privileges. Again, unauthorized system access was a possible secondary effect of the vulnerability. Also in 2005, Novell reported unrelated eDirectory vulnerabilities involving remote denial of service and the possibility of bypassing passwords.
Edmund X. DeJesus is a freelance writer in Norwood, Mass.