XSS & Memory Disclosure

SEC Consult Vulnerability Lab Security Advisory < 20141219-0 >


title: XSS & Memory Disclosure

product: NetIQ eDirectory NDS iMonitor

vulnerable version: 8.8 SP8, 8.8 SP7

fixed version: 8.8 SP8 HF 4,

fix available for versions 8.8 SP7 ( HF 4, HF 3)

CVE number: CVE-2014-5212, CVE-2014-5213

impact: High

homepage: www.netiq.com

found: 2014-10-29

by: W. Ettlinger

SEC Consult Vulnerability Lab




Vendor description:


"eDirectory(TM) is a full-service, secure LDAP directory providing incredible

scalability and an agile platform to run your organization's identity

infrastructure and multi-platform network services."


URL: www.netiq.com/products/edirectory/



Business recommendation:


An attacker without an account on the NetIQ eDirectory NDS iMonitor is able

to gain administrative access by luring an authenticated administrator to

visit an attacker-controlled web site. Moreover, an authenticated attacker

is able to retrieve internal data which potentially contains sensitive



As the NetIQ eDirectory is often used to maintain a centralized user database

it is a very attractive target for an attacker. By compromising this system,

an attacker may be able to conduct further attacks on other systems.


SEC Consult recommends to immediately conduct a full security review of

this software, especially if used as a centralized user database.



Vulnerability overview/description:


1) Memory Disclosure (CVE-2014-5213)

Using crafted HTTP requests an administrative user can retrieve parts of the

virtual memory from the service. This potentially discloses secret data like



2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)

A reflected cross site scripting vulnerability was identified. An attacker

could take over the user account of a valid administrator.



Proof of concept:


1) Memory Disclosure (CVE-2014-5213)

When accessing the following URL as an authenticated user, parts of the virtual

memory can be retrieved:

https:// <host>:8030/nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images


2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)

The following URL demonstrates a reflected XSS flaw:

https:// <host>:8030/nds/search/data scope=st&rdn=%3C/script%20%3E%3Cscript%20%3Ealert%28%22XSS%22%29%3C/script%20%3E



Vulnerable / tested versions:


The vulnerabilities have been verified to exist in the NetIQ eDirectory NDS

iMonitor version 8.8 SP8, which was the most recent version at the time of




Vendor contact timeline:


2014-10-29: Contacting security@netiq.com, sending responsible disclosure

policy and PGP keys

2014-10-29: Vendor redirects to security@novell.com, providing PGP keys

through Novell support page

2014-10-30: Sending encrypted security advisory to Novell

2014-10-30: Novell acknowledges the receipt of the advisory

2014-11-18: Novell: the vulnerabilities have been fixed by development; the

patches will be release end of November

2014-12-08: Novell: the release has been pushed to Dec. 8th

2014-12-09: Novell: the release should be released tomorrow;

The hotfix for is still pending

2014-12-17: Verifying release of advisory; asking whether patches have been


2014-12-18: Novell: Patches have been released

2014-12-19: Coordinated release of security advisory





Update to the release or apply fix for versions 8.8 SP 7.





No workaround available.



Advisory URL:






SEC Consult Vulnerability Lab


SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich



Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15


Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult


Interested to work with the experts of SEC Consult?

Write to career@sec-consult.com


EOF W. Ettlinger / @2014