COMMAND

    Navision Financials

SYSTEMS AFFECTED

    Navision Financials Server v2.50, 2.60

PROBLEM

    Following is based on a Defcom Labs Advisory def-2001-17 by  Peter
    Grundl.   The  Navision  Financials  Server  contains  a flaw that
    allows an attacker to crash the service.

    Sending a  null character  followed by  approx. 30k  of A's to TCP
    port  2407  causes  a  buffer  overflow and terminates the process
    (SERVER.EXE).  The overflow does not appear to be exploitable.

    A smaller  amount can  also be  used, and  will silently  kill the
    process.   This requires  approx. 10  connections starting  with a
    null character, followed by 100+ characters.

    According to David Hayes, another reason to limit access to port
    2407  on  your  Navision  servers   is  that  the  server   limits
    connections  to  however  many  licensed  sessions  you own, and a
    connection with  no username/password  counts against  this limit.
    Thus,  a  simple  DoS  involves  merely  firing  up  the  Navision
    Financials  client  numerous  times,  and  doing FILE -> SERVER ->
    CONNECT -> YourNavisionServer  on each client  instance.  (Or,  if
    your shortcut specifies the name  of the server in it,  you merely
    have to accidentally fire off  this shortcut several times.   This
    is what users often do.)  This will quickly run you out of licenses,
    and  legitimate  users  will  be  locked  out  with a 'no licenses
    available' message.

    This DoS works  (far too regularly...)  on version 2.0  of the AIX
    version of Navision  Financials.  This  version is sorta  old, and
    we don't know if newer versions behave the same.

SOLUTION

    Disallow  access  to  TCP  port  2407  from untrusted systems, and
    contact Navision-Damgaard  Support to  obtain the  patch for  this
    problem:

        http://www.navision.com/com/view.asp?documentID=258

    The issue  was brought  to the  vendor's attention  on the  21st of
    December, 2000.  A patch was  created by the vendor on the  5th of
    March, 2001.
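
    For monitoring the license exhaustion described under PROBLEM and
    the port restriction under SOLUTION, the following is an added
    example (not part of the original advisory or any vendor tooling)
    that replays session events for port 2407 and flags untrusted
    sources, unauthenticated sessions piling up from one host, and a
    full license pool.  The event format, addresses, pool size and
    thresholds are assumptions; the sample data is constructed.

```python
import ipaddress
from collections import Counter

NAVISION_PORT = 2407  # listener port named in the advisory

# Constructed events: (time, kind, session id, source IP, destination port).
# The log format, addresses and pool size are assumptions for illustration.
SAMPLE_EVENTS = [
    ("09:00:01", "open",  1, "10.0.5.11", 2407),
    ("09:00:04", "login", 1, "10.0.5.11", 2407),
    ("09:01:10", "open",  2, "10.0.5.23", 2407),
    ("09:01:11", "open",  3, "10.0.5.23", 2407),
    ("09:01:12", "open",  4, "10.0.5.23", 2407),
    ("09:02:30", "open",  5, "192.0.2.77", 2407),
    ("09:03:00", "close", 1, "10.0.5.11", 2407),
    ("09:03:05", "open",  6, "10.0.5.12", 2407),
]


def audit_sessions(events, licensed_sessions, trusted_nets, per_source_limit=2):
    """Replay session events and return (time, finding, source) tuples."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    sessions = {}  # session id -> [source, authenticated]
    findings = []
    for ts, kind, sid, src, port in events:
        if port != NAVISION_PORT:
            continue
        if kind == "close":
            sessions.pop(sid, None)
        elif kind == "login" and sid in sessions:
            sessions[sid][1] = True
        elif kind == "open":
            sessions[sid] = [src, False]
            addr = ipaddress.ip_address(src)
            if not any(addr in net for net in nets):
                findings.append((ts, "untrusted-source", src))
            # Sessions with no login still occupy a license slot.
            unauth = Counter(s for s, authed in sessions.values() if not authed)
            if unauth[src] > per_source_limit:
                findings.append((ts, "unauthenticated-hoarding", src))
            if len(sessions) >= licensed_sessions:
                findings.append((ts, "license-pool-full", src))
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_EVENTS, 5, ["10.0.5.0/24"]):
        print(*finding)
```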