COMMAND

    Novell

SYSTEMS AFFECTED

    Novell Netware 4.x

PROBLEM

    Simple Nomad posted the following.  On July 15, 1998 the Nomad Mobile
    Research Centre released the DOS version of Pandora v3.0, a set of
    Novell  Netware  4.x  attack  tools.  These tools will provide the
    following functions:

        - User  and password  hash extraction  from Netware  Directory
          Services (NDS).
        - Brute force and dictionary attacking of the password hashes.
        - Client-based attacks.
        - The Pandora Toolkit API, including documentation.
        - Full source code.
        - Packet Signature defeating and bypassing.

    This last element  is probably the  most interesting, as  Novell's
    Packet Signature  has been  around for  around seven  years.   New
    techniques developed by NMRC  allow exploitation of weaknesses  in
    the packet signing scheme, and in some cases allow packet  signing
    to  be  completely  bypassed.   This  has SERIOUS ramifications in
    every shop running a modern Netware server, including the  current
    shipping version 4.11.  Some of the client attack tools even  work
    with Netware 5 betas 2 and 3.  The main exploit NMRC came up  with
    was a  series of  IPX spoofing  techniques that  allow a client to
    gain Admin  privileges on  a Netware  server even  if the  highest
    level of Packet Signature has been set.

    A  white  paper  entitled  "NCP:  Netware  Cries Pandora" has been
    released and is  included with Pandora.   The white paper  is also
    online at the NMRC  web site.  This  white paper explains some  of
    these new  exploits, how  they work,  and what  to do  to try  and
    secure a Netware system.

    Still  under  development  are  Linux  versions  that  use the IPX
    connectivity  tools  available  for  Linux,  and a GUI for Windows
    95/NT and  X to  simplify usage.  These tools  are expected  to be
    released within the next few weeks.

    The Pandora homepage is located at:

        http://www.nmrc.org/pandora/

SOLUTION

    Novell  has  responded  to  the  hacks  NMRC has developed against
    Netware 4.x and  NDS.  Apparently  the attacks that  breach Packet
    Signature work, even against  recently patched Netware systems  if
    the  SET  PACKET  SIGNATURE  LEVEL=3  line  in the AUTOEXEC.NCF is
    processed  during  server  boot  AFTER  Directory  Services
    loads.  If you can't use LEVEL=3 because of old equipment on  your
    network, it is highly recommended you upgrade, otherwise at  least
    set it to LEVEL=2 and put it in the NCF file as stated above. This
    may not help at all, but I'd at least consider it.

    So for you  folks out there  protecting Netware servers,  move the
    Packet Signature  line up  to the  very front  of AUTOEXEC.NCF, or
    move it into the STARTUP.NCF file. That and load the latest DS.NLM
    (which is at 5.99).  Anything before version 5.95 is vulnerable to
    the spoofing attacks.
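
    The script below is an added illustration of the two checks just
    described; it is not code from NMRC, Pandora or Novell.  It audits the
    text of an AUTOEXEC.NCF or STARTUP.NCF for the value and position of
    the Packet Signature SET line (in AUTOEXEC.NCF it must be the very
    first command, in STARTUP.NCF any position is fine, as advised above)
    and compares a DS.NLM version against the 5.95 threshold given in the
    advisory.  The advisory spells the parameter SET PACKET SIGNATURE
    LEVEL; the NetWare 4.x server console knows it as SET NCP PACKET
    SIGNATURE OPTION, so the pattern accepts both spellings.  The NCF
    contents embedded in the script are constructed for the example and
    do not come from any real server.

```python
"""Audit NetWare 4.x NCF boot scripts for the Packet Signature ordering issue.

Added illustration, not code from the NMRC advisory, Pandora or Novell.  Rules
follow the advisory: level 3 (2 as fallback), and in AUTOEXEC.NCF the SET line
must be the first command, or else live in STARTUP.NCF.  Samples are constructed.
"""
import re

# The advisory writes "SET PACKET SIGNATURE LEVEL"; the 4.x server console
# calls the parameter "SET NCP PACKET SIGNATURE OPTION".  Accept both spellings.
SIG_RE = re.compile(
    r"^SET\s+(?:NCP\s+)?PACKET\s+SIGNATURE\s+(?:LEVEL|OPTION)\s*=\s*(\d)$", re.I
)
# DS.NLM: anything before 5.95 is open to the spoofing attacks (5.99 is current).
MIN_SAFE_DS_NLM = (5, 95)


def parse_nlm_version(version):
    """'5.95' -> (5, 95): compare component-wise, never as a float."""
    return tuple(int(part) for part in version.split("."))


def ds_nlm_vulnerable(version):
    """True when this DS.NLM version predates the fix."""
    return parse_nlm_version(version) < MIN_SAFE_DS_NLM


def commands_in(ncf_text):
    """Yield (line_no, command) for every non-blank, non-comment (#) NCF line."""
    for line_no, raw in enumerate(ncf_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line_no, line


def audit_ncf(filename, ncf_text):
    """Return a list of finding strings; an empty list means nothing to fix."""
    findings = []
    commands = list(commands_in(ncf_text))
    hits = [(pos, n, SIG_RE.match(cmd)) for pos, (n, cmd) in enumerate(commands)
            if SIG_RE.match(cmd)]
    if not hits:
        return [f"{filename}: no Packet Signature SET line at all"]

    pos, line_no, match = hits[-1]          # repeated SETs: the last one wins
    level = int(match.group(1))
    if level < 2:
        findings.append(f"{filename}:{line_no}: level {level}; "
                        "minimum fallback is 2, 3 recommended")
    elif level == 2:
        findings.append(f"{filename}:{line_no}: level 2; "
                        "upgrade the old clients and use 3")

    # STARTUP.NCF is processed before Directory Services loads, so any position
    # there is fine.  In AUTOEXEC.NCF the line must come before every other
    # command, or it runs after DS loads and the spoofing attacks still work.
    if filename.upper() == "AUTOEXEC.NCF" and pos != 0:
        earlier = ", ".join(cmd.split()[0] for _, cmd in commands[:pos])
        findings.append(f"{filename}:{line_no}: signature SET runs after "
                        f"{earlier}; move it to the first line or into STARTUP.NCF")
    return findings


# Constructed sample scripts for the demonstration (not from a real server).
WEAK_AUTOEXEC = """\
# AUTOEXEC.NCF as commonly written: signature set late in the boot
FILE SERVER NAME FS1
LOAD NE2000 PORT=300 INT=3 FRAME=ETHERNET_802.2 NAME=NE2000_1
BIND IPX TO NE2000_1 NET=AAAA0001
MOUNT ALL
SET PACKET SIGNATURE LEVEL=3
LOAD MONITOR
"""

FIXED_AUTOEXEC = """\
# Same script with the signature line moved to the very front
SET PACKET SIGNATURE LEVEL=3
FILE SERVER NAME FS1
LOAD NE2000 PORT=300 INT=3 FRAME=ETHERNET_802.2 NAME=NE2000_1
BIND IPX TO NE2000_1 NET=AAAA0001
MOUNT ALL
LOAD MONITOR
"""

FIXED_STARTUP = """\
# Alternative: set it in STARTUP.NCF, which runs before DS.NLM loads
LOAD IDE.DSK PORT=1F0 INT=E
SET NCP PACKET SIGNATURE OPTION=3
"""

if __name__ == "__main__":
    for name, text in (("AUTOEXEC.NCF", WEAK_AUTOEXEC),
                       ("AUTOEXEC.NCF", FIXED_AUTOEXEC),
                       ("STARTUP.NCF", FIXED_STARTUP)):
        for line in audit_ncf(name, text) or [f"{name}: OK"]:
            print(line)
    for ver in ("5.73", "5.95", "5.99"):
        print(f"DS.NLM {ver}: {'VULNERABLE' if ds_nlm_vulnerable(ver) else 'patched'}")
```

    Run as-is it flags the constructed AUTOEXEC.NCF whose signature line
    follows FILE, LOAD, BIND and MOUNT, and passes the two corrected
    scripts.  To check a live server, feed audit_ncf the contents of its
    AUTOEXEC.NCF (SYS:SYSTEM) and STARTUP.NCF (the DOS boot directory
    holding SERVER.EXE), and ds_nlm_vulnerable the version that MODULES
    reports for DS.NLM.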