COMMAND
Netware - NDS (TTS)
SYSTEMS AFFECTED
Netware 4.x's TTS
PROBLEM
The following was found by Simple Nomad (NMRC). It is possible to
overflow the Transaction Tracking System (TTS) built into Novell
Netware and possibly crash multiple servers. The testing was done
with the following configuration:
Netware 4.11, Service Pack 5B
It was also confirmed on Netware 4.1. All systems had 64MB RAM
and 1 GB drive space.
The Transaction Tracking System (TTS) is used by Novell Netware to
help preserve the integrity of data during a system crash. If a
transaction is in the process of being written to the hard drive
when the system crashes, upon reboot the partial transaction is
backed out preserving the integrity of the original data.
Administrators can optionally flag a file with the TTS flag to add
this protection (typically done with databases, especially those
that have no rollback features). TTS by default tracks 10,000
transactions, and each tracked transaction uses a small amount of
memory. If a burst of transactions is sent to the server and the
available memory is exhausted, TTS disables itself. While TTS is
disabled, no updates can be made to Netware Directory Services.
This can impact any program or process that updates NDS, such as
login. In extreme overrun cases, such as very large simultaneous
(or, more realistically, near-simultaneous) transactions, memory
is depleted quickly enough to crash the server.
This is not entirely uncommon, as any large burst of traffic
updating NDS will cause the problem, such as bringing up a server
after several days of downtime that has a Directory Services
replica on it. Normally this can be corrected by increasing RAM
or by lowering the number of transactions tracked from the default
maximum of 10,000 down to, say, 5,000 by issuing the command SET
MAXIMUM TRANSACTIONS = 5000 at the console or via ServMan, and
then re-enabling TTS by typing ENABLE TTS at the console. However, a
malicious user with proper access can force the memory depletion
and potentially crash a server that has a replica of the NDS
database. This can lead to multiple near-simultaneous server
crashes.
Of course anyone with administrative access can do this, but they
could obviously do other acts that could be just as destructive,
if not more so. What is needed is the ability to create a large
number of NDS updates very quickly. For example, if a user has
the ability to create a container and add objects to it, then that
user has enough authority to potentially cause problems for TTS.
Creating a container, dropping a few hundred objects into the
container via drag-and-drop and then deleting the container should
suffice. If the server lacks a large amount of free memory, the
server will quite possibly abend. In other cases, TTS is
disabled, which is a form of Denial of Service. As the messages
are sent across to other servers containing NDS replicas, they too
may crash. In a test environment, NMRC was able to crash two
servers (Netware 4.1 and Netware 4.11) with the scenario of
creating a container, adding a few hundred users, and then
deleting the container. Thanks to Michel Labelle for notifying
NMRC about this problem.
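The pattern described above (one user generating hundreds of NDS
object creates and deletes within seconds) is easy to spot in a
directory change log, and spotting it early is how an administrator
learns that TTS is about to disable or that a replica server is at
risk. The following detector is an added example; it is not NMRC's
or Novell's code, and it does not parse any real NetWare audit
format. The log layout ("<ISO-8601 time> <user> <action> <object>"),
the 60-second window, the 200-update threshold, and the choice of
which actions count as NDS transactions are all assumptions made
for the example; the sample log it runs over is constructed inline.

```python
"""Sliding-window burst detector for directory (NDS) update events.

Added example, not from the advisory. The event format is constructed
for this example and is NOT NetWare's AUDITCON format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # assumed sliding window
THRESHOLD = 200                     # assumed: tracked updates per user per window
TRACKED = {"CREATE", "DELETE"}      # assumed: actions that generate TTS transactions


def parse_event(line):
    """Parse one constructed log line into (timestamp, user, action, object)."""
    ts, user, action, obj = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, obj


def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return [(user, window_start, count)] for each user whose number of
    tracked updates inside `window` reaches `threshold`. One alert per user,
    raised the moment the threshold is crossed."""
    windows = defaultdict(deque)    # per-user timestamps inside the window
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, user, action, _obj = parse_event(line)
        if action not in TRACKED:
            continue
        q = windows[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerts.append((user, q[0], len(q)))
            alerted.add(user)
    return alerts


def constructed_log():
    """Build a constructed sample log: routine MODIFY traffic from 'alice',
    plus the create-container / add 300 users / delete-container sequence
    from 'bob', which is the burst the advisory describes."""
    lines = []
    t0 = datetime(1998, 2, 10, 9, 0, 0)
    for i in range(20):
        t = t0 + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} alice MODIFY CN=alice.OU=Staff.O=Corp")
    t = t0 + timedelta(minutes=5)
    lines.append(f"{t.isoformat()} bob CREATE OU=Scratch.O=Corp")
    for i in range(300):
        t += timedelta(milliseconds=100)   # 300 creates in 30 seconds
        lines.append(f"{t.isoformat()} bob CREATE CN=u{i:03d}.OU=Scratch.O=Corp")
    t += timedelta(seconds=1)
    lines.append(f"{t.isoformat()} bob DELETE OU=Scratch.O=Corp")
    return lines


if __name__ == "__main__":
    for user, start, count in find_bursts(constructed_log()):
        print(f"burst: {user} issued {count} NDS updates starting {start}")
```

In practice the threshold should be set relative to the server's
MAXIMUM TRANSACTIONS value and available RAM, since the advisory's
point is that the harm begins when tracked transactions outrun free
memory; the detector only tells you a burst is under way, so that TTS
can be checked and re-enabled before replica servers are affected.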
SOLUTION
NMRC has heard reports of as many as a dozen servers crashing
within a couple of minutes of each other, so apply the latest
Service Pack for Netware 4.x on all servers or upgrade to Netware
5. Per Novell, the latest patches for Netware 4.x correct the
problem, and Netware 5 does not have the problem at all.