COMMAND
The Network
SYSTEMS AFFECTED
Novell Netware 5.x
PROBLEM
The following is based on an NMRC Advisory. Using sniffing
techniques, it is possible to recover files during the transfer
between server and workstation. Testing was done with the
following configuration:
Novell Netware 5.x
Service Pack 6
The Packet Signature feature of Netware simply signs packets, and
affords no encryption. This means files that are moved from
server to workstation can be copied on the fly by a rogue
workstation using sniffing techniques. Even in burst mode the
files can still be grabbed. Proof of concept code is included in
the recently released Pandora v4 Beta 2.
Any file that is transferred across the network can potentially be
sniffed. This includes everything from executables being run to
system administration files (such as NCF files) that are
downloaded, to say nothing about the myriad of Word documents, NT
profiles, Excel spreadsheets, and anything else that gets loaded
up into a workstation's RAM (or transferred to the hard disk).
NMRC do realize this is not a new issue, as it has always been
around. They just made it a little easier to do this on the fly.
SOLUTION
Two approaches will work to prevent this type of attack. First
off, if you are in a switched environment, sniffing attacks will
not work, so you could move to switched Ethernet as a possible
solution. Secondly, you could configure all of your servers with
BorderManager VPN 3 and make all client machines authenticate
that way. Granted, if you have a large shop, this will require
larger servers, touching every client, etc., and then making sure
you specifically configure the VPN software to encrypt everything
(BorderManager allows you to select what gets encrypted to help
improve throughput). NMRC did not test these workarounds, but
logically they should work.
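
The difference between signing and encrypting described under PROBLEM, and a check for the "encrypt everything" setting described under SOLUTION, as an added example that is not part of the NMRC advisory or Pandora. HMAC-SHA256 stands in for the NetWare packet signature (its real format is not modeled), random bytes stand in for tunnel ciphertext, and the sample file content, function names and entropy threshold are all assumptions.

```python
import hashlib
import hmac
import math
import os
from collections import Counter

SIG_LEN = 32  # HMAC-SHA256 tag size; a stand-in, not NetWare's signature format

# Constructed sample standing in for a text file sent from server to workstation.
SAMPLE = b"".join(b"REM constructed line %04d\r\n" % i for i in range(64))


def sign_frame(key: bytes, payload: bytes) -> bytes:
    """Integrity only: append a tag and leave the payload bytes untouched."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_frame(key: bytes, frame: bytes) -> bool:
    """Recompute the tag; any change to the payload makes this fail."""
    payload, tag = frame[:-SIG_LEN], frame[-SIG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution, from 0.0 to 8.0."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def looks_encrypted(payload: bytes, threshold: float = 7.5) -> bool:
    """Heuristic for captured payloads: ciphertext sits near 8 bits/byte and
    plain text far lower. Compressed files also score high, so a True result
    is not proof of encryption; a False result on bulk data is a red flag."""
    return len(payload) >= 1024 and entropy_bits_per_byte(payload) >= threshold


def simulated_ciphertext(n: int) -> bytes:
    """Random bytes standing in for what an encrypting tunnel puts on the wire."""
    return os.urandom(n)


if __name__ == "__main__":
    key = os.urandom(16)
    frame = sign_frame(key, SAMPLE)
    print("signature verifies:        ", verify_frame(key, frame))
    print("payload readable in frame: ", SAMPLE in frame)
    print("signed payload encrypted?  ", looks_encrypted(frame[:-SIG_LEN]))
    print("tunnel payload encrypted?  ", looks_encrypted(simulated_ciphertext(4096)))
```

Run against payloads captured on your own segment after the VPN is configured, a False result on bulk file transfers points to traffic that was left out of the encryption selection.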