COMMAND

    Netscape Directory Server

SYSTEMS AFFECTED

    - Netscape Directory Server 4.1 (bundled with Netscape Messaging Server)
    - Netscape Directory Server 4.12 (may be DoS only)

PROBLEM

    The following is based on an @stake Advisory Notification
    (A030701-1) by Frank Swiderski.  The Netscape Directory Server
    that comes with Netscape Messaging Server 4.15SP3 is vulnerable to
    a buffer overflow condition if a specially crafted query is
    received.  The Directory Server is used to store various user
    information for Messenger.  The overflow can result in either a
    denial of service or arbitrary code execution on the server.
    Netscape Directory Server 4.12 is also subject to the same
    overflow; however, code execution may or may not be possible,
    depending on the location the resultant string is copied to.

    Note that Netscape Messaging Service will ask for a directory
    server to use during installation; by default it will install and
    use its own copy of Directory Server 4.1.  The Messaging service
    also enables services which use the Directory Server, such as
    SMTPD, by default.  Both the Messaging Server and the Directory
    Server are available for many flavors of Unix as well as for
    Windows NT, and are commonly used for managing corporate email.

    For more information on LDAP and its protocols, ldapman.org has an
    excellent collection of LDAP RFC links at

        http://ldapman.org/ldap_rfcs.html

    For SMTP, see RFC-821 and RFC-822.

    The exposure to existing customers is isolated to the Directory
    Server 4.11 and 4.12 products.  As reported, the overflow can
    result in either a denial of service or arbitrary code execution
    on the server.  Netscape Directory Server 4.12 is also subject to
    the same denial of service overflow; however, code execution is
    not possible.

    The buffer overflow in the SMTP session of Netscape Mail Server
    4.15p3 has been resolved by a fix in the NMS 4.15p4 release.  This
    fix limits the line size of any given command in SMTP command
    mode.  Should you send a very long (> 16KB) line to the MTA in
    command mode, you will get a disconnect with a reply of 550 +
    text.
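
    The line-size limit described above, sketched as an added example
    (not code from Netscape, iPlanet or the advisory): a bounded SMTP
    command-line reader in C.  The names cmd_reader, cmd_feed and
    feed_constructed_line, the 550 reply text, and counting the 16KB
    cap over the bytes before LF are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* 16KB cap from the advisory; applying it to the bytes before LF is an assumption. */
#define SMTP_MAX_LINE (16 * 1024)
/* Constructed reply text; the advisory only says "550 + text". */
#define REPLY_TOO_LONG "550 Command line too long\r\n"
enum feed_result { NEED_MORE, LINE_READY, LINE_TOO_LONG };

struct cmd_reader {
    char   buf[SMTP_MAX_LINE + 1];  /* +1 for the terminating NUL */
    size_t len;                     /* bytes held for the current line */
};

/* Feed one received chunk; *used is how many bytes of it were examined.
 * The bound is checked before each byte is stored, so buf cannot be overrun.
 * LINE_READY: dispatch r->buf, reset r->len. LINE_TOO_LONG: send REPLY_TOO_LONG, close. */
enum feed_result cmd_feed(struct cmd_reader *r, const char *data, size_t n,
                          size_t *used)
{
    for (*used = 0; *used < n; ) {
        char c = data[(*used)++];
        if (c == '\n') {
            if (r->len > 0 && r->buf[r->len - 1] == '\r')
                r->len--;                /* strip the CR of CRLF */
            r->buf[r->len] = '\0';
            return LINE_READY;
        }
        if (r->len >= SMTP_MAX_LINE)     /* refuse before writing past the cap */
            return LINE_TOO_LONG;
        r->buf[r->len++] = c;
    }
    return NEED_MORE;
}

/* Constructed input: n filler bytes then CRLF, delivered in 512-byte chunks. */
enum feed_result feed_constructed_line(size_t n)
{
    static struct cmd_reader r;
    char chunk[512];
    size_t used;
    enum feed_result res = NEED_MORE;
    r.len = 0;
    memset(chunk, 'A', sizeof chunk);
    for (; n > 0 && res == NEED_MORE; n -= used)
        res = cmd_feed(&r, chunk, n < sizeof chunk ? n : sizeof chunk, &used);
    return res == NEED_MORE ? cmd_feed(&r, "\r\n", 2, &used) : res;
}

int main(void) { return feed_constructed_line(SMTP_MAX_LINE) != LINE_TOO_LONG; } /* 0 = refused */
```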

    The iPlanet Messaging Server 5.0 release bundles Directory  Server
    4.12, and it also requires  the upgrade to Directory Server  4.13.
    Messaging  Server  5.0  does  not  contain  the  same SMTP session
    overflow issue.

    Original advisory:

        http://www.atstake.com/research/advisories/2001/a030701-1.txt

SOLUTION

    iPlanet Directory Server  (iDS) Support greatly  appreciates these
    issues being brought to their attention.  These issues do occur in
    the following iPlanet products:

    For all products, an immediate upgrade to Directory Server 4.13 is
    available through the  iPlanet Support Channel.   In addition,  NS
    recommends NMS 4.15 customers upgrade to Patch 4.