SEC Consult SA-20141219-0 :: XSS & Memory Disclosure vulnerabilities in NetIQ eDirectory NDS iMonitor

From: SEC Consult Vulnerability Lab <>
Subject: SEC Consult SA-20141219-0 :: XSS & Memory Disclosure vulnerabilities in NetIQ eDirectory NDS iMonitor

SEC Consult Vulnerability Lab Security Advisory < 20141219-0 >
              title: XSS & Memory Disclosure
            product: NetIQ eDirectory NDS iMonitor
 vulnerable version: 8.8 SP8, 8.8 SP7
      fixed version: 8.8 SP8 HF 4,
                     fix available for versions 8.8 SP7 ( HF 4, HF 3)
         CVE number: CVE-2014-5212, CVE-2014-5213
             impact: High
              found: 2014-10-29
                 by: W. Ettlinger
                     SEC Consult Vulnerability Lab

Vendor description:
"eDirectory(TM) is a full-service, secure LDAP directory providing incredible
scalability and an agile platform to run your organization's identity
infrastructure and multi-platform network services."


Business recommendation:
An attacker without an account on the NetIQ eDirectory NDS iMonitor is able
to gain administrative access by luring an authenticated administrator to
visit an attacker-controlled web site. Moreover, an authenticated attacker
is able to retrieve internal data which potentially contains sensitive

As the NetIQ eDirectory is often used to maintain a centralized user database
it is a very attractive target for an attacker. By compromising this system,
an attacker may be able to conduct further attacks on other systems.

SEC Consult recommends immediately conducting a full security review of
this software, especially if it is used as a centralized user database.

Vulnerability overview/description:
1) Memory Disclosure (CVE-2014-5213)
Using crafted HTTP requests, an administrative user can retrieve parts of the
virtual memory from the service. This potentially discloses secret data like

2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)
A reflected cross site scripting vulnerability was identified. An attacker
could take over the user account of a valid administrator.

Proof of concept:
1) Memory Disclosure (CVE-2014-5213)
When accessing the following URL as an authenticated user, parts of the virtual
memory can be retrieved:


2) Reflected Cross Site Scripting (XSS, CVE-2014-5212)
The following URL demonstrates a reflected XSS flaw:


Vulnerable / tested versions:
The vulnerabilities have been verified to exist in the NetIQ eDirectory NDS
iMonitor version 8.8 SP8, which was the most recent version at the time of

Vendor contact timeline:
2014-10-29: Contacting, sending responsible disclosure
            policy and PGP keys
2014-10-29: Vendor redirects to, providing PGP keys
            through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-11-18: Novell: the vulnerabilities have been fixed by development; the
            patches will be released end of November
2014-12-08: Novell: the release has been pushed to Dec. 8th
2014-12-09: Novell: the release should be released tomorrow;
            The hotfix for is still pending
2014-12-17: Verifying release of advisory; asking whether patches have been
2014-12-18: Novell: Patches have been released
2014-12-19: Coordinated release of security advisory

Solution:
Update to the release or apply fix for versions 8.8 SP 7.

Workaround:
No workaround available.

Advisory URL:

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com


EOF W. Ettlinger / @2014
