BID:12390

Novell iChain OACINT Insecure Default Configuration Exposure

Info

Novell iChain OACINT Insecure Default Configuration Exposure

Bugtraq ID:	12390
Class:	Configuration Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 27 2005 12:00AM
Updated:	Jan 27 2005 12:00AM
Credit:	This exposure was announced by the vendor.
Vulnerable:	Novell iChain Server 2.3 Novell iChain Server 2.2 SP3 Novell iChain Server 2.2 SP2 Novell iChain Server 2.2 SP1

Not Vulnerable:

Discussion

Novell iChain OACINT Insecure Default Configuration Exposure

It is reported that by default the Novell iChain OACINT service will bind to all available interfaces. This behavior has been modified, by default the service now binds to the loopback interface only. This eliminates the exposure of the service to potentially hostile networks.

Exploit / POC

Novell iChain OACINT Insecure Default Configuration Exposure

No exploit is required.

Solution / Fix

Novell iChain OACINT Insecure Default Configuration Exposure

Solution:
The vendor has released an advisory (TID2970619) and a support pack to address this exposure:

Novell iChain Server 2.2 SP3

Novell ic23sp2.exe
http://support.novell.com/servlet/filedownload/sec/pub/ic23sp2.exe

Novell iChain Server 2.2 SP1

Novell ic23sp2.exe
http://support.novell.com/servlet/filedownload/sec/pub/ic23sp2.exe

Novell iChain Server 2.2 SP2

Novell ic23sp2.exe
http://support.novell.com/servlet/filedownload/sec/pub/ic23sp2.exe

Novell iChain Server 2.3

Novell ic23sp2.exe
http://support.novell.com/servlet/filedownload/sec/pub/ic23sp2.exe

References

Novell iChain OACINT Insecure Default Configuration Exposure

References:

TID2970619 - iChain 2.3 Support Pack 2 (Novell)