发布时间 :2006-03-23 06:06:00
修订时间 :2016-08-30 21:59:03

[原文]The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) sometimes selects a weak cipher instead of an available stronger cipher, which makes it easier for remote attackers to sniff and decrypt an SSL protected session.

[CNNVD]Novell NetWare和Novell 'NILE.NLM' 开放服务器弱密码代替SSL会话漏洞(CNNVD-200603-402)

        在Novell NetWare 6.5和Novell 开放服务器(OES)的NILE.NLM中的SSL服务器实施,有时用一个弱密码代替一个已获得的较强密码,这使得远程攻击者更易于嗅探和解密一个SSL保护会话。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:novell:netware:6.5:sp2Novell NetWare 6.5 Service Pack 2
cpe:/a:novell:open_enterprise_serverNovell Open Enterprise Server
cpe:/o:novell:netware:6.5:sp1Novell NetWare 6.5 Service Pack 1
cpe:/o:novell:netware:6.5:sp4Novell NetWare 6.5 Service Pack 4
cpe:/o:novell:netware:6.5:sp3Novell NetWare 6.5 Service Pack 3
cpe:/o:novell:netware:6.5Novell NetWare 6.5

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  17176
(UNKNOWN)  BID  64758
(UNKNOWN)  VUPEN  ADV-2006-1043
(UNKNOWN)  XF  netware-nile-weak-encryption(25381)

- 漏洞信息

Novell NetWare和Novell 'NILE.NLM' 开放服务器弱密码代替SSL会话漏洞
中危 设计错误
2006-03-23 00:00:00 2006-03-23 00:00:00
        在Novell NetWare 6.5和Novell 开放服务器(OES)的NILE.NLM中的SSL服务器实施,有时用一个弱密码代替一个已获得的较强密码,这使得远程攻击者更易于嗅探和解密一个SSL保护会话。

- 公告与补丁


- 漏洞信息

Novell NetWare NILE.NLM SSL Server Unspecified Weak Encryption Support
Remote / Network Access Cryptographic
Loss of Confidentiality
Exploit Unknown

- 漏洞描述

Novell NetWare and Novell Open Enterprise Server contains a unspecified flaw that may allow a malicious user to use a less secure SSL connection. The issue is triggered because SSL server implementation in NILE.NLM sometimes selects a weak cipher instead of an available stronger cipher. It is possible that the flaw may allow remote attackers to decrypt contents of an SSL protected session resulting in a loss of confidentiality.

- 时间线

2006-03-17 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, vendor has released a patch NILE65SP5A.EXE to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete