// For flags

CVE-2010-4227

Novell Netware RPC XNFS xdrDecodeString Remote Code Execution Vulnerability

Severity Score

10.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

4
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The xdrDecodeString function in XNFS.NLM in Novell Netware 6.5 before SP8 allows remote attackers to cause a denial of service (abend) or execute arbitrary code via a crafted, signed value in a NFS RPC request to port UDP 1234, leading to a stack-based buffer overflow.

La función xdrDecodeString en XNFS.NLM en Novell Netware v6.5 anterior a SP8 permite a atacantes remotos provocar una denegación de servicio o ejecutar código arbitrario a través de un valor firmado manipulado en una peticion RPC NFS para el puerto UDP 1234, dando lugar a un desbordamiento de búfer basado en pila.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Netware. Authentication is not required to exploit this vulnerability.
The flaw exists within the XNFS.NLM component which listens by default on UDP port 1234. When handling the an NFS RPC request the xdrDecodeString function uses a user supplied length value to null terminate a string. This value can be signed allowing the NULL byte to be written at an arbitrary address. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the system.

*Credits: Francis Provencher for Protek Researchh Lab's
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2010-11-10 CVE Reserved
  • 2011-02-18 CVE Published
  • 2011-02-24 First Exploit
  • 2024-03-13 EPSS Updated
  • 2024-08-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Novell
Search vendor "Novell"
 Netware
Search vendor "Novell" for product "Netware"
 <= 6.5
Search vendor "Novell" for product "Netware" and version " <= 6.5"
sp7
Affected
Novell
Search vendor "Novell"
 Netware
Search vendor "Novell" for product "Netware"
 6.5
Search vendor "Novell" for product "Netware" and version "6.5"
-
Affected
Novell
Search vendor "Novell"
 Netware
Search vendor "Novell" for product "Netware"
 6.5
Search vendor "Novell" for product "Netware" and version "6.5"
sp1
Affected
Novell
Search vendor "Novell"
 Netware
Search vendor "Novell" for product "Netware"
 6.5
Search vendor "Novell" for product "Netware" and version "6.5"
sp2
Affected
Novell
Search vendor "Novell"
 Netware
Search vendor "Novell" for product "Netware"
 6.5
Search vendor "Novell" for product "Netware" and version "6.5"
sp3
Affected
Novell
Search vendor "Novell"
 Netware
Search vendor "Novell" for product "Netware"
 6.5
Search vendor "Novell" for product "Netware" and version "6.5"
sp4
Affected
Novell
Search vendor "Novell"
 Netware
Search vendor "Novell" for product "Netware"
 6.5
Search vendor "Novell" for product "Netware" and version "6.5"
sp5
Affected
Novell
Search vendor "Novell"
 Netware
Search vendor "Novell" for product "Netware"
 6.5
Search vendor "Novell" for product "Netware" and version "6.5"
sp6
Affected