CVE-1999-1086
Description
Novell NetWare 5 and earlier allow remote attackers to gain admin privileges by spoofing MAC addresses in IPX fragmented NCP packets when packet signature level is below 3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Novell NetWare 5 and earlier (including 4.x) running over IPX, fragmented NCP calls (type 0x68) are not cryptographically signed when the packet signature level is set below 3 [1]. This allows an attacker to forge the source MAC address of an administrator and inject arbitrary NCP requests.
Exploitation
An attacker must be on the same IPX network segment to observe or spoof MAC addresses. By capturing the MAC address of an authenticated administrator, the attacker can craft fragmented IPX packets with that spoofed MAC and send NCP calls that the server will accept as coming from the legitimate admin [1]. No additional authentication or user interaction is required.
Impact
Successful exploitation grants the attacker full administrator privileges on the target NetWare server. The attacker can execute any NCP call, including creating or deleting users, modifying files, and compromising the entire NDS tree [1].
Mitigation
Set the packet signature level to 3 on both the server and all clients. This forces all NCP packets, including fragmented ones, to be signed and verified [1]. Alternatively, migrate from IPX to NetWare/IP, which does not rely on MAC address trust. Novell had not released a complete fix at the time of the advisory [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
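The mitigation above can be checked across collected server and client configuration files. This is an added example, not part of the CVE record or any vendor tooling; the directive spellings (`SET NCP Packet Signature Option` in AUTOEXEC.NCF, `SIGNATURE LEVEL` in NET.CFG), the comment markers, and the sample files are assumptions.

```python
import re

REQUIRED_LEVEL = 3  # level the advisory text requires on the server and every client

# Assumed directive spellings (not on the page): server SET parameter in
# AUTOEXEC.NCF, and the client setting in NET.CFG.
SERVER_RE = re.compile(r"^SET\s+NCP\s+PACKET\s+SIGNATURE\s+OPTION\s*=\s*(\d+)$", re.I)
CLIENT_RE = re.compile(r"^SIGNATURE\s+LEVEL\s*=\s*(\d+)$", re.I)
COMMENT_PREFIXES = ("#", ";", "REM ")  # assumed comment markers

def configured_level(text, pattern):
    """Return the last uncommented signature level in a config file, or None."""
    level = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith(COMMENT_PREFIXES):
            continue
        match = pattern.match(line)
        if match:
            level = int(match.group(1))  # assumed: a later line overrides an earlier one
    return level

def audit(configs):
    """configs maps file name -> (kind, text); returns (name, finding) pairs."""
    findings = []
    for name, (kind, text) in sorted(configs.items()):
        level = configured_level(text, SERVER_RE if kind == "server" else CLIENT_RE)
        if level is None:
            findings.append((name, "signature level not set explicitly; verify the effective value"))
        elif level < REQUIRED_LEVEL:
            findings.append((name, f"signature level {level} is below {REQUIRED_LEVEL}"))
    return findings

# Constructed sample files (host names and contents are made up for illustration).
SAMPLE = {
    "FS1/AUTOEXEC.NCF": ("server", "SET NCP Packet Signature Option = 3\n"),
    "FS2/AUTOEXEC.NCF": ("server", "# SET NCP Packet Signature Option = 3\n"
                                   "SET NCP Packet Signature Option = 1\n"),
    "WS07/NET.CFG": ("client", "NetWare DOS Requester\n    SIGNATURE LEVEL = 2\n"),
    "WS08/NET.CFG": ("client", "NetWare DOS Requester\n    FIRST NETWORK DRIVE = F\n"),
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A file with no explicit setting is reported as well, because the mitigation depends on the effective level on both ends rather than on what one file happens to say.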
Affected products (3)
Patches (0)
No patches discovered yet.
References (2)
- www.securityfocus.com/bid/528 (nvd: Exploit, Patch, Vendor Advisory)
- marc.info (nvd)