A potentially devastating security leak has been discovered in Novell's NetWare that could give hackers administrative control over any system running both version 3.x and 4.x of the operating system.
The Pandora 2.0 IPX protocol bug has been discovered by the US hacker group Nomad Mobile Research Centre, whose members are all anonymous. The group claims it can break into the heart of Novell Directory Services (NDS), allowing internal hackers to steal passwords from a user's log-in sequence.
Paul Gardner, chairman of the NetWare User Association, explained: "The hacks are based on spoofing IPX client packets using bindery emulation.
If you're using NetWare 3 servers running bindery emulation and NetWare 4 with NDS it is possible, in very specific circumstances, to gain access to the system. It is a backwards compatibility issue. However, if you're using IP, NetWare 5, or if you turn off bindery emulation, most of the hacks don't work."
Andy Mulholland, analyst at Cap Gemini, said, "There was a lot of work involved in re-organising the file structure from NetWare 3 to NetWare 4 so many companies adopted one file server for managing NetWare 4, leaving the others running version 3 and its bindery. There will be hundreds of SMEs and departments within large corporates in this position."
Derek Venter, platforms and NDS product manager at Novell, blames the shortage of qualified IT staff: "In the UK, people have not learned about NetWare 4 as the rest of the technical community has around the world.
My main criticism is they are not technical enough to realise that NetWare 4 is easier to use than version 3."
Novell said that, in addition to switching off bindery emulation, customers could prevent Pandora attacks by setting the client and server signature level to three - the highest level. Novell stated that a hack could only be conducted internally by someone with access to the NetWare LAN.
Mulholland pointed out that: "Internal security breaches are more of a threat than external ones; it's often employees thinking they're being a bit mischievous and it goes too far. Or it could be ex-employees harbouring a grudge."
The latest Pandora hack, v3.0, was released in mid-July, but Novell said that Support Pack 5b, available now, advises users on how to prevent Pandora security breaches.