NetWare 3.11 users are advised to lock up their file servers following the posting of a security-cracking NetWare Loadable Module to the Internet. Source code for the Module, which once loaded and run changes the Supervisor password to ‘supervisor’, was posted on the comp.sys.novell news group at the beginning of the month by a researcher at the University of Texas. The news group is widely read worldwide.
The original intent, apparently, was to aid systems integrators and support organisations that have to deal with forgetful supervisors, according to Systems & Network Integration, which originally reported the posting. The magazine said that the message was only on the Net for a couple of days, and the UK sites that our sister publication, Network Week, logged into said the offending message had already expired.
NetWare is not particularly secure, and it has long been known that anyone with physical access to the server could re-boot the machine from an MS-DOS disk and then fiddle about with security files before restarting it. The NetWare Loadable Module is a rather more serious threat, though, since it both simplifies the process and, in the worst case, removes the need for a miscreant to have physical access to the server at all.
That scenario becomes realistic when the network manager has installed the ‘Remote’ NetWare Module on the file server. Using this and the associated Rconsole application, client workstations become the exact equivalent of the console, including the ability to load Modules. It is possible to add password protection to the remote console facility and indeed to password-lock the physical console, but the fact that the rogue Module relies on well-known techniques to uncover security files does leave the network operating system looking uncomfortably vulnerable.
For those that have forgotten their password and don’t have a copy of the NetWare Loadable Module, independent consultant Richard Thomas points out that Novell’s Provo, Utah headquarters can help. The company has its own version of the Module which it ships to distressed users who can supply the serial number of their copy of NetWare. According to Thomas, once the Module is received, a phone call to Novell elicits a password, valid for just 30 minutes, which enables the supervisor password to be changed.