Vulnerability Name:

CVE-2007-5667 (CCN-38434)

Assigned:2007-11-12
Published:2007-11-12
Updated:2021-07-07
Summary:NWFILTER.SYS in Novell Client 4.91 SP 1 through SP 4 for Windows 2000, XP, and Server 2003 makes the \.\nwfilter device available for arbitrary user-mode input via METHOD_NEITHER IOCTLs, which allows local users to gain privileges by passing a kernel address as an argument and overwriting kernel memory locations.
CVSS v3 Severity:9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-20
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2007-5667

Source: IDEFENSE
Type: UNKNOWN
20071112 Novell NetWare Client NWFILTER.SYS Local Privilege Escalation Vulnerability

Source: OSVDB
Type: UNKNOWN
40867

Source: CCN
Type: SA27678
Novell Client NWFILTER.SYS Privilege Escalation Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
27678

Source: CCN
Type: SECTRACK ID: 1018943
Novell Client Lets Local Users Gain Kernel Level Privileges

Source: CCN
Type: OSVDB ID: 40867
Novell Client NWFILTER.SYS Local Privilege Escalation

Source: BID
Type: UNKNOWN
26420

Source: CCN
Type: BID-26420
Novell Client for Windows NWFILTER.SYS Local Privilege Escalation Vulnerability

Source: SECTRACK
Type: UNKNOWN
1018943

Source: VUPEN
Type: UNKNOWN
ADV-2007-3846

Source: XF
Type: UNKNOWN
novell-client-nwfilter-privilege-escalation(38434)

Source: XF
Type: UNKNOWN
novell-client-nwfilter-privilege-escalation(38434)

Source: CCN
Type: iDefense Labs PUBLIC ADVISORY: 11.12.07
Novell NetWare Client NWFILTER.SYS Local Privilege Escalation Vulnerability

Source: CCN
Type: Novell Security Alert 3260263
Architectural and security problems with NWFILTER.SYS

Source: CONFIRM
Type: Patch
https://secure-support.novell.com/KanisaPlatform/Publishing/98/3260263_f.SAL_Public.html

Vulnerable Configuration:Configuration 1:
  • cpe:/o:microsoft:windows_2000:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:pro:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:tablet_pc:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2000:*:*:adv_srv:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2000:*:*:datacenter_srv:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2000:*:*:pro:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:std:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:64bit:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:embedded:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2000:*:*:srv:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2000:*:*:srv:ja:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:wed:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:ibm_oem:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:media_center:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:x64-std:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:xp-64bit:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:x64:*:*:*:*:*
  • AND
  • cpe:/a:novell:client:4.91:sp2:*:*:*:*:*:*
  • OR cpe:/a:novell:client:4.91:sp3:*:*:*:*:*:*
  • OR cpe:/a:novell:client:4.91:sp4:*:*:*:*:*:*
  • OR cpe:/a:novell:client:4.91:sp1:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:novell:client:4.91:sp4:*:*:*:*:*:*
  • OR cpe:/a:novell:client:4.91:sp3:*:*:*:*:*:*
  • OR cpe:/a:novell:client:4.91:sp2:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    microsoft windows 2000 -
    microsoft windows server 2003 *
    microsoft windows server 2003 *
    microsoft windows server 2003 *
    microsoft windows server 2003 *
    microsoft windows xp *
    microsoft windows xp *
    microsoft windows 2000 *
    microsoft windows 2000 *
    microsoft windows 2000 *
    microsoft windows 2003 server *
    microsoft windows server 2003 *
    microsoft windows xp *
    microsoft windows xp *
    microsoft windows 2000 *
    microsoft windows 2000 *
    microsoft windows 2003 server *
    microsoft windows 2003 server *
    microsoft windows xp *
    microsoft windows xp *
    microsoft windows 2003 server -
    microsoft windows xp -
    microsoft windows server 2003 *
    microsoft windows 2003 server *
    microsoft windows 2003 server *
    microsoft windows 2003 server *
    microsoft windows xp *
    novell client 4.91 sp2
    novell client 4.91 sp3
    novell client 4.91 sp4
    novell client 4.91 sp1
    novell client 4.91 sp4
    novell client 4.91 sp3
    novell client 4.91 sp2