Title: Navision Financials Server DoS Vulnerability
Severity: MODERATE
Description:
Navision Financials server is a financial management system with internet-enabled components. Financials includes a server program, used for handling data from remote hosts. This server listens on port 2407.
A denial of service vulnerability exists in this server. An attacker sending invalid input (a 'null' followed by a large amount of arbitrary characters) to port 2407 will cause the 'SERVER.EXE' process to terminate. It is believed that this is the result of a buffer overflow condition. If this is the case, it may be possible for an attacker to execute arbitrary code through this vulnerability.
It has been shown that this vulnerability can be exploited as a DoS in at least two ways. An attacker can make a connection to the server and send a null byte followed by approximately 30K of data. An attacker can also send smaller amounts of data following a null byte over multiple, concurrent connections to the server (for example, approximately 100 bytes over 10 connections). Following successful attacks, the server process 'SERVER.EXE' will terminate and a denial of service will occur.
Both scenarios allow a remote denial of service attack on Navision Financials and possibly other applications depending on it.
A restart of the server is required in order to gain normal functionality.
Affected Products:
- Navision Financials Server 2.50.0
- Navision Financials Server 2.60.0
References:
- Navision: Navision Financials Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
