Advisory Details

May 19th, 2014

(0Day) Novell NetIQ Sentinel Agent Manager NQMcsVarSet DumpToFile Remote Code Execution Vulnerability


CVE ID CVE-2014-3460
AFFECTED PRODUCTS NetIQ Sentinel Agent Manager

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell NetIQ. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the NQMcsVarSet ActiveX control. The control exposes the DumpToFile method. The method does not properly sanitize the path for the filename, allowing for directory traversal. An attacker can leverage this vulnerability to write files under the context of the current process, which can then be used to execute code under the context of the current user.

VENDOR RESPONSE Novell states:

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI vulnerability disclosure policy on lack of vendor response.

Vendor Contact Timeline:
09/04/2013 - Case disclosed to vendor
03/31/2014 - ZDI sent follow-up to, no reply
04/08/2014 - ZDI sent follow-up to, no reply
04/16/2014 - ZDI sent follow-up to, no reply (apparently an old address)
04/18/2014 - ZDI sent follow-up to (new address), no reply
04/23/2014 - ZDI sent follow-up to
04/24/2014 - Vendor replied and request for a number to call to discuss this
04/24/2014 - ZDI replied with phone number, but received no call in response
05/19/2014 - ZDI publicly disclosed

-- Mitigation:
The killbit can be set on this control to disable scripting within Internet Explorer by modifying the data value of the Compatibilty Flags DWORD within the following location in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\B4B7CF9E-AD9E-11D8-AE3B-005056C00008
If the Compatibility Flags value is set to 0x00000400, the control can no longer be instantiated inside the browser.
For more information, please see:

Vendor Patch:
Vendor has issued an update to correct this vulnerability. More details can be found at:

  • 2013-09-04 - Initial contact attempt with vendor
  • 2014-05-19 - Public release of advisory
CREDIT Andrea Micalizzi aka rgod