_______________________________________________________________________________ Nomad Mobile Research Centre A D V I S O R Y www.nmrc.org Simple Nomad [thegnome@nmrc.org] 12May1998 _______________________________________________________________________________ Platform : Netware 4.x Application : NDS Severity : High Synopsis -------- It is possible to overflow the Transaction Tracking System (TTS) built into Novell Netware and possibly crash multiple servers. Tested configuration -------------------- The testing was done with the following configuration: Netware 4.11, Service Pack 5B Also confirmed on Netware 4.1. All systems had 64MB RAM and 1 GB drive space. Bug(s) report ------------- The Transaction Tracking System (TTS) is used by Novell Netware to help preserve the integrity of data during a system crash. If a transaction is in the process of being written to the hard drive when the system crashes, upon reboot the partial transaction is backed out preserving the integrity of the original data. Administrators can optionally flag a file with the TTS flag to add this protection (typically done with databases, especially those that have no rollback features). TTS by default tracks 10,000 transactions, and each instance uses a small amount of memory. If a burst of transactions are sent to the server and the available memory is exhausted, TTS will disable. While TTS is disabled, no updates can be made to Netware Directory Services. This can impact any program or process that updates NDS, such as login. In extreme overrun cases, such as very large simultaneous (or near simultaneous, actually) transactions, memory will be depleted quick enough to crash the server. This is not entirely uncommon, as any large burst of traffic updating NDS will cause the problem, such as bringing up a server after several days of downtime that has a Directory Services replica on it. Normally this can be corrected by increasing RAM or lowering the amount of transactions tracked from the maximum default of 10,000 down to say 5,000 by issuing the command SET MAXIMUM TRANSACTIONS = 5000 at the console or via ServMan, and enabling TTS by typing ENABLE TTS at the console. However, a malicious user with proper access can force the memory depletion and potentially crash a server that has a replica of the NDS database. This can lead to multiple near-simultaneous server crashes. Of course anyone with administrative access can do this, but they could obviously do other acts that could be just as destructive, if not more so. What is needed is the ability to create a large number of NDS updates very quickly. For example, if a user has the ability to create a container and add objects to it, them that user has enough authority to potentially cause problems to TTS. Creating a container, dropping a few hundred objects into the container via drag-and-drop and then deleting the container should suffice. If the server lacks a large amount of free memory, the server will quite possibly abend. In other cases, TTS is disabled, which is a form of Denial of Service. As the messages are sent across to other servers containing NDS replicas, they too may crash. In our test environment we were able to crash two servers (Netware 4.1 and Netware 4.11) with a the scenario of creating a container, adding a few hundred users, and then deleting the container. Solution/Workaround ------------------- NMRC has heard reports of as many as a dozen servers crashing within a couple of minutes of each other, so apply the latest Service Pack for Netware 4.x on all servers or upgrade to Netware 5. Comments -------- Novell has already been notified and they are obviously aware of the TTS limitations (refer to the May 1997 TID 2908153 at http://support.novell.com/cgi-bin/search/tidfinder.cgi?2908153 for an example). Per Novell the latest patches for Netware 4.x correct the problem, and Netware 5 does not have the problem at all. Thanks to Michel Labelle for notifying NMRC about this problem. _______________________________________________________________________________