CVE-2004-2767 in NetWare
Summary
by MITRE
NWFTPD.nlm before 5.04.25 in the FTP server in Novell NetWare does not promptly close DS sessions, which allows remote attackers to cause a denial of service (connection slot exhaustion) by establishing many FTP sessions that persist for the lifetime of a DS session.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/04/2026
The vulnerability described in CVE-2004-2767 represents a critical resource management flaw within Novell NetWare's NWFTPD.nlm FTP server component. This issue affects versions prior to 5.04.25 and demonstrates a fundamental failure in session handling that directly impacts system availability. The vulnerability operates through a specific mechanism where FTP connections maintain persistent DS (Directory Services) sessions without proper cleanup, creating a resource exhaustion condition that can be exploited by malicious actors.
The technical flaw stems from improper session lifecycle management within the FTP server implementation. When remote attackers establish multiple FTP connections, each connection maintains an associated DS session that remains active throughout the entire duration of the FTP session. This design flaw creates a scenario where connection slots become permanently occupied, as the DS sessions are not promptly terminated upon FTP session completion. The persistence of these sessions effectively consumes system resources that should be available for legitimate user connections, leading to a gradual depletion of available connection slots.
This vulnerability directly maps to CWE-400, which addresses "Uncontrolled Resource Consumption" and specifically relates to the improper management of system resources such as connection slots and session handles. The operational impact of this flaw is severe, as it enables a straightforward denial of service attack that requires minimal technical expertise to execute. Attackers can simply establish numerous concurrent FTP connections, causing the system to exhaust its available connection slots and rendering the FTP service unavailable to legitimate users. The persistence of DS sessions means that even after the initial FTP connections are closed, the underlying resource exhaustion continues to impact system performance.
The attack vector operates through network-based exploitation where remote adversaries can leverage the FTP service to establish multiple concurrent connections. This approach aligns with ATT&CK technique T1499.004, which covers "Endpoint Denial of Service" through resource exhaustion attacks. The vulnerability demonstrates a classic case of insufficient resource management where the system fails to implement proper session cleanup mechanisms, creating a persistent availability issue that affects the core functionality of the NetWare FTP service.
Mitigation strategies for this vulnerability require immediate implementation of the vendor-provided patch to upgrade NWFTPD.nlm to version 5.04.25 or later. System administrators should also implement connection limiting measures at the network level to prevent excessive concurrent FTP connections from overwhelming the system. Additionally, monitoring should be established to detect unusual connection patterns that may indicate exploitation attempts. The patch addresses the root cause by implementing proper DS session cleanup mechanisms that ensure connection resources are released promptly upon FTP session termination. Network segmentation and access control measures can further reduce the attack surface by limiting exposure to the vulnerable FTP service and implementing rate limiting for FTP connections to prevent rapid resource exhaustion.