Novell GroupWise Messenger versions 2.0.3 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges.
The vulnerability affects GroupWise Messenger clients and exists due to an input validation error when handling responses from a GroupWise Messenger server. An unauthenticated, remote attacker could exploit this vulnerability to cause a buffer overflow by sending spoofed GroupWise Messenger server responses to the target system. The buffer overflow could cause a DoS condition or allow the attacker to execute arbitrary code with elevated privileges.
Proof-of-concept code is available.
Novell has confirmed this vulnerability and released updated software.