TUCoPS :: Unix :: General :: ca-9905.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in
automountd
 Original issue date: June 9, 1999
 Source: CERT/CC
 Revised Date: July 22, 1999
 Added link to IN-99-04 in the "Description" section.
 
Systems Affected
 Systems running older versions of rpc.statd and automountd
 
I. Description
 This advisory describes two vulnerabilities that are being used
 together by intruders to gain access to vulnerable systems. The first
 vulnerability is in rpc.statd, a program used to communicate state
 changes among NFS clients and servers. The second vulnerability is in
 automountd, a program used to automatically mount certain types of
 file systems. Both of these vulnerabilities have been widely discussed
 on public forums, such as BugTraq, and some vendors have issued
 security advisories related to the problems discussed here. Because of
 the number of incident reports we have received, however, we are
 releasing this advisory to call attention to these problems so that
 system and network administrators who have not addressed these
 problems do so immediately. For more information about attacks using
 various RPC services please see CERTョ Incident Note IN-99-04
 http://www.cert.org/incident_notes/IN-99-04.html
 
 The vulnerability in rpc.statd allows an intruder to call arbitrary
 rpc services with the privileges of the rpc.statd process. The called
 rpc service may be a local service on the same machine or it may be a
 network service on another machine. Although the form of the call is
 constrained by rpc.statd, if the call is acceptable to another rpc
 service, the other rpc service will act on the call as if it were an
 authentic call from the rpc.statd process.
 
 The vulnerability in automountd allows a local intruder to execute
 arbitrary commands with the privileges of the automountd process. This
 vulnerability has been widely known for a significant period of time,
 and patches have been available from vendors, but many systems remain
 vulnerable because their administrators have not yet applied the
 appropriate patches.
 
 By exploiting these two vulnerabilities simultaneously, a remote
 intruder is able to "bounce" rpc calls from the rpc.statd service to
 the automountd service on the same targeted machine. Although on many
 systems the automountd service does not normally accept traffic from
 the network, this combination of vulnerabilities allows a remote
 intruder to execute arbitrary commands with the administrative
 privileges of the automountd service, typically root.
 
 Note that the rpc.statd vulnerability described in this advisory is
 distinct from the vulnerabilities described in CERT Advisories
 CA-96.09 and CA-97.26.
 
II. Impact
 The vulnerability in rpc.statd may allow a remote intruder to call
 arbitrary rpc services with the privileges of the rpc.statd process,
 typically root. The vulnerablility in automountd may allow a local
 intruder to execute arbitrary commands with the privileges of the
 automountd service.
 
 By combining attacks exploiting these two vulnerabilities, a remote
 intruder is able to execute arbitrary commands with the privileges of
 the automountd service.
 
Note
 It may still be possible to cause rpc.statd to call other rpc services
 even after applying patches which reduce the privileges of rpc.statd.
 If there are additional vulnerabilities in other rpc services
 (including services you have written), an intruder may be able to
 exploit those vulnerabilities through rpc.statd. At the present time,
 we are unaware of any such vulnerabilitity that may be exploited
 through this mechanism.
 
III. Solutions
 Install a patch from your vendor
 
 Appendix A contains input from vendors who have provided information
 for this advisory. We will update the appendix as we receive more
 information. If you do not see your vendor's name, the CERT/CC did not
 hear from that vendor. Please contact your vendor directly.
 
Appendix A: Vendor Information
 Caldera
 
 Caldera's currently not shipping statd.
 
 Compaq Computer Corporation
 
 (c) Copyright 1998, 1999 Compaq Computer Corporation. All rights
 reserved.
 SOURCE: Compaq Computer Corporation
 Compaq Services
 Software Security Response Team USA
 This reported problem has not been found to affect the as
 shipped, Compaq's Tru64/UNIX Operating Systems Software.
 - Compaq Computer Corporation
 
 Data General
 
 We are investigating. We will provide an update when our
 investigation is complete.
 
 Hewlett-Packard Company
 
 HP is not vulnerable.
 
 The Santa Cruz Operation, Inc.
 
 No SCO products are vulnerable.
 
 Silicon Graphics, Inc.
 
 % IRIX
 
 % rpc.statd
 IRIX 6.2 and above ARE NOT vulnerable.
 IRIX 5.3 is vulnerable, but no longer supported.
 % automountd
 With patches from SGI Security Advisory
 19981005-01-PX installed,
 IRIX 6.2 and above ARE NOT vulnerable.
 
 % Unicos
 
 Currently, SGI is investigating and no further information
 is
 available for public release at this time.
 
 As further information becomes available, additional
 advisories
 will be issued via the normal SGI security information
 distribution
 method including the wiretap mailing list.
 SGI Security Headquarters
 http://www.sgi.com/Support/security
 
 Sun Microsystems Inc.
 
 The following patches are available:
 rpc.statd:
 Patch OS Version
 _____ __________
 106592-02 SunOS 5.6
 106593-02 SunOS 5.6_x86
 104166-04 SunOS 5.5.1
 104167-04 SunOS 5.5.1_x86
 103468-04 SunOS 5.5
 103469-05 SunOS 5.5_x86
 102769-07 SunOS 5.4
 102770-07 SunOS 5.4_x86
 102932-05 SunOS 5.3
 The fix for this vulnerability was integrated in SunOS
 5.7 (Solaris 7) before it was released.
 automountd:
 104654-05 SunOS 5.5.1
 104655-05 SunOS 5.5.1_x86
 103187-43 SunOS 5.5
 103188-43 SunOS 5.5_x86
 101945-61 SunOS 5.4
 101946-54 SunOS 5.4_x86
 101318-92 SunOS 5.3
 SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not
 vulnerable.
 Sun security patches are available at:
 
 http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-li
 cense&nav=pub-patches
 _______________________________________________________________
 
 Our thanks to Olaf Kirch of Caldera for his assistance in
 helping us understand the problem and Chok Poh of Sun
 Microsystems for his assistance in helping us construct this
 advisory.
 _______________________________________________________________
 
 This document is available from:
 http://www.cert.org/advisories/CA-99-05-statd-automountd.html.
 _______________________________________________________________
 
CERT/CC Contact Information
 Email: cert@cert.org
 Phone: +1 412-268-7090 (24-hour hotline)
 Fax: +1 412-268-6989
 Postal address:
 CERT Coordination Center
 Software Engineering Institute
 Carnegie Mellon University
 Pittsburgh PA 15213-3890
 U.S.A.
 
 CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
 EDT(GMT-4) Monday through Friday; they are on call for
 emergencies during other hours, on U.S. holidays, and on
 weekends.
 
Using encryption
 We strongly urge you to encrypt sensitive information sent by
 email. Our public PGP key is available from
 http://www.cert.org/CERT_PGP.key. If you prefer to use DES,
 please call the CERT hotline for more information.
 
Getting security information
 CERT publications and other security information are available
 from our web site http://www.cert.org/.
 
 To be added to our mailing list for advisories and bulletins,
 send email to cert-advisory-request@cert.org and include
 SUBSCRIBE your-email-address in the subject of your message.
 
 Copyright 1999 Carnegie Mellon University.
 Conditions for use, disclaimers, and sponsorship information
 can be found in http://www.cert.org/legal_stuff.html.
 
 * "CERT" and "CERT Coordination Center" are registered in the
 U.S. Patent and Trademark Office
 _______________________________________________________________
 
 NO WARRANTY
 Any material furnished by Carnegie Mellon University and the
 Software Engineering Institute is furnished on an "as is"
 basis. Carnegie Mellon University makes no warranties of any
 kind, either expressed or implied as to any matter including,
 but not limited to, warranty of fitness for a particular
 purpose or merchantability, exclusivity or results obtained
 from use of the material. Carnegie Mellon University does not
 make any warranty of any kind with respect to freedom from
 patent, trademark, or copyright infringement.
 
 Revision History
 
 July 22, 1999 Added link to IN-99-04 in the "Description" section.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBOBCTOVr9kb5qlZHQEQLXyACgjf1IPcgld3mB710DpRLUH/d5GvwAnR9f
Wzgyuuo0Bp2BZuvFc4Vc9tO6
=Mw7B
-----END PGP SIGNATURE-----