TUCoPS :: Unix :: General :: ciaci017.txt

Statd Buffer Overrun Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
 __________________________________________________________
 The U.S. Department of Energy
 Computer Incident Advisory Capability
 __________________________________________________________
 INFORMATION BULLETIN
 statd Buffer Overrun Vulnerability
May 6, 1998 22:00 GMT Number I-017a
______________________________________________________________________________
PROBLEM: Information has been received concerning a vulnerability in the
 statd(1M) program.
PLATFORM:    Various Unix platforms:
               BSDI                        Not Vulnerable
               Digital Equipment Corp.     UNIX V3.2g thru V4.0d
               Hewlett Packard             unknown at this time
               IBM Corporation             AIX 3.2 and 4.1
               The NetBSD Project          Not Vulnerable
               Red Hat Software            Not Vulnerable
               Sun Microsystems            5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4,
                                           5.4_x86, 4.1.4, and 4.1.3_U1
               Sun Microsystems            Not Vulnerable: 5.6 and 5.6_x86
DAMAGE: This vulnerability may allow local users, as well as remote
 users to gain root privileges.
SOLUTION: It is recommended that affected sites take the steps outlined
 in section 3 as soon as possible.
______________________________________________________________________________
VULNERABILITY   Exploit information involving this vulnerability has been made
ASSESSMENT:     publicly available.
______________________________________________________________________________
[ Appended on May 6, 1998 with additional patch information from Digital ]
[ Start AUSCERT Advisory ]
===========================================================================
AA-97.29 AUSCERT Advisory
 statd Buffer Overrun Vulnerability
 5 December 1997
Last Revised: --
- ----------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
statd(1M) program, available on a variety of Unix platforms.
This vulnerability may allow local users, as well as remote users to gain
root privileges.
Exploit information involving this vulnerability has been made publicly
available.
This vulnerability is different to the statd vulnerability described
in CERT/CC advisory CA-96.09.
The vulnerability in statd affects various vendor versions of statd.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ----------------------------------------------------------------------------
1. Description
 AUSCERT has received information concerning a vulnerability in some
 vendor versions of the RPC server, statd(1M).
 statd provides network status monitoring. It interacts with lockd to
 provide crash and recovery functions for the locking services on NFS.
 Due to insufficient bounds checking on input arguments which may be
 supplied by local users, as well as remote users, it is possible to
 overwrite the internal stack space of the statd program while it is
 executing a specific rpc routine. By supplying a carefully designed
 input argument to the statd program, intruders may be able to force
 statd to execute arbitrary commands as the user running statd. In most
 instances, this will be root.
 This vulnerability may be exploited by local users. It can also be
 exploited remotely without the intruder requiring a valid local account
 if statd is accessible via the network.
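The bug class described above, as an added illustration that is not vendor statd source and not part of the original advisory: an RPC handler copies a caller-supplied string argument into a fixed-size stack buffer with no length check, beside the bounded form that rejects over-long requests. The buffer size (64 bytes), the function names and the handler shape are assumptions for this example; the advisory names neither the routine nor the buffer.

```c
/*
 * Illustrative example, not vendor statd source: the bug class the advisory
 * describes is an RPC handler copying a caller-supplied string argument into
 * a fixed-size stack buffer without checking its length.  The buffer size,
 * function names and the handler shape below are assumptions for this
 * example; the advisory does not give them.
 */
#include <stdio.h>
#include <string.h>

#define HOST_BUF 64   /* assumed buffer size; the real one is not stated */

/*
 * Vulnerable pattern.  The argument arrives as an XDR-decoded string from a
 * local or remote client and is copied with strcpy().  An argument of HOST_BUF
 * bytes or more runs past 'host' into the saved frame pointer and return
 * address, which is what lets an attacker run code in the daemon's (usually
 * root) context.  Kept for comparison only; nothing here calls it.
 */
int monitor_unsafe(const char *mon_name)
{
    char host[HOST_BUF];
    strcpy(host, mon_name);             /* no bounds check */
    return (int)strlen(host);
}

/*
 * Hardened pattern: measure the argument first and refuse anything that does
 * not fit together with its terminator.  Returns the copied length, or -1
 * when the request is rejected.  Rejecting is preferable to silently
 * truncating, because a truncated host name would still be acted on later.
 */
int monitor_safe(const char *mon_name, char *host, size_t hostsz)
{
    size_t n = strlen(mon_name);
    if (n >= hostsz)
        return -1;
    memcpy(host, mon_name, n + 1);
    return (int)n;
}

/* Same hardened copy into a local HOST_BUF-sized buffer, as a handler would. */
int accept_name(const char *mon_name)
{
    char host[HOST_BUF];
    return monitor_safe(mon_name, host, sizeof host);
}

/* Does this argument exceed what a buffer of bufsz bytes can hold safely? */
int would_overflow(const char *arg, size_t bufsz)
{
    return strlen(arg) >= bufsz;
}

/* Constructed over-long argument (255 'A's), standing in for a hostile request. */
const char *constructed_long_name(void)
{
    static char name[256];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

int main(void)
{
    printf("short name accepted: %d\n", accept_name("nfsclient.example"));
    printf("long name accepted:  %d (would overflow %d-byte buffer: %d)\n",
           accept_name(constructed_long_name()), HOST_BUF,
           would_overflow(constructed_long_name(), HOST_BUF));
    return 0;
}
```

The point of the bounded version is that the length check happens before any byte is written, and that an oversize request fails the call rather than being truncated; with the vulnerable version the daemon cannot tell a legitimate host name from a 255-byte payload until the return address has already been overwritten.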
 Sites can check whether they are running statd by:
 On system V like systems:
 # ps -fe |grep statd
 root 973 1 0 14:41:46 ? 0:00 /usr/lib/nfs/statd
 On BSD like systems:
 # ps -auxw |grep statd
 root 156 0.0 0.0 52 0 ? IW May 3 0:00 rpc.statd
 Specific vendor information regarding this vulnerability can be found
 in Section 3.
2. Impact
 This vulnerability permits attackers to gain root privileges. It can
 be exploited by local users. It can also be exploited remotely without
 the intruder requiring a valid local account if statd is accessible
 via the network.
3. Workarounds/Solution
 The statd program is available on many different systems. As vendor
 patches are made available sites are encouraged to install them
 immediately (Section 3.1).
 If you are not using NFS in your environment then there is no need
 for the statd program to be running and it can be disabled (Section
 3.2).
3.1 Vendor information
 The following vendors have provided information concerning the
 vulnerability in statd. 
 BSDI
 Digital Equipment Corporation
 Hewlett Packard
 IBM Corporation
 The NetBSD Project
 Red Hat Software
 Sun Microsystems
 Specific vendor information has been placed in Appendix A. 
 If the statd program is required at your site and your vendor is not
 listed, you should contact your vendor directly.
 If you do not require the statd program then it should be disabled
 (Section 3.2).
3.2 Disabling statd
 The statd daemon is required as part of an NFS environment. If you
 are not using NFS there is no need for this program and it can be
 disabled. The statd (or rpc.statd) program is often started in the
 system initialisation scripts (such as /etc/rc* or /etc/rc*.d/*).
 If you do not require statd it should be commented out from the
 initialisation scripts. In addition, any currently running statd
 should be identified using ps(1) and then terminated using kill(1).
__________________________________________________________________________
Appendix A Vendor information
The following information regarding this vulnerability for specific vendor
versions of statd has been made available to AUSCERT. For additional
information, sites should contact their vendors directly.
BSDI
====
No versions of BSD/OS are vulnerable to this problem.
Digital Equipment Corporation
=============================
DIGITAL UNIX V4.0 thru V4.0c
At the time of writing this document, patches (binary kits) are in progress
and final testing has been completed. Distribution of the fix for this
problem is expected to begin soon. Digital will provide notice of the
completion/availability of the patches through AES services (WEB, DIA,
DSNlink) and be available from your normal Digital Support channel.
 DIGITAL EQUIPMENT CORPORATION 12/97
Hewlett Packard
===============
This problem is in the investigation process.
IBM Corporation
===============
AIX 3.2 and 4.1 are vulnerable to the statd buffer overflow. However,
the buffer overflow described in this advisory was fixed when the APARs
for CERT CA-96.09 were released. See the appropriate release below to
determine your action.
 AIX 3.2
 -------
 Apply the following fix to your system:
 APAR - IX56056 (PTF - U441411)
 To determine if you have this PTF on your system, run the following
 command:
 lslpp -lB U441411
 AIX 4.1
 -------
 Apply the following fix to your system:
 APAR - IX55931
 To determine if you have this PTF on your system, run the following
 command:
 instfix -ik IX55931
 Or run the following command:
 lslpp -h bos.net.nfs.client
 Your version of bos.net.nfs.client should be 4.1.4.7 or later.
 AIX 4.2
 -------
 No APAR required. Fix already contained in the release.
 APARs may be ordered using Electronic Fix Distribution (via
 FixDist) or from the IBM Support Center. For more information on
 FixDist, reference URL:
 
 http://service.software.ibm.com/aixsupport/
 or send e-mail to aixserv@austin.ibm.com with a subject of
 "FixDist".
 IBM and AIX are registered trademarks of International Business
 Machines Corporation.
The NetBSD project
==================
NetBSD is not vulnerable to the statd buffer overflow. It does not ship
with NFS locking programs (statd/lockd).
Red Hat Linux
=============
Red Hat Linux is not vulnerable to the statd buffer overflow. No versions
of Red Hat Linux include statd in any form.
Sun Microsystems
================
The statd vulnerability has been fixed by the following patches:
 SunOS version Patch Id
 ------------- --------
 5.5.1 104166-02
 5.5.1_x86 104167-02
 5.5 103468-03
 5.5_x86 103469-03
 5.4 102769-04
 5.4_x86 102770-04
 4.1.4 102516-06
 4.1.3_U1 101592-09
SunOS 5.6 and 5.6_x86 are not vulnerable to this problem.
The vulnerability described in this advisory is not the same as that
described in Sun Security Bulletin #135.
Sun recommended and security patches (including checksums) are available
from:
 http://sunsolve.sun.com/sunsolve/pubpatches/patches.html
AUSCERT maintains a local mirror of Sun recommended and security
patches at:
 ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/
- ----------------------------------------------------------------------------
AUSCERT thanks Peter Marelas (The Fulcrum Consulting Group), Tim MacKenzie
(The Fulcrum Consulting Group) and CERT/CC for their assistance in the
preparation of this advisory.
- ----------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
 AUSCERT personnel answer during Queensland business hours
 which are GMT+10:00 (AEST).
 On call after hours for emergencies.
Facsimile: (07) 3365 7031
Postal:
Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[ End AUSCERT Advisory ]
[ Append Digital Advisory ]
______________________________________________________________
UPDATE: APR 30, 1998
 TITLE:  DIGITAL UNIX rpc.statd V3.2g, V4.0, V4.0a, V4.0b, V4.0c, V4.0d
         - Potential Security Vulnerability
         Ref: SSRT0456U

 SOURCE: Digital Equipment Corporation
         Software Security Response Team
 "Digital is broadly distributing this Security Advisory in order
 to bring to the attention of users of Digital's products the
 important security information contained in this Advisory. 
 Digital recommends that all users determine the applicability of
 this information to their individual situations and take
 appropriate action.
 Digital does not warrant that this information is necessarily
 accurate or complete for all user situations and, consequently,
 Digital will not be responsible for any damages resulting from
 user's use or disregard of the information provided in this
 Advisory."
----------------------------------------------------------------------
IMPACT:
 
 Digital has discovered a potential vulnerability with the 
 rpc for DIGITAL UNIX software, where under certain 
 circumstances, a user may gain unauthorized privileges.
 Digital strongly recommends upgrading to a minimum of
 Digital UNIX V4.0b accordingly, and that the appropriate
 patch kit be installed immediately.
 
----------------------------------------------------------------------
RESOLUTION:
 This potential security problem has been resolved and an official
 patch for this problem has been made available as an early release
 kit for DIGITAL UNIX V4.0a (duv40ass0000600039900-19980317.*)
 and, included in the latest DIGITAL UNIX V4.0b and V4.0d
 aggregate DUPATCH Kit. 
 The V3.2g aggregate BL 10 patch kit #5
 is scheduled for release in late June 1998.
 The V4.0 aggregate BL 9 patch kit #6
 is scheduled for release mid May 1998.
 The V4.0c aggregate BL10 patch kit #6
 is scheduled for release mid May 1998.
 
 o the World Wide Web at the following FTP address:
 http://www.service.digital.com/html/patch_service.html
 Use the FTP access option, select DIGITAL_UNIX directory
 then choose the appropriate version directory 
 and download the patch accordingly.
 Note: [1] The appropriate patch kit must be installed
           following any upgrade to V4.0a, V4.0b or V4.0d.

       [2] Please review the appropriate release notes
           prior to installation.

 If you need further information, please contact your normal DIGITAL
 support channel.
 DIGITAL appreciates your cooperation and patience. We regret any
 inconvenience applying this information may cause.
 As always, Digital urges you to periodically review your system
 management and security procedures. 
 Digital will continue to review and enhance the security
 features of its products and work with customers to maintain and
 improve the security and integrity of their systems.
 __________________________________________________________________
 Copyright (c) Digital Equipment Corporation, 1998 All
 Rights Reserved.
 Unpublished Rights Reserved Under The Copyright Laws Of
 The United States.
 __________________________________________________________________
[ End Digital Advisory ]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of AUSCERT for the
information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
 Voice: +1 510-422-8193
 FAX: +1 510-423-8002
 STU-III: +1 510-423-2604
 E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
 World Wide Web: http://ciac.llnl.gov/
 Anonymous FTP: ciac.llnl.gov (198.128.39.53)
 Modem access: +1 (510) 423-4753 (28.8K baud)
 +1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
 information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
 (SPI) software updates, new features, distribution and
 availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
 use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
 subscribe list-name
 e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
I-007: SunOS Solaris Vulnerabilities (nis_cachemgr, ftpd/rlogind, sysdef)
I-008: Open Group OSF/DCE Denial-of-Service Vulnerability
I-009: IBM AIX libDtSvc.a Buffer Overflow Vulnerability
I-010: HP-UX CDE Vulnerability
I-011: IBM AIX portmir command Vulnerability
I-012: IBM AIX ftp client Vulnerability
I-013: Count.cgi Buffer Overrun Vulnerability
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
I-016: SCO /usr/bin/X11/scoterm Vulnerability
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBNIiYaLnzJzdsy3QZAQHUogP9HxmKzDPzybKmTmg7e1s+/ETLCuegWGcH
sq9ys2CMNArKQuw65e2P9xRQplyOpdfc7JFODFXdHy716F2qu1FDm/xLH9JJu3WK
90I5GwikwUya/q11qwacyRIWDgGQUIx/7I2ippE1JbQB12v1sJHKXdDxnGYGf0Mg
ls2F6d49FB8=
=WsWm
-----END PGP SIGNATURE-----