-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                      statd Buffer Overrun Vulnerability

May 6, 1998 22:00 GMT                                              Number I-017a
______________________________________________________________________________
PROBLEM:       Information has been received concerning a vulnerability in
               the statd(1M) program.
PLATFORM:      Various Unix platforms:
                 BSDI                          Not Vulnerable
                 Digital Equip. Corp.          UNIX V3.2g thru V4.0d
                 Hewlett Packard               unknown at this time
                 IBM Corporation               AIX 3.2 and 4.1
                 The NetBSD Project            Not Vulnerable
                 Red Hat Software              Not Vulnerable
                 Sun Microsystems              5.5.1, 5.5.1_x86, 5.5, 5.5_x86,
                                               5.4, 5.4_x86, 4.1.4, and
                                               4.1.3_U1.
                 Sun Microsystems              Not Vulnerable
                                               5.6 and 5.6_x86
DAMAGE:        This vulnerability may allow local users, as well as remote
               users to gain root privileges.
SOLUTION:      It is recommended that affected sites take the steps outlined
               in section 3 as soon as possible.
______________________________________________________________________________
VULNERABILITY  Exploit information involving this vulnerability has been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[ Appended on May 6, 1998 with additional patch information from Digital ]

[ Start AUSCERT Advisory ]
===========================================================================
AA-97.29                        AUSCERT Advisory
                      statd Buffer Overrun Vulnerability
                                5 December 1997

Last Revised: --

- ----------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the statd(1M)
program, available on a variety of Unix platforms.

This vulnerability may allow local users, as well as remote users to gain
root privileges.
Exploit information involving this vulnerability has been made publicly
available.

This vulnerability is different to the statd vulnerability described in
CERT/CC advisory CA-96.09.

The vulnerability in statd affects various vendor versions of statd.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ----------------------------------------------------------------------------

1.  Description

    AUSCERT has received information concerning a vulnerability in some
    vendor versions of the RPC server, statd(1M).

    statd provides network status monitoring.  It interacts with lockd to
    provide crash and recovery functions for the locking services on NFS.

    Due to insufficient bounds checking on input arguments which may be
    supplied by local users, as well as remote users, it is possible to
    overwrite the internal stack space of the statd program while it is
    executing a specific rpc routine.  By supplying a carefully designed
    input argument to the statd program, intruders may be able to force
    statd to execute arbitrary commands as the user running statd.  In
    most instances, this will be root.

    This vulnerability may be exploited by local users.  It can also be
    exploited remotely without the intruder requiring a valid local
    account if statd is accessible via the network.

    Sites can check whether they are running statd by:

    On system V like systems:

        # ps -fe |grep statd
            root   973     1  0 14:41:46 ?        0:00 /usr/lib/nfs/statd

    On BSD like systems:

        # ps -auxw |grep statd
        root       156  0.0  0.0   52    0 ?  IW   May  3  0:00 rpc.statd

    Specific vendor information regarding this vulnerability can be found
    in Section 3.

2.  Impact

    This vulnerability permits attackers to gain root privileges.  It can be
    exploited by local users.  It can also be exploited remotely without
    the intruder requiring a valid local account if statd is accessible
    via the network.

3.  Workarounds/Solution

    The statd program is available on many different systems.  As vendor
    patches are made available sites are encouraged to install them
    immediately (Section 3.1).

    If you are not using NFS in your environment then there is no need for
    the statd program to be running and it can be disabled (Section 3.2).

3.1 Vendor information

    The following vendors have provided information concerning the
    vulnerability in statd.

        BSDI
        Digital Equipment Corporation
        Hewlett Packard
        IBM Corporation
        The NetBSD Project
        Red Hat Software
        Sun Microsystems

    Specific vendor information has been placed in Appendix A.

    If the statd program is required at your site and your vendor is not
    listed, you should contact your vendor directly.

    If you do not require the statd program then it should be disabled
    (Section 3.2).

3.2 Disabling statd

    The statd daemon is required as part of an NFS environment.  If you
    are not using NFS there is no need for this program and it can be
    disabled.

    The statd (or rpc.statd) program is often started in the system
    initialisation scripts (such as /etc/rc* or /etc/rc*.d/*).  If you
    do not require statd it should be commented out from the
    initialisation scripts.

    In addition, any currently running statd should be identified using
    ps(1) and then terminated using kill(1).

__________________________________________________________________________
Appendix A  Vendor information

The following information regarding this vulnerability for specific vendor
versions of statd has been made available to AUSCERT.  For additional
information, sites should contact their vendors directly.

BSDI
====

No versions of BSD/OS are vulnerable to this problem.

Digital Equipment Corporation
=============================

DIGITAL UNIX V4.0 thru V4.0c

At the time of writing this document, patches (binary kits) are in progress
and final testing has been completed.  Distribution of the fix for this
problem is expected to begin soon.
Digital will provide notice of the completion/availability of the patches
through AES services (WEB, DIA, DSNlink) and be available from your normal
Digital Support channel.

DIGITAL EQUIPMENT CORPORATION
12/97

Hewlett Packard
===============

This problem is in the investigation process.

IBM Corporation
===============

AIX 3.2 and 4.1 are vulnerable to the statd buffer overflow.  However, the
buffer overflow described in this advisory was fixed when the APARs for
CERT CA-96.09 were released.  See the appropriate release below to
determine your action.

AIX 3.2
-------
Apply the following fix to your system:

    APAR - IX56056 (PTF - U441411)

To determine if you have this PTF on your system, run the following
command:

    lslpp -lB U441411

AIX 4.1
-------
Apply the following fix to your system:

    APAR - IX55931

To determine if you have this PTF on your system, run the following
command:

    instfix -ik IX55931

Or run the following command:

    lslpp -h bos.net.nfs.client

Your version of bos.net.nfs.client should be 4.1.4.7 or later.

AIX 4.2
-------
No APAR required.  Fix already contained in the release.

APARs may be ordered using Electronic Fix Distribution (via FixDist) or
from the IBM Support Center.  For more information on FixDist, reference
URL:

    http://service.software.ibm.com/aixsupport/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

IBM and AIX are registered trademarks of International Business Machines
Corporation.

The NetBSD project
==================

NetBSD is not vulnerable to the statd buffer overflow.  It does not ship
with NFS locking programs (statd/lockd).

Red Hat Linux
=============

Red Hat Linux is not vulnerable to the statd buffer overflow.  No versions
of Red Hat Linux include statd in any form.
Sun Microsystems
================

The statd vulnerability has been fixed by the following patches:

    SunOS version   Patch Id
    -------------   ---------
    5.5.1           104166-02
    5.5.1_x86       104167-02
    5.5             103468-03
    5.5_x86         103469-03
    5.4             102769-04
    5.4_x86         102770-04
    4.1.4           102516-06
    4.1.3_U1        101592-09

SunOS 5.6 and 5.6_x86 are not vulnerable to this problem.

The vulnerability described in this advisory is not the same as that
described in Sun Security Bulletin #135.

Sun recommended and security patches (including checksums) are available
from:

    http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

AUSCERT maintains a local mirror of Sun recommended and security patches
at:

    ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/

- ----------------------------------------------------------------------------

AUSCERT thanks Peter Marelas (The Fulcrum Consulting Group), Tim MacKenzie
(The Fulcrum Consulting Group) and CERT/CC for their assistance in the
preparation of this advisory.

- ----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031
Postal:         Australian Computer Emergency Response Team
                Prentice Centre
                The University of Queensland
                Brisbane
                Qld.  4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ End AUSCERT Advisory ]

[ Append Digital Advisory ]
______________________________________________________________

UPDATE: APR 30, 1998

TITLE:  DIGITAL UNIX rpc.statd V3.2g, V4.0, V4.0a, V4.0b, V4.0c, V4.0d -
        Potential Security Vulnerability

Ref:    SSRT0456U

SOURCE: Digital Equipment Corporation
        Software Security Response Team

"Digital is broadly distributing this Security Advisory in order to bring
to the attention of users of Digital's products the important security
information contained in this Advisory.  Digital recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action.  Digital does not warrant that this
information is necessarily accurate or complete for all user situations
and, consequently, Digital will not be responsible for any damages
resulting from user's use or disregard of the information provided in this
Advisory."

----------------------------------------------------------------------

IMPACT:

Digital has discovered a potential vulnerability with the rpc for DIGITAL
UNIX software, where under certain circumstances, a user may gain
unauthorized privileges.
Digital strongly recommends upgrading to a minimum of Digital UNIX V4.0b
accordingly, and that the appropriate patch kit be installed immediately.

----------------------------------------------------------------------

RESOLUTION:

This potential security problem has been resolved and an official patch
for this problem has been made available as an early release kit for
DIGITAL UNIX V4.0a (duv40ass0000600039900-19980317.*) and, included in the
latest DIGITAL UNIX V4.0b and V4.0d aggregate DUPATCH Kit.

The V3.2g aggregate BL 10 patch kit #5 is scheduled for release in late
June 1998.

The V4.0 aggregate BL 9 patch kit #6 is scheduled for release mid May 1998.

The V4.0c aggregate BL10 patch kit #6 is scheduled for release mid May
1998.

  o  the World Wide Web at the following FTP address:

     http://www.service.digital.com/html/patch_service.html

     Use the FTP access option, select DIGITAL_UNIX directory then choose
     the appropriate version directory and download the patch accordingly.

Note:

  [1] The appropriate patch kit must be installed following any upgrade to
      V4.0a, V4.0b or V4.0d.

  [2] Please review the appropriate release notes prior to installation.

If you need further information, please contact your normal DIGITAL
support channel.

DIGITAL appreciates your cooperation and patience.  We regret any
inconvenience applying this information may cause.

As always, Digital urges you to periodically review your system management
and security procedures.  Digital will continue to review and enhance the
security features of its products and work with customers to maintain and
improve the security and integrity of their systems.

__________________________________________________________________
Copyright (c) Digital Equipment Corporation, 1998 All Rights Reserved.
Unpublished Rights Reserved Under The Copyright Laws Of The United States.
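The following POSIX shell helpers are an added example, not part of the AUSCERT, Digital or CIAC text above. They turn the two checks the advisories ask sites to perform into functions that can be run against saved command output: whether a statd/rpc.statd process is present (the ps(1) check from section 1, plus an rpcinfo -p check assumed here on the basis that the status monitor registers with the portmapper as RPC program 100024, listed as "status"), and whether a SunOS 5.x host has the patch from the Sun table in Appendix A, or a later revision of it, installed according to showrev -p. The rpcinfo check, the "Patch: NNNNNN-RR" line format of showrev -p, and every sample listing below are assumptions or constructed data, not taken from the advisory; the patch ids themselves are the ones in Appendix A.

```shell
#!/bin/sh
# Added example (not from the AUSCERT, Digital or CIAC advisories):
# offline helpers for the two checks the advisory asks sites to perform,
#   1. is a statd (rpc.statd) process running / registered with the portmapper?
#   2. on SunOS 5.x, is the statd patch from Appendix A (or a later revision
#      of it) installed?
# Each function reads saved command output on stdin, so it can be run against
# a copied ps / rpcinfo / showrev listing.  All sample listings are constructed.

# 1a. ps(1) output, System V (ps -fe) or BSD (ps -auxw) style.
#     Matches "/usr/lib/nfs/statd" and "rpc.statd"; drops the grep line itself.
statd_in_ps() {
    grep -v 'grep' | grep -E '(^|[[:space:]/])(rpc\.)?statd([[:space:]]|$)' >/dev/null
}

# 1b. rpcinfo -p output (assumption: the NFS status monitor is RPC program
#     100024 and rpcinfo prints its service name as "status").
statd_in_rpcinfo() {
    awk '$1 == 100024 || $NF == "status" { found = 1 } END { exit found ? 0 : 1 }'
}

# 2. Sun patch table copied from Appendix A: SunOS version -> fixing patch id.
sun_required_patch() {
    case "$1" in
        5.5.1)       echo 104166-02 ;;
        5.5.1_x86)   echo 104167-02 ;;
        5.5)         echo 103468-03 ;;
        5.5_x86)     echo 103469-03 ;;
        5.4)         echo 102769-04 ;;
        5.4_x86)     echo 102770-04 ;;
        4.1.4)       echo 102516-06 ;;
        4.1.3_U1)    echo 101592-09 ;;
        5.6|5.6_x86) echo NOT_VULNERABLE ;;
        *)           echo UNKNOWN ;;
    esac
}

# Reads `showrev -p` output ("Patch: NNNNNN-RR ...", one line per installed
# patch; assumed format) on stdin.  Returns 0 when the required patch base is
# installed at the required revision or later, 1 when it is missing or too
# old, 2 when the version is not in the table.  showrev -p is a SunOS 5.x
# command; the SunOS 4.1.x entries need a different patch inventory.
sun_statd_fixed() {
    req=$(sun_required_patch "$1")
    case "$req" in
        NOT_VULNERABLE) cat >/dev/null; return 0 ;;
        UNKNOWN)        cat >/dev/null; return 2 ;;
    esac
    awk -v base="${req%-*}" -v rev="${req#*-}" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= rev + 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Demo on constructed listings (ps line modelled on the advisory's example;
# the showrev lines are made up and show a later revision of patch 104166).
PS_SAMPLE='root   973     1  0 14:41:46 ?        0:00 /usr/lib/nfs/statd
root   980     1  0 14:41:47 ?        0:00 /usr/lib/nfs/lockd'
SHOWREV_SAMPLE='Patch: 100000-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 104166-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWnfscu'

if printf '%s\n' "$PS_SAMPLE" | statd_in_ps; then
    echo "statd is running: disable it (section 3.2) or patch it (Appendix A)"
fi
if printf '%s\n' "$SHOWREV_SAMPLE" | sun_statd_fixed 5.5.1; then
    echo "SunOS 5.5.1: statd patch 104166-02 or later is installed"
fi
```

On a live SunOS 5.x host the same functions take real output, e.g. `ps -fe | statd_in_ps` and `showrev -p | sun_statd_fixed 5.5.1`; the revision comparison matters because later revisions of a Sun patch replace earlier ones, so a host showing 104166-03 has the 104166-02 fix.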
__________________________________________________________________
[ End Digital Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of AUSCERT for the information
contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy (DOE)
and the emergency backup response team for the National Institutes of
Health (NIH). CIAC is located at the Lawrence Livermore National
Laboratory in Livermore, California. CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global
organization established to foster cooperation and coordination among
computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and
the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM
PST), call the CIAC voice number 510-422-8193 and leave a message, or
call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky
Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty
person, and the secondary PIN number, 8550074 is for the CIAC Project
Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (198.128.39.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the use
   of SPI products.

Our mailing lists are managed by a public domain software package called
Majordomo, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes
for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in
question.

If you include the word 'help' in the body of an email to the above
address, it will also send back an information file on how to
subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-007: SunOS Solaris Vulnerabilities (nis_cachemgr, ftpd/rlogind, sysdef)
I-008: Open Group OSF/DCE Denial-of-Service Vulnerability
I-009: IBM AIX libDtSvc.a Buffer Overflow Vulnerability
I-010: HP-UX CDE Vulnerability
I-011: IBM AIX portmir command Vulnerability
I-012: IBM AIX ftp client Vulnerability
I-013: Count.cgi Buffer Overrun Vulnerability
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
I-016: SCO /usr/bin/X11/scoterm Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNIiYaLnzJzdsy3QZAQHUogP9HxmKzDPzybKmTmg7e1s+/ETLCuegWGcH
sq9ys2CMNArKQuw65e2P9xRQplyOpdfc7JFODFXdHy716F2qu1FDm/xLH9JJu3WK
90I5GwikwUya/q11qwacyRIWDgGQUIx/7I2ippE1JbQB12v1sJHKXdDxnGYGf0Mg
ls2F6d49FB8=
=WsWm
-----END PGP SIGNATURE-----