TUCoPS :: Unix :: General :: ciacj045.txt

Statd Exposes Vulnerability in automountd

-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Vulnerability in statd exposes vulnerability in automountd

June 10, 1999 21:00 GMT                                          Number J-045
______________________________________________________________________________

PROBLEM:       Two vulnerabilities are address in this advisory:
               1) rpc.statd, a program used to communicate state changes among
                  NFS clients and servers.
               2) automountd, a program used to automatically mount certain
                  types of file systems.
               By exploiting these two vulnerabilities simultaneously, a
               Remote intruder is able to "bounce" rpc calls from the
               rpc.statd service to the automountd service on the same
               targeted machine.
PLATFORM:      SGI IRIX 5.3 is vulnerable to rpc.statd but no longer
                 supported.  Unpatched IRIX 6.2 and above are vulnerable
                 to automountd.
               SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86,
                 5.4, 5.4_x86, and 5.3.
DAMAGE:        This combination of vulnerabilities allows a remote
               intruder to execute arbitrary commands with the administrative
               privileges of the automountd service, typically root.
SOLUTION:      Apply the vendor-supplied patch.
______________________________________________________________________________
VULNERABILITY  Risk is high due to these vulnerabilities having been widely
ASSESSMENT:    discussed on public forums such as BugTraq.
______________________________________________________________________________

[  Start CERT Advisory  ]

CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in
      automountd

   Original issue date: June 9, 1999
   Source: CERT/CC

Systems Affected

   Systems running older versions of rpc.statd and automountd

I. Description

   This advisory describes two vulnerabilities that are being used
   together by intruders to gain access to vulnerable systems. The first
   vulnerability is in rpc.statd, a program used to communicate state
   changes among NFS clients and servers. The second vulnerability is in
   automountd, a program used to automatically mount certain types of
   file systems. Both of these vulnerabilities have been widely discussed
   on public forums, such as BugTraq, and some vendors have issued
   security advisories related to the problems discussed here. Because of
   the number of incident reports we have received, however, we are
   releasing this advisory to call attention to these problems so that
   system and network administrators who have not addressed these
   problems do so immediately.

   The vulnerability in rpc.statd allows an intruder to call arbitrary
   rpc services with the privileges of the rpc.statd process. The called
   rpc service may be a local service on the same machine or it may be a
   network service on another machine. Although the form of the call is
   constrained by rpc.statd, if the call is acceptable to another rpc
   service, the other rpc service will act on the call as if it were an
   authentic call from the rpc.statd process.

   The vulnerability in automountd allows a local intruder to execute
   arbitrary commands with the privileges of the automountd process. This
   vulnerability has been widely known for a significant period of time,
   and patches have been available from vendors, but many systems remain
   vulnerable because their administrators have not yet applied the
   appropriate patches.

   By exploiting these two vulnerabilities simultaneously, a remote
   intruder is able to "bounce" rpc calls from the rpc.statd service to
   the automountd service on the same targeted machine. Although on many
   systems the automountd service does not normally accept traffic from
   the network, this combination of vulnerabilities allows a remote
   intruder to execute arbitrary commands with the administrative
   privileges of the automountd service, typically root.

   Note that the rpc.statd vulnerability described in this advisory is
   distinct from the vulnerabilities described in CERT Advisories
   CA-96.09 and CA-97.26.

II. Impact

   The vulnerability in rpc.statd may allow a remote intruder to call
   arbitrary rpc services with the privileges of the rpc.statd process,
   typically root. The vulnerability in automountd may allow a local
   intruder to execute arbitrary commands with the privileges of the
   automountd service.

   By combining attacks exploiting these two vulnerabilities, a remote
   intruder is able to execute arbitrary commands with the privileges of
   the automountd service.

Note

   It may still be possible to cause rpc.statd to call other rpc services
   even after applying patches which reduce the privileges of rpc.statd.
   If there are additional vulnerabilities in other rpc services
   (including services you have written), an intruder may be able to
   exploit those vulnerabilities through rpc.statd. At the present time,
   we are unaware of any such vulnerabilitity that may be exploited
   through this mechanism.

III. Solutions

   Install a patch from your vendor

   Appendix A contains input from vendors who have provided information
   for this advisory. We will update the appendix as we receive more
   information. If you do not see your vendor's name, the CERT/CC did not
   hear from that vendor. Please contact your vendor directly.

Appendix A: Vendor Information

   Caldera

   Caldera's currently not shipping statd.

   Compaq Computer Corporation

        (c) Copyright 1998, 1999 Compaq Computer Corporation. All rights
                reserved.
                SOURCE: Compaq Computer Corporation
                Compaq Services
                Software Security Response Team USA
                This reported problem has not been found to affect the as
                shipped, Compaq's Tru64/UNIX Operating Systems Software.
                - Compaq Computer Corporation

          Data General

        We are investigating. We will provide an update when our
                investigation is complete.

          Hewlett-Packard Company

        HP is not vulnerable.

          The Santa Cruz Operation, Inc.

        No SCO products are vulnerable.

          Silicon Graphics, Inc.

        % IRIX

              % rpc.statd
                      IRIX 6.2 and above ARE NOT vulnerable.
                      IRIX 5.3 is vulnerable, but no longer supported.
                      % automountd
                      With patches from SGI Security Advisory
                      19981005-01-PX installed,
                      IRIX 6.2 and above ARE NOT vulnerable.

                % Unicos

              Currently, SGI is investigating and no further information
                      is
                      available for public release at this time.

                As further information becomes available, additional
                advisories
                will be issued via the normal SGI security information
                distribution
                method including the wiretap mailing list.
                SGI Security Headquarters
                http://www.sgi.com/Support/security

          Sun Microsystems Inc.

        The following patches are available:
                rpc.statd:
                Patch OS Version
                _____ __________
                106592-02 SunOS 5.6
                106593-02 SunOS 5.6_x86
                104166-04 SunOS 5.5.1
                104167-04 SunOS 5.5.1_x86
                103468-04 SunOS 5.5
                103469-05 SunOS 5.5_x86
                102769-07 SunOS 5.4
                102770-07 SunOS 5.4_x86
                102932-05 SunOS 5.3
                The fix for this vulnerability was integrated in SunOS
                5.7 (Solaris 7) before it was released.
                automountd:
                104654-05 SunOS 5.5.1
                104655-05 SunOS 5.5.1_x86
                103187-43 SunOS 5.5
                103188-43 SunOS 5.5_x86
                101945-61 SunOS 5.4
                101946-54 SunOS 5.4_x86
                101318-92 SunOS 5.3
                SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not
                vulnerable.
                Sun security patches are available at:

          http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-li
          cense&nav=pub-patches
          _______________________________________________________________

          Our thanks to Olaf Kirch of Caldera for his assistance in
          helping us understand the problem and Chok Poh of Sun
          Microsystems for his assistance in helping us construct this
          advisory.
          _______________________________________________________________

          This document is available from:
          http://www.cert.org/advisories/CA-99-05-statd-automountd.html.
          _______________________________________________________________


[  End CERT Advisory  ]

______________________________________________________________________________

CIAC wishes to acknowledge CERT for the information contained in this
bulletin.
______________________________________________________________________________


For additional information or assistance, please contact CIAC:

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or

    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3.  Send e-mail to 4498369@skytel.com, or

    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-035: Linux Blind TCP Spoofing
J-036: LDAP Buffer overflow against Microsoft Directory Services
J-037: W97M.Melissa Word Macro Virus
J-038: HP-UX Vulnerabilities (hpterm, ftp)
J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES
J-040: HP-UX Security Vulnerability in sendmail
J-041: Cisco IOS(R) Software Input Access List Leakage with NAT
J-042: Web Security
J-043: (bulletin in process)
J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBN2E1qrnzJzdsy3QZAQHcqQQAzStiURTt0eWZTvrLlPeNIVyNyshW4bpP
vz5J1hum0BRYVdSAD07iGfdjooGJrKSGQY7PhvFskOK/ylbrx/tAhkdcvz423Mvw
y7lUN9RlMV3W0nxYTF75+IIr1CM1x6GP6Ahj+G+b8FwNojY0JQWdXj2AbKUrXEC5
Xk8uCoJIehM=
=Vkr8
-----END PGP SIGNATURE-----



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH