__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Calendar Manager Service Buffer Overflow Vulnerability
July 16, 1999 17:00 GMT Number J-051
Last updated September 23, 1999 17:00 GMT
______________________________________________________________________________
PROBLEM: A buffer overflow vulnerability has been discovered in the
Calendar Manager Service daemon, rpc.cmsd.
PLATFORM: HP-9000 Series 700/800 HP-UX releases 10.2x, 10.30, 11.00.
SCO UnixWare 7 is potentially vulnerable.
Sun Microsystems:
SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5.1_x86,
5.5, 5.5_x86, 5.4, 5.4_x86, 5.3, 4.1.4, and 4.1.3_U1.
CDE 1.3, 1.3_86, 1.2, 1.2_86, 1.0.2, 1.0.1.
Tru64 UNIX V4.0D, V4.0E and V4.0F.
DAMAGE: If exploited, an attacker may gain root access.
SOLUTION: Disable the rpc.cmsd daemon or apply available patches.
______________________________________________________________________________
VULNERABILITY Risk is high. This vulnerability is being actively exploited.
ASSESSMENT: Patch your systems as soon as possible.
______________________________________________________________________________
[ Update on Sept. 23, 1999 with additional patch information from Hewlett-
Packard. ]
[ Update on August 26, 1999 with additional patch information from Sun
Microsystems. ]
[ Update on August 19, 1999 with additional patch information from Compaq
Computer Corporation. ]
[ Start CERT Advisory ]
CERT Advisory CA-99-08-cmsd
Originally released: July 16, 1999
Source: CERT/CC
Systems Affected
* Systems running the Calendar Manager Service daemon, often named
rpc.cmsd
I. Description
A buffer overflow vulnerability has been discovered in the Calendar
Manager Service daemon, rpc.cmsd. The rpc.cmsd daemon is frequently
distributed with the Common Desktop Environment (CDE) and Open
Windows.
II. Impact
Remote and local users can execute arbitrary code with the privileges
of the rpc.cmsd daemon, typically root. Under some configurations
rpc.cmsd runs with an effective userid of daemon, while retaining root
privileges.
This vulnerability is being exploited in a significant number of
incidents reported to the CERT/CC. An exploit script was posted to
BUGTRAQ.
III. Solution
Install a patch from your vendor
Appendix A contains information provided by vendors for this advisory.
We will update the appendix as we receive more information. If you do
not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact your vendor directly.
We will update this advisory as more information becomes available.
Please check the CERT/CC Web site for the most current revision.
Disable the rpc.cmsd daemon
If you are unable to apply patches to correct this vulnerability, you
may wish to disable the rpc.cmsd daemon. If you disable rpc.cmsd, it
may affect your ability to manage calendars.
Appendix A: Vendor Information
Hewlett-Packard Company
HP is vulnerable, patches in process.
IBM Corporation
AIX is not vulnerable to the rpc.cmsd remote buffer overflow.
IBM and AIX are registered trademarks of International Business
Machines Corporation.
Santa Cruz Operation, Inc.
SCO is investigating this problem. The following SCO product contains
CDE and is potentially vulnerable:
+ SCO UnixWare 7
The following SCO products do not contain CDE, and are
therefore believed not to be vulnerable:
+ SCO UnixWare 2.1
+ SCO OpenServer 5
+ SCO Open Server 3.0
+ SCO CMW+
SCO will provide further information and patches if necessary
as soon as possible at http://www.sco.com/security.
Silicon Graphics, Inc.
IRIX does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.
UNICOS does not have dtcm or rpc.cmsd and therefore is NOT
vulnerable.
Sun Microsystems, Inc.
The following patches are available:
OpenWindows:
SunOS version Patch ID
_____________ _________
SunOS 5.5.1 104976-04
SunOS 5.5.1_x86 105124-03
SunOS 5.5 103251-09
SunOS 5.5_x86 103273-07
SunOS 5.3 101513-14
SunOS 4.1.4 100523-25
SunOS 4.1.3_U1 100523-25
CDE:
CDE version Patch ID
___________ ________
1.3 107022-03
1.3_x86 107023-03
1.2 105566-07
1.2_x86 105567-08
Patches for SunOS 5.4 and CDE 1.0.2 and 1.0.1 will be available
within a week of the release of this advisory.
Sun security patches are available at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-li
cense&nav=pubpatches
______________________________________________________________________________
The CERT Coordination Center would like to thank Chok Poh of Sun
Microsystems, David Brumley of Stanford University, and Elias Levy of
Security Focus for their assistance in preparing this advisory.
______________________________________________________________________________
[ End CERT Advisory ]
[ Start Compaq Update ]
UPDATE: AUG. 11, 1999
TITLE: Potential Security Problem when using rpc.cmsd
(calendar manager). x-ref: CERT Advisory CA-99-08
SOURCE: Compaq Computer Corporation
Software Security Response Team
"Compaq is broadly distributing this Security Advisory in order
to bring to the attention of users of Compaq products the
important security information contained in this Advisory.
Compaq recommends that all users determine the applicability of
this information to their individual situations and take
appropriate action.
Compaq does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently,
Compaq will not be responsible for any damages resulting from
user's use or disregard of the information provided in this
Advisory."
- -----------------------------------------------------------------------
IMPACT:
This fix was implemented in response to the recent posting of
the CERT CA-99-08-cmsd advisory.
- -----------------------------------------------------------------------
RESOLUTION:
This potential security problem has been resolved and a
patch for this problem has been made available for
Tru64 UNIX V4.0D, V4.0E and V4.0F.
This patch can be installed on:
V4.0D Patch kit BL11 or BL12.
V4.0E Patch kit BL1 or BL12.
V4.0F Patch kit BL1.
*This solution will be included in a future distributed release of
Compaq's DIGITAL UNIX.
This patch may be obtained from the World Wide Web at the
following FTP address:
http://www.service.digital.com/patches
Patch file name: SSRT0614U_rpc_cmsd.tar.Z
Use the FTP access option, select DIGITAL_UNIX directory
then choose the appropriate version directory and
download the patch accordingly.
NOTE: There is a README file included with this patch, which
contains installation instructions.
Additional Considerations:
If you need further information, please contact your normal
Compaq Services support channel.
Compaq appreciates your cooperation and patience. We regret any
inconvenience applying this information may cause.
As always, Compaq urges you to periodically review your system
management and security procedures.
Compaq will continue to review and enhance the security
features of its products and work with customers to maintain and
improve the security and integrity of their systems.
____________________________________________________________
Copyright (c) Compaq Computer Corporation, 1999 All
Rights Reserved.
Unpublished Rights Reserved Under The Copyright Laws Of
The United States.
___________________________________________________________
[ End Compaq Update ]
[ Start Sun Microsystems Update ]
______________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin
Bulletin Number: #00188
Date: August 25, 1999
Cross-Ref: CERT CA-99-08
Title: rpc.cmsd
______________________________________________________________________________
The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the information
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.
If any of the above provisions are held to be in violation of applicable law,
void, or unenforceable in any jurisdiction, then such provisions are waived
to the extent necessary for this disclaimer to be otherwise enforceable in
such jurisdiction.
______________________________________________________________________________
1. Bulletin Topics
Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1,
2.5, 2.4, 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4, 5.3), SunOS 4.1.4,
and 4.1.3_U1, which relate to a vulnerability involving rpc.cmsd.
Sun recommends that you:
Install the OpenWindows patches listed in section 4 immediately on
systems running SunOS 5.5.1, 5.5, 5.4, 5.3, 4.1.4, and 4.1.3_U1.
Install the Common Desktop Environment (CDE) patches listed in
section 4 immediately on systems running SunOS 5.7 and 5.6.
Install the CDE patches listed in section 4 immediately on systems
running SunOS 5.5.1, 5.5, and 5.4 with CDE 1.0.2 or 1.0.1 installed.
2. Who is Affected
Vulnerable: SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5.1_x86,
5.5, 5.5_x86, 5.4, 5.4_x86, 5.3,
4.1.4, and 4.1.3_U1.
Not vulnerable: All other supported versions of SunOS.
3. Understanding the Vulnerability
The rpc.cmsd is a small database manager for appointment and
resource-scheduling data. Its primary client is Calendar Manager
in OpenWindows, and Calendar in CDE. A buffer overflow vulnerability
has been discovered which may be exploited to execute arbitrary
instructions and gain root access.
4. List of Patches
The following patches are available in relation to the above problem.
OpenWindows:
SunOS version Patch ID
_____________ _________
SunOS 5.5.1 104976-04
SunOS 5.5.1_x86 105124-03
SunOS 5.5 103251-09
SunOS 5.5_x86 103273-07
SunOS 5.4 102030-10
SunOS 5.4_x86 102031-08
SunOS 5.3 101513-14
SunOS 4.1.4 100523-25
SunOS 4.1.3_U1 100523-25
CDE:
SunOS versions CDE version Patch ID
______________ ___________ ________
5.7 1.3 107022-04
5.7_x86 1.3_x86 107023-04
5.6 1.2 105566-07
5.6_x86 1.2_x86 105567-08
5.5.1, 5.5, 5.4 1.0.2 103670-07
5.5.1_x86, 5.5_x86, 5.4_x86 1.0.2_x86 103717-08
5.5, 5.4 1.0.1 103671-07
5.5_x86, 5.4_x86 1.0.1_x86 103718-08
______________________________________________________________________________
APPENDICES
A. Patches listed in this bulletin are available to all Sun customers at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-
license&nav=pub-patches
B. Checksums for the patches listed in this bulletin are available at:
ftp://sunsolve.sun.com/pub/patches/CHECKSUMS
C. Sun security bulletins are available at:
http://sunsolve.sun.com/pub-cgi/secBulletin.pl
D. Sun Security Coordination Team's PGP key is available at:
http://sunsolve.sun.com/pgpkey.txt
E. To report or inquire about a security problem with Sun software, contact
one or more of the following:
- Your local Sun Solution Center
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:
security-alert@sun.com
F. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:
security-alert@sun.com
with a subject line (not body) containing one of the following commands:
Command Information Returned/Action Taken
_______ _________________________________
help An explanation of how to get information
key Sun Security Coordination Team's PGP key
list A list of current security topics
query [topic] The email is treated as an inquiry and is forwarded to
the Security Coordination Team
report [topic] The email is treated as a security report and is
forwarded to the Security Coordination Team. Please
encrypt sensitive mail using Sun Security Coordination
Team's PGP key
send topic A short status summary or bulletin. For example, to
retrieve a Security Bulletin #00138, supply the
following in the subject line (not body):
send #138
subscribe Sender is added to our mailing list. To subscribe,
supply the following in the subject line (not body):
subscribe cws your-email-address
Note that your-email-address should be substituted
by your email address.
unsubscribe Sender is removed from the CWS mailing list.
______________________________________________________________________________
Copyright 1999 Sun Microsystems, Inc. All rights reserved. Sun,
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks
of Sun Microsystems, Inc. in the United States and other countries. This
Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to
Sun Microsystems, Inc. and provided that such reproduction and distribution
is performed for non-commercial purposes.
[ End Sun Microsystems Update ]
[ Start Hewlett-Packard Bulletin ]
Digest Name: Daily Security Bulletins Digest
Created: Thu Sep 9 3:00:02 PDT 1999
Table of Contents:
Document ID Title
--------------- -----------
HPSBUX9908-102 Security Vulnerability in rpc.cmsd
The documents are listed below.
-------------------------------------------------------------------------------
Document ID: HPSBUX9908-102
Date Loaded: 19990908
Title: Security Vulnerability in rpc.cmsd
-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00102, 30 Aug 1999
Last Revised: 08 Sept 1999
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM: Buffer overflow vulnerability in the CDE Calendar Manager
Service Daemon, rpc.cmsd.
PLATFORM: HP-9000 Series 700/800 HP-UX releases 10.2X, 10.30, 11.00.
DAMAGE: Allows remote and local users to execute arbitrary code with
root privileges.
SOLUTION: **REVISED 01**
Install the applicable patch.
AVAILABILITY: The patches are available now.
CHANGE SUMMARY: This revision affects only HP-UX 10.24 (VVOS).
-------------------------------------------------------------------------
I.
A. Background
This problem has been reported in CERT Advisory CA-99-08.
B. Fixing the problem - Install the applicable patch:
For HP-UX release 10.20 PHSS_19482;
------>>>> For HP-UX release 10.24 PHSS_19702;
For HP-UX release 11.00 PHSS_19483.
There are significant patch dependencies for these patches.
Note: HP-UX release 10.30 was a development release prior to
the availability of HP-UX release 11.00. HP-UX release
10.30 will not be patched.
C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP Electronic Support Center via electronic
mail, do the following:
Use your browser to get to the HP Electronic Support Center page
at:
http://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)
http://europe-support.external.hp.com (for Europe)
Login with your user ID and password (or register for one).
Remember to save the User ID assigned to you, and your password.
Once you are in the Main Menu:
To -subscribe- to future HP Security Bulletins,
click on "Support Information Digests".
To -review- bulletins already released from the main Menu,
click on the "Search Technical Knowledge Database."
Near the bottom of the next page, click on "Browse the HP
Security Bulletin Archive".
Once in the archive there is another link to our current Security
Patch Matrix. Updated daily, this matrix categorizes security
patches by platform/OS release, and by bulletin topic.
The security patch matrix is also available via anonymous ftp:
us-ffs.external.hp.com
~ftp/export/patches/hp-ux_patch_matrix
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin
is not edited or changed in any way, is attributed to HP, and
provided such reproduction and/or distribution is performed for
non-commercial purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9908-102--------------------------------------
[ End Hewlett-Packard Bulletin ]
______________________________________________________________________________
CIAC wishes to acknowledge CERT, Compaq Computer Corp., Sun Microsystems,
and Hewlett-Packard for the information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:
1. Call the CIAC voice number 925-422-8193 and leave a message, or
2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or
3. Send e-mail to 4498369@skytel.com, or
4. Call 800-201-9288 for the CIAC Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
J-041: Cisco IOS(R) Software Input Access List Leakage with NAT
J-042: Web Security
J-043: Creating/Installing Warning Banners
J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
J-045: Vulnerability in statd exposes vulnerability in automountd
J-046: HP-UX VVOS NES Vulnerability
J-047: The ExploreZip Worm
J-048: Malformed HTR Request Vulnerability
J-049: Windows NT, Two Denial-of-Service Vulnerabilities
J-050: HP-UX Visualize Conference Vulnerability
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBN8w9FLnzJzdsy3QZAQHwAwP+JviOcEmphlGHvI4HqglPLAqrs0kqYTcv
lt+xdraCda+ewrmsfZVzwfsjF1d14RenwuX4ofLfC8Cvts/UVISDATLIl+KfFF70
/JHvoupfsNQ9d0/MK22Sosi+125uUZGMN+OsqKunVCcWzlKyZLIzYIb9mvNxaigf
JChbWbBJvYk=
=RAwW
-----END PGP SIGNATURE-----
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
