Re: the SunOS 4.1.4 dimension of this problem: Sun tells me that patch 102516-06 and later protect against this issue. (This response was in reaction to Sun Service Order 3993470.) I am not in a position to check the validity of their response.

--Scott

On Thu, 10 Jun 1999, Mark Zielinski wrote:

> This CERT Advisory has failed to mention a few things that I would like to
> point out.
>
> CERT Advisory CA-99.05 reports SunOS 5.6 automountd as not being susceptible
> to the rpc.statd bounce attack. This is incorrect. SunOS 5.6 is indeed
> vulnerable, it is just harder to exploit because it involves DNS spoofing.
>
> Solaris 7 is not vulnerable because the RPC services are no longer run as
> root and automountd will only accept connections from a uid of zero. This
> has nothing to do with Sun incorporating a patch into version 7.
>
> System Administrators should also consider the following. A system
> running SunOS 5.5.1 with a patched automountd (that has not patched rpc.statd)
> is STILL vulnerable. This is because the automountd patch for SunOS 5.5.1
> only stops non-root local users from specifying the command to be run for
> mounting filesystems. Any system running rpc.statd in this situation as
> root (which is default) can still be exploited remotely.
>
> System administrators should also take note that simply disabling rpcbind
> will not stop this problem from being exploited.
>
> Both SUN Microsystems and CERT fail to mention that earlier versions of
> SunOS are also affected. I understand that most systems these days are
> not running these versions, however patches and advisories should still be
> released for those who are running them.
>
> SunOS versions 4.1.3 and 4.1.4 are still vulnerable to the rpc.statd
> bounce attack with no patches currently released.
>
> Best regards,
>
> Mark Zielinski
> System Security Engineer
> Inficad Communications
>
> On Wed, 9 Jun 1999 aleph1at_private wrote:
>
> > Date: Wed, 9 Jun 1999 20:05:23 -0700
> > From: aleph1at_private
> > Reply-To: cert-advisory-requestat_private
> > To: BUGTRAQat_private
> > Subject: CERT Advisory CA-99.05 - statd-automountd
> >
> > CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in
> > automountd
> >
> > Original issue date: June 9, 1999
> > Source: CERT/CC
> >
> > Systems Affected
> >
> > Systems running older versions of rpc.statd and automountd
> >
> > I. Description
> >
> > This advisory describes two vulnerabilities that are being used
> > together by intruders to gain access to vulnerable systems. The first
> > vulnerability is in rpc.statd, a program used to communicate state
> > changes among NFS clients and servers. The second vulnerability is in
> > automountd, a program used to automatically mount certain types of
> > file systems. Both of these vulnerabilities have been widely discussed
> > on public forums, such as BugTraq, and some vendors have issued
> > security advisories related to the problems discussed here. Because of
> > the number of incident reports we have received, however, we are
> > releasing this advisory to call attention to these problems so that
> > system and network administrators who have not addressed these
> > problems do so immediately.
> >
> > The vulnerability in rpc.statd allows an intruder to call arbitrary
> > rpc services with the privileges of the rpc.statd process.
> > The called rpc service may be a local service on the same machine or
> > it may be a network service on another machine. Although the form of
> > the call is constrained by rpc.statd, if the call is acceptable to
> > another rpc service, the other rpc service will act on the call as if
> > it were an authentic call from the rpc.statd process.
> >
> > The vulnerability in automountd allows a local intruder to execute
> > arbitrary commands with the privileges of the automountd process. This
> > vulnerability has been widely known for a significant period of time,
> > and patches have been available from vendors, but many systems remain
> > vulnerable because their administrators have not yet applied the
> > appropriate patches.
> >
> > By exploiting these two vulnerabilities simultaneously, a remote
> > intruder is able to "bounce" rpc calls from the rpc.statd service to
> > the automountd service on the same targeted machine. Although on many
> > systems the automountd service does not normally accept traffic from
> > the network, this combination of vulnerabilities allows a remote
> > intruder to execute arbitrary commands with the administrative
> > privileges of the automountd service, typically root.
> >
> > Note that the rpc.statd vulnerability described in this advisory is
> > distinct from the vulnerabilities described in CERT Advisories
> > CA-96.09 and CA-97.26.
> >
> > II. Impact
> >
> > The vulnerability in rpc.statd may allow a remote intruder to call
> > arbitrary rpc services with the privileges of the rpc.statd process,
> > typically root. The vulnerability in automountd may allow a local
> > intruder to execute arbitrary commands with the privileges of the
> > automountd service.
> >
> > By combining attacks exploiting these two vulnerabilities, a remote
> > intruder is able to execute arbitrary commands with the privileges of
> > the automountd service.
> >
> > Note
> >
> > It may still be possible to cause rpc.statd to call other rpc services
> > even after applying patches which reduce the privileges of rpc.statd.
> > If there are additional vulnerabilities in other rpc services
> > (including services you have written), an intruder may be able to
> > exploit those vulnerabilities through rpc.statd. At the present time,
> > we are unaware of any such vulnerability that may be exploited
> > through this mechanism.
> >
> > III. Solutions
> >
> > Install a patch from your vendor
> >
> > Appendix A contains input from vendors who have provided information
> > for this advisory. We will update the appendix as we receive more
> > information. If you do not see your vendor's name, the CERT/CC did not
> > hear from that vendor. Please contact your vendor directly.
> >
> > Appendix A: Vendor Information
> >
> > Caldera
> >
> > Caldera's currently not shipping statd.
> >
> > Compaq Computer Corporation
> >
> > (c) Copyright 1998, 1999 Compaq Computer Corporation. All rights
> > reserved.
> > SOURCE: Compaq Computer Corporation
> > Compaq Services
> > Software Security Response Team USA
> > This reported problem has not been found to affect the as
> > shipped, Compaq's Tru64/UNIX Operating Systems Software.
> > - Compaq Computer Corporation
> >
> > Data General
> >
> > We are investigating. We will provide an update when our
> > investigation is complete.
> >
> > Hewlett-Packard Company
> >
> > HP is not vulnerable.
> >
> > The Santa Cruz Operation, Inc.
> >
> > No SCO products are vulnerable.
> >
> > Silicon Graphics, Inc.
> >
> > % IRIX
> >
> > % rpc.statd
> > IRIX 6.2 and above ARE NOT vulnerable.
> > IRIX 5.3 is vulnerable, but no longer supported.
> > % automountd
> > With patches from SGI Security Advisory 19981005-01-PX installed,
> > IRIX 6.2 and above ARE NOT vulnerable.
> >
> > % Unicos
> >
> > Currently, SGI is investigating and no further information is
> > available for public release at this time.
> >
> > As further information becomes available, additional advisories
> > will be issued via the normal SGI security information distribution
> > method including the wiretap mailing list.
> > SGI Security Headquarters
> > http://www.sgi.com/Support/security
> >
> > Sun Microsystems Inc.
> >
> > The following patches are available:
> >
> > rpc.statd:
> >
> > Patch      OS Version
> > _____      __________
> > 106592-02  SunOS 5.6
> > 106593-02  SunOS 5.6_x86
> > 104166-04  SunOS 5.5.1
> > 104167-04  SunOS 5.5.1_x86
> > 103468-04  SunOS 5.5
> > 103469-05  SunOS 5.5_x86
> > 102769-07  SunOS 5.4
> > 102770-07  SunOS 5.4_x86
> > 102932-05  SunOS 5.3
> >
> > The fix for this vulnerability was integrated in SunOS
> > 5.7 (Solaris 7) before it was released.
> >
> > automountd:
> >
> > 104654-05  SunOS 5.5.1
> > 104655-05  SunOS 5.5.1_x86
> > 103187-43  SunOS 5.5
> > 103188-43  SunOS 5.5_x86
> > 101945-61  SunOS 5.4
> > 101946-54  SunOS 5.4_x86
> > 101318-92  SunOS 5.3
> >
> > SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not
> > vulnerable.
> >
> > Sun security patches are available at:
> >
> > http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
> > _______________________________________________________________
> >
> > Our thanks to Olaf Kirch of Caldera for his assistance in
> > helping us understand the problem and Chok Poh of Sun
> > Microsystems for his assistance in helping us construct this
> > advisory.
> > _______________________________________________________________
> >
> > This document is available from:
> > http://www.cert.org/advisories/CA-99-05-statd-automountd.html.
> > _______________________________________________________________
> >
> > CERT/CC Contact Information
> >
> > Email: certat_private
> > Phone: +1 412-268-7090 (24-hour hotline)
> > Fax: +1 412-268-6989
> > Postal address:
> > CERT Coordination Center
> > Software Engineering Institute
> > Carnegie Mellon University
> > Pittsburgh PA 15213-3890
> > U.S.A.
> >
> > CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
> > EDT(GMT-4) Monday through Friday; they are on call for
> > emergencies during other hours, on U.S. holidays, and on
> > weekends.
> >
> > Using encryption
> >
> > We strongly urge you to encrypt sensitive information sent by
> > email. Our public PGP key is available from
> > http://www.cert.org/CERT_PGP.key. If you prefer to use DES,
> > please call the CERT hotline for more information.
> >
> > Getting security information
> >
> > CERT publications and other security information are available
> > from our web site http://www.cert.org/.
> >
> > To be added to our mailing list for advisories and bulletins,
> > send email to cert-advisory-requestat_private and include
> > SUBSCRIBE your-email-address in the subject of your message.
> >
> > Copyright 1999 Carnegie Mellon University.
> > Conditions for use, disclaimers, and sponsorship information
> > can be found in http://www.cert.org/legal_stuff.html.
> >
> > * "CERT" and "CERT Coordination Center" are registered in the
> > U.S. Patent and Trademark Office
> > _______________________________________________________________
> >
> > NO WARRANTY
> > Any material furnished by Carnegie Mellon University and the
> > Software Engineering Institute is furnished on an "as is"
> > basis. Carnegie Mellon University makes no warranties of any
> > kind, either expressed or implied as to any matter including,
> > but not limited to, warranty of fitness for a particular
> > purpose or merchantability, exclusivity or results obtained
> > from use of the material. Carnegie Mellon University does not
> > make any warranty of any kind with respect to freedom from
> > patent, trademark, or copyright infringement.
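The Sun patch table in the advisory lends itself to a mechanical compliance check. The script below is an added example, not code from CERT, Sun or anyone in this thread: it reads `showrev -p` output, compares it with the advisory's minimum rpc.statd and automountd revisions, and flags the half-patched state Mark Zielinski describes (automountd patched, rpc.statd not). The `showrev -p` lines are constructed sample data, and the table follows the advisory's own position that SunOS 5.6 needs no automountd patch.

```shell
#!/bin/sh
# Added example, not code from CERT, Sun or anyone in this thread: audit a
# Solaris host's `showrev -p` output against the minimum rpc.statd and
# automountd patch revisions in the Sun table of CA-99.05.
# Advisory table: "<release> <statd patch> <automountd patch>"; the advisory
# lists no automountd patch for SunOS 5.6, written here as "-".
REQUIRED='5.6 106592-02 -
5.5.1 104166-04 104654-05
5.5 103468-04 103187-43
5.4 102769-07 101945-61
5.3 102932-05 101318-92'
# Constructed showrev -p lines (not captured from a real host): a SunOS 5.5.1
# box with automountd patched but rpc.statd two revisions behind, i.e. the
# state Mark Zielinski warns is still remotely exploitable.
SHOWREV_STALE='Patch: 104166-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 104654-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 103582-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'
# The same host after the statd patch from the table is applied.
SHOWREV_FIXED="$SHOWREV_STALE
Patch: 104166-04 Obsoletes: 104166-02 Requires:  Incompatibles:  Packages: SUNWcsu"

# installed_rev <patch base> <showrev output>: highest installed revision of
# that patch base, or empty when the patch is absent.
installed_rev() {
    printf '%s\n' "$2" | sed -n "s/^Patch: $1-\([0-9][0-9]*\) .*/\1/p" | sort -n | tail -n 1
}

# patch_ok <base-rev> <showrev output>: true if an installed revision >= rev.
patch_ok() {
    have=$(installed_rev "${1%-*}" "$2")
    [ -n "$have" ] && [ "$have" -ge "${1#*-}" ]
}

# audit <release> <showrev output>: one verdict line per service; returns 0
# only when both rpc.statd and automountd meet the advisory's revision.
audit() {
    entry=$(printf '%s\n' "$REQUIRED" | awk -v r="$1" '$1 == r { print; f = 1 } END { exit !f }') ||
        { echo "no CA-99.05 entry for SunOS $1"; return 2; }
    rc=0
    for svc in "rpc.statd:$(echo "$entry" | cut -d' ' -f2)" "automountd:$(echo "$entry" | cut -d' ' -f3)"; do
        name=${svc%%:*}; req=${svc#*:}
        if [ "$req" = "-" ]; then echo "$name: no patch listed for SunOS $1"
        elif patch_ok "$req" "$2"; then echo "$name: ok ($req or later installed)"
        else echo "$name: NOT at $req, still exposed"; rc=1; fi
    done
    return $rc
}
audit 5.5.1 "$SHOWREV_STALE"; echo "stale host exit status: $?"
audit 5.5.1 "$SHOWREV_FIXED"; echo "patched host exit status: $?"
```

On a real host replace the constructed strings with `showrev -p` output and the release from `uname -r`; a non-zero exit from `audit` is the signal to act, not the presence of any single patch.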
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:49:15 PDT