Bob!

> The calendar manager (rpc.cmsd) on Solaris 2.5 and 2.5.1 is vulnerable
> to a buffer overflow attack...
> ... we have seen the intruder delete administrator
> logs, change homepages, and insert backdoors. The attack signature is
> similar to the tooltalk attack.

Can you confirm that the compromised system(s) were equipped with CDE? Or, in other words, was it /usr/dt/bin/rpc.cmsd that was assigned to do the job in /etc/inetd.conf?

> Further, it appears that even patched versions may be
> vulnerable.

Could you be more specific here and tell exactly which patches you are talking about?

> Also, rpc.cmsd under
> Solaris 2.6 could also be problematic.

I want to point out that there is a rather fresh 105566-07 for Solaris 2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed. There is a rather old 103670-03 for Solaris 2.5[.1] which claims "1264389 rpc.cmsd security problem." fixed. Then there is 104976-03 claiming "1265008 : Solaris 2.x rpc.cmsd vulnerabity" fixed. Are these the ones you refer to as "patched versions" and "could be problematic"?

Andy.