I had both a Solaris V2.5.1 (fully patched as of March 20) and a Solaris V2.7 (fully patched as of April 10) broken into. Both had CDE and were running rpc.cmsd. I know the break-in was either due to rpc.cmsd or rpc.rstatd. Note the break-in occurred using high numbered ports. In any case, I haven't had any trouble since turning off rpc.rstatd and rpc.cmsd.

JMH

Andy Polyakov wrote:

> Can you confirm that compromised system(s) were equipped with CDE? Or in
> other words was it /usr/dt/bin/rpc.cmsd that was assigned to do the job
> in /etc/inetd.conf?
>
> > Further, it appears that even patched versions may be
> > vulnerable.
>
> Could you be more specific here and tell exactly which patches are you
> talking about?
>
> > Also, rpc.cmsd under
> > Solaris 2.6 could also be problematic.
>
> I want to point out that there is a rather fresh 105566-07 for Solaris
> 2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed.
> There is rather old 103670-03 for Solaris 2.5[.1] which claims "1264389
> rpc.cmsd security problem." fixed. Then there is 104976-03 claiming
> "1265008 : Solaris 2.x rpc.cmsd vulnerabity" fixed. Are these the ones
> you refer to as "patched versions" and "could be problematic"?
>
> Andy.

--
John Hall
Hostmaster, Postmaster, Network Manager
Internet Entertainment Group
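Added example, not part of the original message or of any vendor tooling: a shell check for the mitigation discussed above, listing inetd.conf entries that still launch rpc.cmsd or rpc.rstatd and producing a copy with them commented out. The sample file is constructed in the Solaris inetd.conf layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for enabled rpc.cmsd / rpc.rstatd entries.

# Constructed sample in Solaris inetd.conf layout (not taken from a real host).
sample_inetd_conf() {
cat <<'EOF'
# service socket proto wait user server args
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
#rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
EOF
}

# Print "line:program:path" for every active (uncommented) entry whose
# server program (field 6) is rpc.cmsd or rpc.rstatd.
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        {
            n = split($6, p, "/")
            if (p[n] == "rpc.cmsd" || p[n] == "rpc.rstatd")
                printf "%d:%s:%s\n", NR, p[n], $6
        }' "$1"
}

# Write a copy of the file to stdout with those entries commented out.
# inetd only applies the change after it re-reads its configuration (SIGHUP).
disable_rpc_entries() {
    awk '
        !/^[ \t]*#/ && NF >= 6 {
            n = split($6, p, "/")
            if (p[n] == "rpc.cmsd" || p[n] == "rpc.rstatd") { print "#" $0; next }
        }
        { print }' "$1"
}

conf=$(mktemp)
sample_inetd_conf > "$conf"
audit_inetd "$conf"                       # entries still enabled
disable_rpc_entries "$conf" > "$conf.new"
audit_inetd "$conf.new"                   # prints nothing once disabled
rm -f "$conf" "$conf.new"
```

Matching on the server path rather than the service name catches the entry whether it is registered by name (rstatd) or by RPC program number (100068).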