-----Original Message-----
From: CERT Advisory <cert-advisoryat_private>
To: cert-advisoryat_private <cert-advisoryat_private>
Date: Thursday, September 16, 1999 9:54 PM
Subject: CERT Advisory CA-99.12 - Buffer Overflow in amd

>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-99-12 Buffer Overflow in amd
>
>   Original release date: September 16, 1999
>   Last revised: --
>   Source: CERT/CC
>
>   A complete revision history is at the end of this file.
>
>Systems Affected
>
>     * Systems running amd, the Berkeley Automounter Daemon
>
>I. Description
>
>   There is a buffer overflow vulnerability in the logging facility of
>   the amd daemon.
>
>   This daemon automatically mounts file systems in response to attempts
>   to access files that reside on those file systems. Similar
>   functionality on some systems is provided by a daemon named
>   automountd.
>
>   Systems that include automounter daemons based on BSD 4.x source code
>   may also be vulnerable. A vulnerable implementation of amd is included
>   in the am-utils package, provided with many Linux distributions.
>
>II. Impact
>
>   Remote intruders can execute arbitrary code as the user running the
>   amd daemon (usually root).
>
>III. Solution
>
>Install a patch from your vendor
>
>   Appendix A contains information provided by vendors for this advisory.
>   We will update the appendix as we receive more information. If you do
>   not see your vendor's name, the CERT/CC did not hear from that vendor.
>   Please contact your vendor directly.
>
>   We will update this advisory as more information becomes available.
>   Please check the CERT/CC Web site for the most current revision.
>
>Disable amd
>
>   If you are unable to apply a patch for this problem, you can disable
>   the amd daemon to prevent this vulnerability from being exploited.
>   Disabling amd may prevent your system from operating normally.
>
>Appendix A. Vendor Information
>
>BSDI
>
>   BSD/OS 4.0.1 and 3.1 are both vulnerable to this problem if amd has
>   been configured. The amd daemon is not started if it has not been
>   configured locally. Mods (M410-017 for 4.0.1 and M310-057) are
>   available via ftp from ftp://ftp.bsdi.com/bsdi/patches or via our web
>   site at http://www.bsdi.com/support/patches
>
>Compaq Computer Corporation
>
>   Not vulnerable
>
>Data General
>
>   DG/UX is not vulnerable to this problem.
>
>Erez Zadok (am-utils maintainer)
>
>   The latest stable version of am-utils includes several important
>   security fixes. To retrieve it, use anonymous ftp for the following
>   URL
>
>   ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/
>
>   The MD5 checksum of the am-utils-6.0.1.tar.gz archive is
>
>   MD5 (am-utils-6.0.1.tar.gz) = ac33a4394d30efb4ca47880cc5703999
>
>   The simplest instructions to build, install, and run am-utils are as
>   follows:
>
>     1. Retrieve the package via FTP.
>
>     2. Unpack it:
>          $ gunzip am-utils-6.0.1.tar.gz
>          $ tar xf am-utils-6.0.1.tar
>        If you have GNU tar and gunzip, you can issue a single command:
>          $ tar xzf am-utils-6.0.1.tar.gz
>
>     3. Build it:
>          $ cd am-utils-6.0.1
>          $ ./buildall
>        This would configure and build am-utils for installation in
>        /usr/local. If you built am-utils in the past using a different
>        procedure, you may repeat that procedure instead. For example, to
>        build am-utils using shared libraries and to enable debugging, use
>        either:
>          $ ./buildall -Ds -b
>        or
>          $ ./configure --enable-debug=yes --enable-shared --disable-static
>        You may run "./configure --help" to get a full list of available
>        options. You may run "./buildall -H" to get a full list of options
>        it offers. The buildall script is a simple wrapper script that
>        configures and builds am-utils for the most common desired
>        configurations.
>
>     4. Install it:
>          $ make install
>        This would install the programs, scripts, libraries, manual pages,
>        and info pages in /usr/local/{sbin,bin,lib,man,info}, etc.
>
>     5. Run it.
>        Assuming you have an Amd configuration file in /etc/amd.conf, you
>        can simply run:
>          $ /usr/local/sbin/ctl-amd restart
>        That will stop the older running Amd, and start a new one. If you
>        use a different Amd start-up script, you may use it instead.
>
>FreeBSD
>
>   Please see the FreeBSD advisory at
>
>   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd.asc
>
>   for information on patches for this problem.
>
>Fujitsu
>
>   This vulnerability is still under investigation by Fujitsu.
>
>Hewlett-Packard Company
>
>   HP is not vulnerable.
>
>IBM Corporation
>
>   AIX is not vulnerable. It does not ship the am-utils package.
>
>OpenBSD
>
>   OpenBSD is not vulnerable.
>
>RedHat Inc.
>
>   RedHat has released a security advisory on this topic. It is available
>   from our ftp server at:
>
>   http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html
>
>SCO Unix
>
>   No SCO products are vulnerable.
>
>SGI
>
>   SGI does not distribute am-utils in either IRIX or UNICOS operating
>   systems.
>
>Sun Microsystems, Inc.
>
>   SunOS - All versions are not vulnerable.
>
>   Solaris - All versions are not vulnerable.
>   _________________________________________________________________
>
>   The CERT Coordination Center would like to thank Erez Zadok, the
>   maintainer of the am-utils package, for his assistance in preparing
>   this advisory.
>   ______________________________________________________________________
>
>   This document is available from:
>   http://www.cert.org/advisories/CA-99-12-amd.html
>   ______________________________________________________________________
>
>CERT/CC Contact Information
>
>   Email: certat_private
>   Phone: +1 412-268-7090 (24-hour hotline)
>   Fax: +1 412-268-6989
>   Postal address:
>          CERT Coordination Center
>          Software Engineering Institute
>          Carnegie Mellon University
>          Pittsburgh PA 15213-3890
>          U.S.A.
>
>   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>   Monday through Friday; they are on call for emergencies during other
>   hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
>   We strongly urge you to encrypt sensitive information sent by email.
>   Our public PGP key is available from
>
>   http://www.cert.org/CERT_PGP.key
>
>   If you prefer to use DES, please call the CERT hotline for more
>   information.
>
>Getting security information
>
>   CERT publications and other security information are available from
>   our web site
>
>   http://www.cert.org/
>
>   To be added to our mailing list for advisories and bulletins, send
>   email to cert-advisory-requestat_private and include SUBSCRIBE
>   your-email-address in the subject of your message.
>
>   Copyright 1999 Carnegie Mellon University.
>   Conditions for use, disclaimers, and sponsorship information can be
>   found in
>
>   http://www.cert.org/legal_stuff.html
>
>   * "CERT" and "CERT Coordination Center" are registered in the U.S.
>   Patent and Trademark Office.
>   ______________________________________________________________________
>
>   NO WARRANTY
>   Any material furnished by Carnegie Mellon University and the Software
>   Engineering Institute is furnished on an "as is" basis. Carnegie
>   Mellon University makes no warranties of any kind, either expressed or
>   implied as to any matter including, but not limited to, warranty of
>   fitness for a particular purpose or merchantability, exclusivity or
>   results obtained from use of the material. Carnegie Mellon University
>   does not make any warranty of any kind with respect to freedom from
>   patent, trademark, or copyright infringement.
>   _________________________________________________________________
>
>   Revision History
>Sep 16, 1999: Initial release
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQCVAwUBN+E6AHVP+x0t4w7BAQHwJQP7B+ghNLVt5h9LGkALYqnL1jBz5557fpmo
>6z4ylqHfyHTqXdmjKL89ZhaxkpowvSOTpsAvcWyks+6aRjM0tNeNHc0Omlwt26sW
>fULp0NC1QZxoD7sK/9gJXxjulMPobDw/9MGtoKJi/snSwL7T7LDElz/6MrtII+0l
>vJ/ECkjL4JQ=
>=lGut
>-----END PGP SIGNATURE-----
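An added example, not part of the CERT advisory or of the am-utils package: the maintainer's upgrade steps in Appendix A, gated on the MD5 checksum the advisory publishes for am-utils-6.0.1.tar.gz. The script refuses to unpack or build an archive whose digest does not match, which is the check a practitioner wants before installing a setuid daemon fetched over anonymous FTP. It assumes the tarball has already been downloaded into the current directory and that either GNU `md5sum` or BSD `md5` is on the PATH; the `AMUTILS_DO_UPGRADE` environment variable is an assumption of this script, not something am-utils provides.

```shell
#!/bin/sh
# Added example, not part of the advisory or of am-utils itself.
# Verifies a downloaded am-utils-6.0.1.tar.gz against the MD5 published in
# the advisory, then runs the maintainer's own build/install/restart steps.
set -eu

# Archive name and checksum exactly as given in the advisory text.
AMUTILS_TARBALL="am-utils-6.0.1.tar.gz"
AMUTILS_MD5="ac33a4394d30efb4ca47880cc5703999"

# md5_of FILE: print the bare 32-hex-digit MD5 digest of FILE, using
# whichever tool the platform ships (GNU coreutils md5sum, or BSD/macOS md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "md5_of: neither md5sum nor md5 found on PATH" >&2
        return 2
    fi
}

# verify_md5 FILE EXPECTED: succeed (exit 0) only if FILE's digest equals
# EXPECTED, comparing case-insensitively; otherwise print why and fail.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_md5: $file: no such file" >&2; return 1; }
    actual=$(md5_of "$file" | tr 'A-F' 'a-f')
    [ -n "$actual" ] || { echo "verify_md5: could not compute digest" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($actual)"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# upgrade_am_utils: the maintainer's sequence from Appendix A, run only after
# the checksum check passes. Must be run from the directory holding the
# tarball, as root, with an existing /etc/amd.conf for the restart step.
upgrade_am_utils() {
    verify_md5 "$AMUTILS_TARBALL" "$AMUTILS_MD5" || {
        echo "refusing to build: checksum mismatch on $AMUTILS_TARBALL" >&2
        return 1
    }
    tar xzf "$AMUTILS_TARBALL"                 # GNU tar; else gunzip + tar xf
    (cd am-utils-6.0.1 && ./buildall && make install)
    /usr/local/sbin/ctl-amd restart            # stop the old amd, start the new one
}

# Only perform the upgrade when explicitly requested, so sourcing this file
# for its functions (or running it as a self-check) installs nothing.
if [ "${AMUTILS_DO_UPGRADE:-0}" = 1 ]; then
    upgrade_am_utils
fi
```

Run it as `AMUTILS_DO_UPGRADE=1 sh upgrade-am-utils.sh` in the directory containing the archive. A checksum published in the same signed advisory as the download location only proves the archive is the one the maintainer released; it does not replace checking the advisory's PGP signature first.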
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:27 PDT