**************************************************************************

Security Bulletin 9729 DISA Defense Communications System

December 8, 1997 Published by: DISN Security Coordination Center

(SCC@NIC.MIL) 1-(800) 365-3642

DEFENSE INFORMATION SYSTEM NETWORK

SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil.

**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
! The following important advisory was issued by the Computer           !
! Emergency Response Team (CERT) and is being relayed unedited          !
! via the Defense Information Systems Agency's Security                 !
! Coordination Center distribution system as a means of                 !
! providing DISN subscribers with useful security information.          !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================

    CERT* Advisory CA-97.26
    Original issue date: Dec. 5, 1997
    Last revised:

    Topic: Buffer Overrun Vulnerability in statd(1M) Program

    - -----------------------------------------------------------------------------

    The text of this advisory was originally released on December 5, 1997, as AA-97.29, developed by the Australian Computer Emergency Response Team. To more widely broadcast this information, we are reprinting the AUSCERT advisory here with their permission. Only the contact information at the end has changed: AUSCERT contact information has been replaced with CERT/CC contact information.

    We will update this advisory as we receive additional information. Look for it in an "Updates" section at the end of the advisory.

    =============================================================================

    AUSCERT has received information that a vulnerability exists in the statd(1M) program, available on a variety of Unix platforms.

    This vulnerability may allow local users, as well as remote users, to gain root privileges.

    Exploit information involving this vulnerability has been made publicly available.

    This vulnerability is different from the statd vulnerability described in CERT/CC advisory CA-96.09.

    The vulnerability in statd affects various vendor versions of statd. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible.

    This advisory will be updated as more information becomes available.

    - - ---------------------------------------------------------------------------

    1. Description

    AUSCERT has received information concerning a vulnerability in some vendor versions of the RPC server, statd(1M).

    statd provides network status monitoring. It interacts with lockd to provide crash and recovery functions for the locking services on NFS.

    Due to insufficient bounds checking on input arguments which may be supplied by local users, as well as remote users, it is possible to overwrite the internal stack space of the statd program while it is executing a specific rpc routine. By supplying a carefully designed input argument to the statd program, intruders may be able to force statd to execute arbitrary commands as the user running statd. In most instances, this will be root.

    This vulnerability may be exploited by local users. It can also be exploited remotely without the intruder requiring a valid local account if statd is accessible via the network.

    Sites can check whether they are running statd by:

    On System V like systems:

        # ps -fe | grep statd
        root   973     1  0 14:41:46 ?        0:00 /usr/lib/nfs/statd

    On BSD like systems:

        # ps -auxw | grep statd
        root   156  0.0  0.0   52    0 ?  IW   May 3   0:00 rpc.statd

    Specific vendor information regarding this vulnerability can be found in Section 3.

    2. Impact

    This vulnerability permits attackers to gain root privileges. It can be exploited by local users. It can also be exploited remotely without the intruder requiring a valid local account if statd is accessible via the network.

    3. Workarounds/Solution

    The statd program is available on many different systems. As vendor patches are made available sites are encouraged to install them immediately (Section 3.1).

    If you are not using NFS in your environment then there is no need for the statd program to be running and it can be disabled (Section 3.2).

    3.1 Vendor information

    The following vendors have provided information concerning the vulnerability in statd.

        BSDI
        Digital Equipment Corporation
        Hewlett Packard
        IBM Corporation
        The NetBSD Project
        Red Hat Software
        Sun Microsystems

    Specific vendor information has been placed in Appendix A.

    If the statd program is required at your site and your vendor is not listed, you should contact your vendor directly.

    If you do not require the statd program then it should be disabled (Section 3.2).

    3.2 Disabling statd

    The statd daemon is required as part of an NFS environment. If you are not using NFS there is no need for this program and it can be disabled. The statd (or rpc.statd) program is often started in the system initialisation scripts (such as /etc/rc* or /etc/rc*.d/*).

    If you do not require statd it should be commented out from the initialisation scripts. In addition, any currently running statd should be identified using ps(1) and then terminated using kill(1).
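    As an added example that is not part of the advisory, the following POSIX shell script combines the Section 1 process check with a scan of the initialisation scripts that Section 3.2 says to edit; the rpcinfo query and the RPC program number 100024 for the "status" service are assumptions of the example, not taken from the advisory.

```shell
#!/bin/sh
# Added example, not part of the CERT/AUSCERT advisory: audit a host for a
# running statd (the Section 1 check) and for initialisation scripts that
# would start it again at boot (Section 3.2). The rpcinfo query and the RPC
# program number 100024 ("status") are assumptions of this example.

# Constructed ps output in the two formats the advisory shows (plus the
# "grep statd" line that the advisory's own pipeline produces).
SAMPLE_SYSV='UID   PID  PPID C    STIME TTY   TIME CMD
root  973     1 0 14:41:46 ?     0:00 /usr/lib/nfs/statd
root  975     1 0 14:41:46 ?     0:00 /usr/lib/nfs/lockd
root 2201  2188 0 14:50:01 pts/1 0:00 grep statd'
SAMPLE_BSD='root 156 0.0 0.0 52 0 ? IW May 3 0:00 rpc.statd
root 157 0.0 0.0 52 0 ? IW May 3 0:00 rpc.lockd'
SAMPLE_CLEAN='root   1 0.0 0.0 52 0 ? IW May 3 0:00 init
root 160 0.0 0.0 52 0 ? IW May 3 0:00 nfsd'

# Exit 0 when the ps listing in $1 contains a statd process, in either the
# SysV (/usr/lib/nfs/statd) or the BSD (rpc.statd) form.
statd_running_in() {
    printf '%s\n' "$1" | grep -v 'grep' |
        grep -E '(^|[ /])(rpc\.)?statd( |$)' >/dev/null
}

# Print the uncommented lines in scripts under $1 that start statd and exit 0
# if any exist; these are the lines Section 3.2 says to comment out.
statd_start_lines() {
    [ -d "$1" ] || return 1
    grep -En '^[^#]*(rpc\.)?statd' "$1"/* 2>/dev/null
}

# Live audit of this host: ps (SysV flags, BSD flags as fallback), the
# portmapper registration, and the usual init-script directories.
audit_statd() {
    listing=$(ps -fe 2>/dev/null || ps -auxw 2>/dev/null)
    if statd_running_in "$listing"; then
        echo "statd is running; terminate it with kill(1) if NFS is not needed"
    else
        echo "no statd process found"
    fi
    if command -v rpcinfo >/dev/null 2>&1 && rpcinfo -p 2>/dev/null | grep -q ' 100024 '; then
        echo "RPC program 100024 (status) is registered: statd is reachable over the network"
    fi
    for d in /etc/rc.d /etc/rc2.d /etc/rc3.d /etc/init.d; do
        statd_start_lines "$d" && echo "  -> statd is started from scripts in $d"
    done
    return 0
}
case "${1:-}" in --audit) audit_statd ;; esac
```

    Run the script with `--audit` to check the local host; the directory list in audit_statd should be adjusted to wherever the platform keeps its /etc/rc* scripts.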

    ...........................................................................

    Appendix A Vendor information

    The following information regarding this vulnerability for specific vendor versions of statd has been made available to AUSCERT. For additional information, sites should contact their vendors directly.

    BSDI

    No versions of BSD/OS are vulnerable to this problem.

    Digital Equipment Corporation

    DIGITAL UNIX V4.0 thru V4.0c

    At the time of writing this document, patches (binary kits) are in progress and final testing has been completed. Distribution of the fix for this problem is expected to begin soon. Digital will provide notice of the completion/availability of the patches through AES services (WEB, DIA, DSNlink) and be available from your normal Digital Support channel.

    DIGITAL EQUIPMENT CORPORATION 12/97

    Hewlett Packard

    This problem is in the investigation process.

    IBM Corporation

    AIX 3.2 and 4.1 are vulnerable to the statd buffer overflow. However, the buffer overflow described in this advisory was fixed when the APARs for CERT CA-96.09 were released. See the appropriate release below to determine your action.

    AIX 3.2

    Apply the following fix to your system:

    APAR - IX56056 (PTF - U441411)

    To determine if you have this PTF on your system, run the following command:

        lslpp -lB U441411

    AIX 4.1

    Apply the following fix to your system:

    APAR - IX55931

    To determine if you have this PTF on your system, run the following command:

        instfix -ik IX55931

    Or run the following command:

        lslpp -h bos.net.nfs.client

    Your version of bos.net.nfs.client should be 4.1.4.7 or later.

    AIX 4.2

    No APAR required. Fix already contained in the release.

    APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL:

        http://service.software.ibm.com/aixsupport/

    or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

    IBM and AIX are registered trademarks of International Business Machines Corporation.

    The NetBSD project

    NetBSD is not vulnerable to the statd buffer overflow. It does not ship with NFS locking programs (statd/lockd).

    Red Hat Linux

    Red Hat Linux is not vulnerable to the statd buffer overflow. No versions of Red Hat Linux include statd in any form.

    Sun Microsystems

    The statd vulnerability has been fixed by the following patches:

        SunOS version    Patch Id
        -------------    --------
        5.5.1            104166-02
        5.5.1_x86        104167-02
        5.5              103468-03
        5.5_x86          103469-03
        5.4              102769-04
        5.4_x86          102770-04
        4.1.4            102516-06
        4.1.3_U1         101592-09

    SunOS 5.6 and 5.6_x86 are not vulnerable to this problem.

    The vulnerability described in this advisory is not the same as that described in Sun Security Bulletin #135.

    Sun recommended and security patches (including checksums) are available from:

    http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

    AUSCERT maintains a local mirror of Sun recommended and security patches at:

    ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/

    - - ---------------------------------------------------------------------------

    AUSCERT thanks Peter Marelas (The Fulcrum Consulting Group), Tim MacKenzie (The Fulcrum Consulting Group) and CERT/CC for their assistance in the preparation of this advisory.

    - - ---------------------------------------------------------------------------

    If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/)

    CERT/CC Contact Information

    - ----------------------------

    Email cert@cert.org

    Phone +1 412-268-7090 (24-hour hotline)

    CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours.

    Fax +1 412-268-6989

    Postal address

        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

    Using encryption

    We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.

    Location of CERT PGP key

    ftp://info.cert.org/pub/CERT_PGP.key

    Getting security information

    CERT publications and other security information are available from

        http://www.cert.org/
        ftp://info.cert.org/pub/

    CERT advisories and bulletins are also posted on the USENET newsgroup

        comp.security.announce

    To be added to our mailing list for advisories and bulletins, send email to

        cert-advisory-request@cert.org

    In the subject line, type

        SUBSCRIBE your-email-address

    - ---------------------------------------------------------------------------

    Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line.

    *CERT is registered in the U.S. Patent and Trademark Office.

    - ---------------------------------------------------------------------------

    This file: ftp://info.cert.org/pub/cert_advisories/CA-97.26.statd

    http://www.cert.org

    click on "CERT Advisories"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Revision history



    PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

    This document was prepared as a service to the DOD community. Neither the United States Government nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.