CERT Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk

Before deciding to disable the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.

Block access to vulnerable service

Until patches are available and can be applied, you may wish to block access to the ToolTalk RPC database server and possibly the RPC portmapper service from untrusted networks such as the Internet. Use a firewall or other packet-filtering technology to block the appropriate network ports. The ToolTalk RPC database server may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo(1M) command. In the example above, the ToolTalk RPC database server is configured to use port 32773/tcp. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from attacks that originate from the internal network.

Before deciding to block or restrict access to the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Caldera, Inc.

Caldera Open UNIX and Caldera UnixWare provide the CDE ttdbserverd daemon, and are vulnerable to these issues. Please see Caldera Security Advisory CSSA-2002-SCO.28.1 for more information.

SCO OpenServer and Caldera OpenLinux do not provide CDE, and are therefore not vulnerable.

Cray, Inc.

Cray, Inc. does include ToolTalk within the CrayTools product. However, rpc.ttdbserverd is not turned on or used by any Cray provided application. Since a site may have turned this on for their own use, they can always remove the binary /opt/ctl/bin/rpc.ttdbserverd if they are concerned.

Hewlett-Packard Company

SOURCE: Hewlett-Packard Company Software Security Response Team (SSRT)

Date: 15 August, 2002
CROSS REFERENCE ID: SSRT2274

HP Tru64 UNIX

[Hewlett-Packard has released a security bulletin (SRB0039W/SSRT2274) that addresses VU#387387 and other vulnerabilities.]

HP-UX

A preliminary fix for HP-UX is avaiable:

Originally issued: 12 July 2002
Last revision: 14 Aug 2002

ftp://ttdb1:ttdb1@hprc.external.hp.com/
file: rpc.ttdbserver.2.tar.gz

Details can be found in HPSBUX0207-199 at http://itrc.hp.com

NOT IMPACTED:

HP-MPE/ix
HP OpenVMS
HP NonStop Servers

HP Recommended Workaround:

A recommended workaround is to disable rpc.ttdbserverd until solutions are available. This should only create a potential problem for public software packages applications that use the RPC-based ToolTalk database server. This step should be evaluated against the risks identified, your security measures environment, and potential impact of other products that may use the ToolTalk database server.

To disable rpc.ttdbserverd:

HP Tru64 Unix:

Comment out the following line in /etc/inetd.conf:

rpc.ttdbserverd stream tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

Force inetd to re-read the configuration file by executing the inetd -h command.

Note: The internet daemon should kill the currently running rpc.ttdbserver. If not, manually kill any existing rpc.ttdbserverd process.

HP-UX:

Comment out the following line in /etc/inetd.conf:

rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver [10.20]

or

rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver [11.0/11.11]

Force inetd to re-read the configuration file by executing the inetd -c command.

Note: The internet daemon should kill the currently running rpc.ttdbserver. If not, manually kill any existing rpc.ttdbserverd process.

To report potential security vulnerabilities in HP software, send an E-mail message to: security-alert@hp.com

IBM Corporation

The CDE desktop product shipped with AIX is vulnerable to the issue detailed above in the advisory. This affects AIX releases 4.3.3 and 5.1.0. An efix package for this issue is currently available from the IBM software ftp site.

The efix packages can be downloaded via anonymous ftp from ftp.software.ibm.com/aix/efixes/security/. This directory contains a README file that gives further details on the efix packages.

The following APARs will be available in the near future:

AIX 4.3.3: IY32792

AIX 5.1.0: IY32793

SGI

SGI acknowledges the ToolTalk vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/.

Sun Microsystems, Inc.

The Solaris RPC-based ToolTalk database server, rpc.ttdbserverd, is vulnerable to the buffer overflow described in this advisory in all currently supported versions of Solaris:

Solaris 2.5.1, 2.6, 7, 8, and 9

Patches are being generated for all of the above releases. Sun will be publishing Sun Alert 46366 for this issue which will be located here:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46366

The Sun Alert will be updated as more information or patches become available. The patches will be available from:

http://sunsolve.sun.com/securitypatch

Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at:

http://sunsolve.sun.com/security

Xi Graphics

Xi Graphics deXtop CDE v2.1 is vulnerable to this attack. The update and accompanying text file will be:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

DeXtop version 3.0 already contains this fix.

Most sites do not need to use the ToolTalk server daemon. Xi Graphics Security recommends that non-essential services are never enabled. To disable the ToolTalk server on your system, edit /etc/inetd.conf and comment out, or remove, the 'rpc.ttdbserver' line. Then, either restart inetd, or reboot your machine.

Appendix B. - References

• http://www.opengroup.org/cde/
• http://www.opengroup.org/desktop/faq/
• http://www.entercept.com/news/uspr/08-12-02.asp
• http://www.cert.org/advisories/CA-2002-20.html
• http://www.kb.cert.org/vuls/id/975403
• http://www.kb.cert.org/vuls/id/299816
• http://www.cert.org/advisories/CA-2002-01.html
• http://www.cert.org/advisories/CA-2001-31.html
• http://www.kb.cert.org/vuls/id/172583
• http://www.cert.org/advisories/CA-2001-27.html
• http://www.kb.cert.org/vuls/id/595507
• http://www.kb.cert.org/vuls/id/860296
• http://www.cert.org/advisories/CA-1999-11.html
• http://www.cert.org/advisories/CA-1998-11.html
• http://www.cert.org/advisories/CA-1998-02.html

The CERT Coordination Center thanks Sinan Eren of the Entercept Richochet Team for reporting this vulnerability.

Author: Art Manion

Copyright 2002 Carnegie Mellon University.

Revision History

August 12, 2002: Initial release
August 13, 2002: Updated IBM statement
August 15, 2002: Updated HP statement
August 20, 2002: Updated Caldera and HP statements
September 9, 2002: Updated HP statement