A complete revision history can be found at the end of this file.
There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.
The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdr_array() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array() function is used.
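The following C program is an added illustration, not code from this advisory or from any vendor's XDR library. It models the size computation at the heart of the defect: an element count received from the peer is multiplied by a fixed element size to decide how much memory to allocate. The unchecked product wraps in 32-bit unsigned arithmetic, so a large count can produce a small allocation; the checked version refuses any count whose product would not fit, which is the kind of multiplication check the glibc ChangeLog entry in Appendix A describes. All function names and sample header values below are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the values an xdr_array()-style decoder works
 * with: the element count arrives from the peer as an unsigned 32-bit XDR
 * integer; the element size and the caller's maximum count come from the
 * application. */

/* Unchecked size computation: count * elsize in 32-bit unsigned arithmetic.
 * The product silently wraps modulo 2^32, so a huge count can yield a tiny
 * allocation that a later per-element decode loop then overruns. */
uint32_t naive_alloc_bytes(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Checked size computation. Returns true and stores the byte count in *out
 * only when count is within the caller's limit and count * elsize fits in
 * 32 bits. The division test detects multiplicative overflow before the
 * multiplication is performed, so no wrapped value is ever produced. */
bool checked_alloc_bytes(uint32_t count, uint32_t maxsize, uint32_t elsize,
                         uint32_t *out)
{
    if (elsize == 0)
        return false;               /* zero-sized elements make no sense */
    if (count > maxsize)
        return false;               /* more elements than the caller allows */
    if (count > UINT32_MAX / elsize)
        return false;               /* count * elsize would wrap */
    *out = count * elsize;
    return true;
}

/* Classify one decoded array header the way a hardened decoder would:
 * -1 means reject the message; otherwise the number of bytes that is safe
 * to allocate is returned as a 64-bit value, so a caller cannot confuse it
 * with a wrapped 32-bit product. */
int64_t decode_array_header(uint32_t wire_count, uint32_t maxsize,
                            uint32_t elsize)
{
    uint32_t bytes;
    if (!checked_alloc_bytes(wire_count, maxsize, elsize, &bytes))
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    /* Constructed sample headers: a benign one, and one whose count is
     * chosen so that count * 4 wraps to a small number in 32-bit arithmetic. */
    struct { uint32_t count, elsize; const char *label; } samples[] = {
        { 100u,        4u, "benign: 100 four-byte elements" },
        { 0x40000001u, 4u, "hostile: count * 4 wraps to 4" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t naive = naive_alloc_bytes(samples[i].count, samples[i].elsize);
        int64_t checked = decode_array_header(samples[i].count, UINT32_MAX,
                                              samples[i].elsize);
        printf("%s\n  unchecked product: %u bytes\n  checked decoder: %s\n",
               samples[i].label, naive,
               checked < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The point of the design is that the bound on the product, not only on the count, is what matters: a caller-supplied maximum count is only a useful defence when callers actually pass a tight limit, and a decoder that passes an effectively unlimited maximum still needs the division test to reject counts whose product would wrap.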
This issue is currently being tracked as VU#192995 by the CERT/CC and CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE) dictionary.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
Specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.
Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the vulnerability note, we have not received their comments. Please contact your vendor directly.
Note that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.
Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.
System administrators should consider the following process when addressing this issue:
Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdr_array() function. Such applications include, but are not limited to, the following:
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments.
The vulnerability described in this note is fixed with Security Update 2002-08-02.
The Debian GNU/Linux distribution was vulnerable with regard to the XDR problem as stated above, with the following vulnerability matrix:
                       OpenAFS                  Kerberos5                GNU libc
Debian 2.2 (potato)    not included             not included             vulnerable
Debian 3.0 (woody)     vulnerable (DSA 142-1)   vulnerable (DSA 143-1)   vulnerable
Debian unstable (sid)  vulnerable (DSA 142-1)   vulnerable (DSA 143-1)   vulnerable
However, the following advisories were raised recently which contain and announce fixes:
DSA 142-1 OpenAFS (safe versions are: 1.2.3final2-6 (woody) and 1.2.6-1 (sid))
DSA 143-1 Kerberos5 (safe versions are: 1.2.4-5woody1 (woody) and 1.2.5-2 (sid))
The advisory for the GNU libc is pending; it is currently being recompiled. The fixed versions will probably be:
Debian 2.2 (potato) glibc 2.1.3-23 or later
Debian 3.0 (woody) glibc 2.2.5-11.1 or later
Debian unstable (sid) glibc 2.2.5-12 or later
Version 2.2.5 and earlier versions of the GNU C Library are vulnerable. For Version 2.2.5, we suggest the following patch. This patch is also available from the GNU C Library CVS repository at:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc
2002-08-02 Jakub Jelinek <jakub@redhat.com>
- sunrpc/xdr_array.c (xdr_array): Check for overflow on multiplication. Patch by Solar Designer <solar@openwall.com>.
[ text of diff available in CVS repository link above --CERT/CC ]
Please see ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc
SOURCE: Hewlett-Packard Company
RE: Potential RPC XDR buffer overflow
At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released operating system software products.
As further information becomes available, HP will provide notice of the availability of any necessary patches through standard security bulletin announcements, and they will be available from your normal HP Services support channel.
IBM is vulnerable to the above XDR Library issues in both the 4.3 and 5.1 releases of AIX. A temporary patch is currently available through an efix package. Efixes are available from
ftp.software.ibm.com/aix/efixes/security/
See the README file in this directory for additional information on the efixes.
The following APARs will be available in the near future:
AIX 4.3.3: APAR #IY34194 ( available approx 10/1/2002 )
AIX 5.1.0: APAR #IY34158 ( available approx 10/16/2002 )
The Juniper Networks SDX-300 Service Deployment System (SSC) does use XDR for communication with an ERX edge router, but does not make use of the Sun RPC libraries. The SDX-300 product is not vulnerable to the Sun RPC XDR buffer overflow as outlined in this CERT advisory.
kth-krb and heimdal are not vulnerable to this problem since they do not use any Sun RPC at all.
Please see http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt
The patch is available directly:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt
The following detached PGP signature should be used to verify the authenticity and integrity of the patch:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc
Microsoft is currently conducting an investigation based on this report. We will update this advisory with information once it is complete.
Please see ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
NetApp systems are not vulnerable to this problem.
The xdr_array(3) integer overflow was present in the glibc package on Openwall GNU/*/Linux until 2002/08/01, when it was corrected for Owl-current and documented as a security fix in the system-wide change log available at:
http://www.openwall.com/Owl/CHANGES.shtml
The same glibc package update also fixes a very similar but different calloc(3) integer overflow possibility that is currently not known to allow for an attack on a particular application, but has been patched as a proactive measure. The Sun RPC xdr_array(3) overflow may allow for passive attacks on mount(8) by malicious or spoofed NFSv3 servers as well as for both passive and active attacks on RPC clients or services that one might install on Owl. (There are no RPC services included with Owl.)
Red Hat distributes affected packages glibc and Kerberos in all Red Hat Linux distributions. We are currently working on producing errata packages; when complete, these will be available along with our advisory at the URLs below. At the same time, users of the Red Hat Network will be able to update their systems using the 'up2date' tool.
http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc)
http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)
SGI now has patches available to fix this problem, per 20020801-01-P:
ftp://patches.sgi.com/support/free/security/advisories/20020801-01-P
Sun can confirm that there is a type overflow vulnerability in the xdr_array(3NSL) function which is part of the network services library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert 46122 which describes the issue, applications affected, and workaround information. The Sun Alert will be updated as more information or patches become available and is located here:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122
Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available, which will be located at:
http://sunsolve.sun.com/security
Thanks to Sun Microsystems for working with the CERT/CC to make this document possible. The initial vulnerability research and demonstration was performed by Internet Security Systems (ISS).
Authors: Jeffrey S. Havrilla and Cory F. Cohen.
Copyright 2002 Carnegie Mellon University.
Revision History
Aug 05, 2002: Initial release
Aug 06, 2002: Minor update to Debian statement, corrected glibc for Debian 3.0 (woody) will be 2.2.5-11.1 or later
Aug 06, 2002: Added IBM statement
Aug 19, 2002: Updated SGI statement
Sep 03, 2002: Updated IBM statement
Oct 03, 2002: Added Microsoft Bulletin MS02-057 to list of references