A complete revision history can be found at the end of this file.
There is an integer overflow in the xdrmem_getbytes() function distributed as part of the Sun Microsystems XDR library. This overflow can cause remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.
XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdrmem_getbytes() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Depending on how and where the vulnerable xdrmem_getbytes() function is used, subsequent problems like buffer overflows may result.
Researchers at eEye Digital Security discovered this vulnerability and have also published an advisory. This issue is currently being tracked as VU#516825 by the CERT/CC and as CAN-2003-0028 in the Common Vulnerabilities and Exposures (CVE) dictionary. Note that this vulnerability is similar to, but distinct from, VU#192995.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
Specific impacts reported include the ability to crash the rpcbind service and possibly execute arbitrary code with root privileges. In addition, intruders may be able to crash the MIT KRB5 kadmind or cause it to leak sensitive information, such as secret keys.
Apply the appropriate patch or upgrade as specified by your vendor. See Appendix A below and the Systems Affected section of VU#516825 for further information.
Note that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.
Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.
System administrators should consider the following process when addressing this issue:
Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdrmem_getbytes() function.
As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
Mac OS X and Mac OS X Server do not contain the vulnerabilities described in this report.
Cray Inc. may be vulnerable and has opened spr's 724153 and 724154 to investigate.
We are currently investigating how the vulnerability reported under VU#516825 affects the Fujitsu UXP/V O.S. We will update this statement as soon as new information becomes available.
Version 2.3.1 of the GNU C Library is vulnerable. Earlier versions are also vulnerable. The following patches have been installed into the CVS sources, and should appear in the next version of the GNU C Library. These patches are also available from the following URLs:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/rpc/xdr.h.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_mem.c.diff?r1=1.13&r2=1.15&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_rec.c.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_sizeof.c.diff?r1=1.5&r2=1.6&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_stdio.c.diff?r1=1.15&r2=1.16&cvsroot=glibc
[ text of diffs available in the links included above --CERT/CC ]
2002-12-16  Roland McGrath

        * sunrpc/xdr_mem.c (xdrmem_inline): Fix argument type.
        * sunrpc/xdr_rec.c (xdrrec_inline): Likewise.
        * sunrpc/xdr_stdio.c (xdrstdio_inline): Likewise.

2002-12-13  Paul Eggert

        * sunrpc/rpc/xdr.h (struct XDR.xdr_ops.x_inline): 2nd arg
        is now u_int, not int.
        (struct XDR.x_handy): Now u_int, not int.
        * sunrpc/xdr_mem.c: Include .
        (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes, xdrmem_putbytes,
        xdrmem_inline, xdrmem_getint32, xdrmem_putint32):
        x_handy is now unsigned, not signed.
        Do not decrement x_handy if no change is made.
        (xdrmem_setpos): Check for int overflow.
        * sunrpc/xdr_sizeof.c (x_inline): 2nd arg is now unsigned.
        (xdr_sizeof): Remove cast that is now unnecessary, now that
        x_handy is unsigned.
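To make the integer overflow described in the overview and the glibc ChangeLog fix above concrete, here is an added C model (not code from this advisory, from Sun's library or from glibc; the struct and function names are invented) that puts the pre-fix signed length check beside the unsigned check the fix introduces, and a hardened getbytes run over a constructed in-memory stream.

```c
#include <stdbool.h>
#include <string.h>

/* Added model, not code from the advisory or any vendor's XDR library; names are invented. */
struct xdr_mem_model {
    unsigned int x_handy;  /* bytes left in the stream (u_int, as after the glibc fix) */
    const char *x_private; /* current read position */
};

/* Pre-fix check: x_handy was a signed int, len a u_int. "int -= u_int" is done in
 * unsigned arithmetic, so a huge len wraps to a small positive value and "< 0"
 * never fires. (The store back into int is implementation-defined; compilers wrap.) */
bool getbytes_accepted_signed(int handy, unsigned int len)
{
    return (handy -= len) >= 0;
}

/* Post-fix check: compare in unsigned arithmetic before touching the counter
 * ("Do not decrement x_handy if no change is made" in the glibc ChangeLog). */
bool getbytes_accepted_unsigned(unsigned int handy, unsigned int len)
{
    return len <= handy;
}

/* Hardened getbytes over an in-memory stream: copies only after the check passes. */
bool xdrmem_getbytes_fixed(struct xdr_mem_model *xs, char *addr, unsigned int len)
{
    if (!getbytes_accepted_unsigned(xs->x_handy, len))
        return false;
    memcpy(addr, xs->x_private, len);
    xs->x_private += len;
    xs->x_handy -= len;
    return true;
}

/* Walks a constructed 16-byte stream: 8 bytes, then an oversized request the old
 * check would have let through, the last 8 bytes, then one byte past the end.
 * Returns how many reads were accepted (2 when the check holds). */
int walk_constructed_stream(void)
{
    static const char wire[] = "0123456789abcdef"; /* constructed sample data */
    struct xdr_mem_model xs = { sizeof wire - 1, wire };
    char out[16];
    int accepted = 0;
    accepted += xdrmem_getbytes_fixed(&xs, out, 8);
    accepted += xdrmem_getbytes_fixed(&xs, out, 0xFFFFFF00u);
    accepted += xdrmem_getbytes_fixed(&xs, out + 8, 8);
    accepted += xdrmem_getbytes_fixed(&xs, out, 1);
    return accepted;
}
```

With 100 bytes remaining, the signed check accepts a length of 0xFFFFFF00 because 100 - 0xFFFFFF00 wraps to 356, whereas the unsigned check rejects it.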
RE: HP Case ID SSRT2439
At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products.
As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.
Hitachi's GR2000 gigabit router series - is NOT vulnerable.
Hitachi's HI-UX/WE2 - is NOT vulnerable, because it does not support RPC/XDR Library.
The AIX operating system is vulnerable to the issues discussed in CERT vulnerability note VU#516825 in releases 4.3.3, 5.1.0 and 5.2.0.
IBM provides the following official fixes:
APAR number for AIX 4.3.3: IY38524
APAR number for AIX 5.1.0: IY38434
APAR number for AIX 5.2.0: IY39231
Please contact your local IBM AIX support center for any assistance.
Ingrian Networks products are not susceptible to the vulnerabilities in VU#516825.
It may be possible for a remote attacker to exploit an integer overflow in xdrmem_getbytes() to crash the kadmind server process by a read segmentation fault. For this to succeed, the kadmind process must be able to allocate more than MAX_INT bytes of memory. This is believed to be unlikely, as most installations are not likely to permit that the allocation of that much memory.
It may also be possible for a remote attacker to exploit this integer overflow to obtain sensitive information, such as secret keys, from the kadmind process. This is believed to be extremely unlikely, as there are unlikely to be ways for the information, once improperly copied, of being returned to the attacker. In addition, the above condition of the kadmind being able to allocate huge amounts of memory must be satisfied.
Please see http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt
This patch may also be found at:
http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt.asc
[Server Products] * EWS/UP 48 Series operating system - is NOT vulnerable.
The length types of the various xdr*_getbytes functions were made consistent somewhere back in 1997 (all u_int), so we're not vulnerable in that area.
[Note: the NetBSD project has released NetBSD Security Advisory 2003-008 in response to this issue --CERT/CC]
NetApp products are not vulnerable to this issue.
This issue has no relationship to the product we ship.
The following Nortel Networks Wireless products are potentially affected by the vulnerability identified in VU#516825:
CDMA SDMX
Nortel Networks recommends applying the latest Sun Microsystems patches in accordance with that vendor's recommendations.
Other Nortel Networks products are being investigated to determine if they are potentially affected by the vulnerability identified in VU#516825 and this statement will be updated as more information becomes available.
The xdrmem_getbytes() integer overflow discovered by eEye Digital Security was present in the glibc package on Openwall GNU/*/Linux until 2003/03/23 when it was corrected for Owl-current (with a back-port from the glibc CVS) and documented as a security fix in the system-wide change log available at:
http://www.openwall.com/Owl/CHANGES-current.shtml
Please note that Owl does not include any RPC services (but it does include a few RPC clients). It has not been fully researched whether an Owl install with no third-party software added is affected by this vulnerability at all.
SGI acknowledges receiving CERT VU#516825 and is currently investigating. This is being tracked as SGI Bug# 880925. No further information is available at this time.
For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported SGI operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/
[Note: SGI has subsequently released SGI Security Advisory 20030402-01-P in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to. --CERT/CC]
Top Layer Networks products do not contain the vulnerabilities described in this CERT Advisory.
Thanks to Riley Hassell of eEye Digital Security for discovering and reporting this vulnerability. Thanks also to Sun Microsystems for additional technical details.
Authors: Chad Dougherty and Jeffrey Havrilla
Copyright 2003 Carnegie Mellon University.
Revision History
Mar 19, 2003: Initial release
Mar 20, 2003: Updated vendor statement from Hitachi
Mar 24, 2003: Added vendor statement for Openwall GNU/*/Linux
Apr 01, 2003: Added vendor statement for Top Layer Networks, updated vendor statement for NetBSD
Apr 09, 2003: Added vendor statement for Nortel Networks, updated vendor statement for SGI