Last revised: May 14, 2002
Source: CERT/CC
A complete revision history can be found at the end of this file.
Sun's NFS/RPC file system cachefs daemon (cachefsd) is shipped
and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and
Intel architectures). A remotely exploitable vulnerability exists in
cachefsd that could permit a remote attacker to execute arbitrary code
with the privileges of the cachefsd, typically root. The CERT/CC has
received credible reports of scanning and exploitation of Solaris systems
running cachefsd.
A remotely exploitable heap overflow exists in the cachefsd program
shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8
(SPARC and Intel architectures). Cachefsd caches requests for operations
on remote file systems mounted via the use of NFS protocol. A remote
attacker can send a crafted RPC request to the cachefsd program to exploit
the vulnerability.
Logs of exploitation attempts may resemble the following:
Sun Microsystems has released a Sun
Alert Notification which addresses this issue as well as the issue
described in VU#161931.
According to the Sun
Alert Notification, failed attempts to exploit this vulnerability may
leave a core dump file in the root directory. The presence of the
core file does not preclude the success of subsequent attacks.
Additionally, if the file /etc/cachefstab exists, it may contain
unusual entries.
This issue is also being referenced as CAN-2002-0033:
A remote attacker may be able to execute code with the privileges of
the cachefsd process, typically root.
Apply a patch from your vendor Appendix A contains information provided by
vendors for this advisory.
If a patch is not available, disable cachefsd in inetd.conf
until a patch can be applied.
If disabling the cachefsd is not an option, follow the suggested
workaround in the Sun
Alert Notification.
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, please check the Vulnerability Note
(VU#635811) or contact your vendor directly. For more information please contact Nortel at:
Contacts for other regions are available at
The CERT/CC acknowledges the Last Stage of Delirium Team for
discovering and reporting on this vulnerability and thanks Sun
Microsystems for their technical assistance. Feedback can be directed to the authors: Jason
A. Rafail and Jeffrey S. Havrilla
Copyright 2002 Carnegie Mellon University. Revision History
Systems Affected
Overview
I. Description
May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:21 victim-host last message repeated 7 times
May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:59 victim-host last message repeated 1 time
May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:47:07 victim-host last message repeated 3 times
May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033
II. Impact
III. Solution
Appendix A. - Vendor Information
Cray, Inc.
Cray, Inc. is not vulnerable since cachefs is not supported under Unicos
and Unicos/mk.
Fujitsu
UXP/V is not vulnerable, because it does not have Cachefs
and similar functionalities.
Hewlett-Packard
HP-UX is not vulnerable because it does not use cachefsd.
IBM
IBM's AIX operating system, all versions, is not vulnerable.
Nortel Networks
Nortel Networks products and solutions using the affected Sun Solaris
operating systems do not utilize the NFS/RPC file system cachefs
daemon. Nortel Networks recommends following the mitigating practices
in Sun Microsystems Inc.'s Alert Notification.; this will not impact
these Nortel Networks products and solutions.
North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907
9009
www.nortelnetworks.com/help/contact/global/
SGI
SGI does not ship with SUN cachefsd, so IRIX is not vulnerable.
Sun
See the Sun Alert Notification available at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309.
May 06, 2002: Initial release
May 06, 2002: Corrected CVE number and links
May 07, 2002: Added Hewlett-Packard vendor statement
May 07, 2002: Corrected credit statement
May 09, 2002: Corrected credit statement
May 09, 2002: Corrected CVE number and links
May 09, 2002: Removed AusCERT Advisory
May 13, 2002: Added Cray vendor statement
May 13, 2002: Added Nortel Networks vendor statement
May 14, 2002: Added Fujitsu vendor statement