Original release date: December 11, 2002<br> 
Last revised: Tue Dec 17 14:43:22 EST 2002<br>
Source: CERT/CC<br>

<p>A complete revision history can be found at the end of this file.</p>

<a name="affected"></a>
<h3>Systems Affected</h3>

<ul>
<li>Sun Cobalt RaQ 4 Server Appliances with the Security Hardening Package installed</li>
<li>Sun Cobalt RaQ 3 Server Appliances running the RaQ 4 build with the Security Hardening Package installed</li>
</ul>


<a name="overview"></a>
<h2>Overview</h2>

A remotely exploitable vulnerability has been discovered in <a
href="http://www.sun.com/hardware/serverappliances/">Sun Cobalt
RaQ Server Appliances</a> running Sun's <a
href="http://www.sun.com/hardware/serverappliances/pdfs/support/RaQ_4_SHP_UG.pdf">Security
Hardening Package (SHP)</a>. Exploitation of this vulnerability may
allow remote attackers to execute arbitrary code with superuser
privileges.

<br>
<a name="description"></a>
<h2>I. Description</h2>

<p>
Cobalt RaQ is a Sun Server Appliance. Sun provides a Security Hardening Package (SHP)
for Cobalt RaQs. Although the SHP is not installed by default, many users
choose to install it on their RaQ servers.
For background information on the SHP, please see the
<a
href="http://www.sun.com/hardware/serverappliances/pdfs/support/RaQ_4_SHP_UG.pdf">SHP
RaQ 4 User Guide</a>.
</p>

<p>
A vulnerability in the SHP may allow a remote attacker to execute
arbitrary code on a Cobalt RaQ Server Appliance. The vulnerability
occurs in a CGI script that does not properly filter
input. Specifically,
<i>overflow.cgi</i> does not adequately filter input destined for the
<i>email</i> variable. Because of this flaw, an attacker can use a
POST request to fill the <i>email</i> variable with arbitrary
commands. When the attacker then calls <i>overflow.cgi</i>, the
commands placed in the <i>email</i> variable are executed with
superuser privileges.
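<p>The advisory does not reproduce the code of <i>overflow.cgi</i>. The following added example (not SHP or Sun code) shows the kind of filtering the description says was missing for an <i>email</i> form field: an allowlist check followed by an argument vector that no shell parses. It assumes the value is handed to a mailer program; the mailer path and the function names are hypothetical.</p>

```python
import re

# Conservative allowlist: local part and domain limited to characters that
# carry no meaning to a shell. Stricter than RFC 5322 on purpose.
_EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?"
)
MAX_LEN = 254


def validate_email(value):
    """Return the address if it passes the allowlist, else raise ValueError."""
    if not isinstance(value, str) or len(value) > MAX_LEN:
        raise ValueError("email: wrong type or too long")
    # fullmatch anchors both ends, so a trailing newline or appended
    # text cannot ride along behind a valid-looking prefix.
    if not _EMAIL_RE.fullmatch(value):
        raise ValueError("email: characters outside the allowlist")
    if value.startswith("-") or ".." in value:
        raise ValueError("email: option-like or malformed address")
    return value


def build_mail_argv(email, mailer="/usr/sbin/sendmail"):
    """Build an argument vector for a mailer (hypothetical path).

    The list is meant for subprocess.run(argv, shell=False): each element
    reaches the program as one argument and no shell parses it. The "--"
    ends option parsing so the address cannot be read as a flag.
    """
    return [mailer, "-i", "--", validate_email(email)]


def handle_form(fields):
    """Process a decoded POST form (dict); return (ok, argv_or_reason)."""
    try:
        return True, build_mail_argv(fields.get("email", ""))
    except ValueError as exc:
        return False, str(exc)
```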

<p>

An exploit is publicly available and may be circulating.

<p>
Further information about this vulnerability may be found in <a
href="http://www.kb.cert.org/vuls/id/810921">VU#810921</a> in the <a href="http://www.kb.cert.org/vuls">CERT/CC
Vulnerability Notes Database</a>.

<a name="impact"></a>
<h2>II. Impact</h2>

<p>

A remote attacker may be able to execute arbitrary code on a Cobalt
RaQ Server Appliance with the SHP installed.

<br> <a name="solution"></a>
<h2>III. Solution</h2>

<h4>Apply a patch from your vendor</h4>


<p>
<a href="#vendors">Appendix A</a> contains information provided by
vendors for this advisory.  As vendors report new information to the
CERT/CC, we will update this section and note the changes in our revision
history.  If a particular vendor is not listed below, we have not received
their comments.  Please contact your vendor directly.
</p>

<a name="workarounds"></a>
<h4>Workarounds</h4>

Block access to the Cobalt RaQ administrative httpd server
(typically ports 81/TCP and 444/TCP) at your network perimeter. Note
that this will not protect vulnerable hosts within your network
perimeter. It is important to understand your network configuration
and service requirements before deciding what changes are appropriate.
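<p>Because the perimeter block does not cover hosts inside the network, reviewing the administrative server's access log for requests to <i>overflow.cgi</i> is a useful complementary check. The following is an added example, not part of the original advisory: it assumes the log is in Apache Common Log Format, and the trusted network, the directory in the sample paths and the sample lines are constructed placeholders.</p>

```python
import ipaddress
import re

# Common Log Format prefix: host ident user [time] "METHOD path proto" status
_CLF = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: addresses allowed to reach the admin server (ports 81/444).
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/28")]


def is_admin_source(src):
    """True only when src is an IP address inside an administrative network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or garbage: treat as untrusted
    return any(addr in net for net in ADMIN_NETS)


def find_overflow_cgi_requests(lines):
    """Return one dict per logged request whose path names overflow.cgi."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue
        # Compare on the path only, case-insensitively, without query string.
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith("/overflow.cgi"):
            continue
        hits.append({
            "src": m["src"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            "trusted_source": is_admin_source(m["src"]),
        })
    return hits


# Constructed sample lines (documentation addresses, placeholder directory).
SAMPLE_LOG = [
    '192.0.2.5 - admin [12/Dec/2002:09:14:02 -0500] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.23 - - [12/Dec/2002:09:15:40 -0500] "POST /placeholder-dir/overflow.cgi HTTP/1.0" 200 87',
    '192.0.2.5 - admin [12/Dec/2002:09:20:11 -0500] "GET /placeholder-dir/overflow.cgi HTTP/1.0" 200 640',
]
```

<p>Requests reported with <code>trusted_source</code> set to false, POST requests in particular, are the ones to investigate first.</p>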

<a name="caveats"></a>
<h4>Caveats</h4>

<p>The patch supplied by Sun removes the SHP completely. If your
operation requires the use of the SHP, you may need to find a suitable
alternative.
</p>

<BR>
<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

<a name="sun"></a>
<h4>Sun Microsystems</h4>
Sun confirms that a remote root exploit does affect the Sun/Cobalt RaQ4 platform
if the SHP (Security Hardening Patch) patch was installed.<br>
<br>
Sun has released a Sun Alert which describes how to remove the SHP patch:<br>
<br>
&nbsp;&nbsp;&nbsp; <a
 href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49377">http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49377</a><br>
<br>
The removal patch is available from:<br>
&nbsp;<br>
<a
 href="http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg">http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg</a>
<!-- end vendor -->

<a name="references"></a>
<H2>Appendix B. - References</H2>

<OL>

<li><a name="ref1"></a>
<P>CERT/CC Vulnerability Note: VU#810921 - <A
HREF="http://www.kb.cert.org/vuls/id/810921">http://www.kb.cert.org/vuls/id/810921</a></P></li>

<li><a name="ref2"></a>
<P>Sun SHP RaQ 4 User Guide - <A
HREF="http://www.sun.com/hardware/serverappliances/pdfs/support/RaQ_4_SHP_UG.pdf">http://www.sun.com/hardware/serverappliances/pdfs/support/RaQ_4_SHP_UG.pdf</a></P></li>

<li><a name="ref3"></a>
<P>COBALT RaQ 4 User Manual - <A
HREF="http://www.sun.com/hardware/serverappliances/pdfs/manuals/manual.raq4.pdf">http://www.sun.com/hardware/serverappliances/pdfs/manuals/manual.raq4.pdf</a></P></li>

</OL>

<hr noshade>

<p>grazer@digit-labs.org publicly <A
HREF="http://online.securityfocus.com/archive/1/302259">reported</a>
this vulnerability.

<hr noshade>

<p>Author: <a
href="mailto:cert@cert.org?subject=CA-2002-35%20Feedback%20VU%23810921">Ian A. Finlay</a>.


<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History
<pre>
December 11, 2002: Initial release
December 16, 2002: Added information stating RaQ 3 Server Appliances are vulnerable as well (with SHP installed)
December 16, 2002: Revised systems affected section
</pre>
</p>