Original issue date: April 24, 1996<BR>
Last revised: December 5, 1997<BR>
Added information for NCR Corporation.
<P>A complete revision history is at the end of this file.
<P>The CERT Coordination Center has received reports of a vulnerability
in rpc.statd (rpc.statd is also known as statd on some systems). We
have received reports of this vulnerability being exploited.
<P>If exploited, this vulnerability can be used to remove any file that the root
user can remove or to create any file that the root user can create.
<P>Section III and Appendix A contain information from vendors. Appendix B
contains an example of a possible workaround.
<P>We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
<P><HR>
<H2>I. Description</H2>
rpc.statd, also called statd, is the NFS file-locking status monitor. It
interacts with rpc.lockd, also called lockd, to provide the crash and
recovery functions for file locking across NFS.
<P>Note that rpc.lockd and rpc.statd work together; if either is running,
both must run.
<P>rpc.lockd and rpc.statd can be safely turned off on a machine if that
machine is neither an NFS client nor an NFS server. Consult your
system documentation to learn how to turn these services off and not
restart them when a system is rebooted.
<P>If a machine where rpc.lockd and rpc.statd have been disabled becomes
either an NFS server or an NFS client, then both rpc.lockd and
rpc.statd should be turned back on.
<P>NFS is stateless, which means that NFS clients and servers can be
rebooted without a loss of file integrity due to NFS. In contrast, NFS
file locking is stateful. To achieve this stateful nature in a stateless
environment, rpc.lockd must work with rpc.statd to add state to file
locking.
<P>To understand what rpc.statd does, it is first necessary to understand
what rpc.lockd does. rpc.lockd processes lock requests that are sent
either locally by the kernel or remotely by another lock daemon.
rpc.lockd forwards lock requests for remote NFS files to the NFS server's
lock daemon using Remote Procedure Calls (RPC).
<P>rpc.lockd then requests monitoring service from the status monitor
daemon, rpc.statd, running on the NFS server. Monitoring services are
needed because file locks are maintained in the NFS server kernel. In
the event of a system crash or reboot, all NFS locks would normally be
lost. It is rpc.statd that adds stateful file locking.
<P>When an NFS server reboots, rpc.statd causes the previously held locks
to be recovered by notifying the NFS client lock daemons to resubmit
previously granted lock requests. If a lock daemon fails to secure a
previously granted lock on the NFS server, it sends SIGLOST to the
process that originally requested the file lock.
<P>The vulnerability in rpc.statd is its lack of validation of the
information it receives from what is presumed to be the remote rpc.lockd.
Because rpc.statd normally runs as root and because it does not validate
this information, rpc.statd can be made to remove or create any file that
the root user can remove or create on the NFS server.
<P>
<H2>II. Impact</H2>
Any file that root could remove can be removed by rpc.statd. Any file
that root could create can be created by rpc.statd, albeit with mode 200.
<H2>III. Solution</H2>
The general solution to this problem is to replace the rpc.statd daemon
with one that validates the information sent to it by the remote
rpc.lockd. We recommend that you install a patch from your vendor if
possible. If a patch is not available for your system, we recommend
contacting your vendor and requesting that a patch be developed as soon
as possible. In the meantime, consider whether the information in
Appendix B is applicable to your site.
<H4>Vendor Information</H4>
Below is a list of vendors who have provided information. Details are in
Appendix A of this advisory. We will update the advisory as we receive
more information.
<P>Berkeley Software Design, Inc.<BR>
Cray Research, Inc.<BR>
Data General Corporation<BR>
Harris Computer Systems Corp.<BR>
Hewlett-Packard Company<BR>
IBM Corporation<BR>
NCR Corporation<BR>
NEC Corporation<BR>
NeXT Software, Inc.<BR>
The Santa Cruz Operation<BR>
Silicon Graphics. Inc.<BR>
Sony Corporation<BR>
Sun Microsystems, Inc.<BR>
TGV/Cisco Systems, Inc.
<P>If your vendor's name is not on this list, please contact the vendor
directly.
<P><HR>
<H2>Appendix A: Vendor Information</H2>
Below is information we have received from vendors concerning the
vulnerability described in this advisory. If you do not see your vendor's
name, please contact the vendor directly for information.
<P>
<H3>Apple Computer, Inc.</H3>
<BR>
<H4>A/UX</H4>
An upgrade to A/UX version 3.1 (and 3.1.1) for this vulnerability is
available. The upgrade replaces the rpc.statd binary with a new, improved
version. It is available via anonymous FTP from ftp.support.apple.com:
<P>pub/apple_sw_updates/US/Unix/A_UX/supported/3.x/rpc.statd/rpc.statd.Z
<P>Uncompress(1) this file and replace the existing version in /etc.
Modify the entry for rpc.statd in /etc/inittab to "respawn" instead of "wait".
<BR>Kill the running rpc.statd and restart.
<P>Earlier versions of A/UX are not supported by this patch. Users of
previous versions are encouraged to update their system or disable rpc.statd.
<H4>AIX for the Apple Network Server</H4>
An upgrade to AIX version 4.1.4 for the Network Server which resolves
this vulnerability is available. The PTF replaces the rpc.statd binary
and related programs with new, improved versions.
<P>To determine if you already have APAR IX55931 on your system, run the
following command:
<P>instfix -ik IX55931
<P>Or run the following command:
<P>lslpp -h bos.net.nfs.client
<P>Your version of bos.net.nfs.client should be 4.1.4.7 or later.
<P>The PTF for this APAR is available via anonymous FTP from<BR>
ftp.support.apple.com:
<P>pub/apple_sw_updates/US/Unix/AIX/supported/4.1/bos.net.nfs.client.bff
<P>Place this file in /usr/sys/inst.images or another directory of your choice.
To install the PTF, start smit using the following fast path:
<UL>
# smit install_selectable
</UL>
<P>Select the menu item "Install Fileset Updates by Fix" and provide the
name of the directory in which the PTF was placed. Enter OK and in the
next dialog, enter the APAR number, IX55931, in the "FIXES" item. For
information about the other options in this dialog, see the manual page
for<I> installp(1)</I>. Enter OK, exit smit and restart the system.
<P>Customers should contact their reseller for any additional information.
<P>
<H3>Berkeley Software Design, Inc.</H3>
BSD/OS is not vulnerable.
<H3>Cray Research, Inc.</H3>
This problem has been tracked with SPR 99983 and reported<BR>
with Field notice 2107. Since statd is only available on 9.0 systems
fixes have been provided for UNICOS 9.0 and higher.
<H3>Data General Corporation</H3>
Data General has fixed this vulnerability in DG/UX R4.11 Maintenance
Update 2 (R4.11MU02).
<H3>Digital Equipment Corporation</H3>
For updated information, please refer to the Digital Equipment
Corporation Vendor Bulletin #96.0383, available in
<P>
<A HREF=ftp://ftp.cert.org/pub/vendors/dec/dec_96.0383>ftp://ftp.cert.org/pub/vendors/dec/dec_96.0383</A>
<P>Note: Non-contract/non-warranty customers should contact
local Digital support channels for information
regarding these kits.
<P>As always, Digital urges you to periodically review your system
management and security procedures. Digital will continue to review
and enhance the security features of its products and work with
customers to maintain and improve the security and integrity of their
systems.
<H3>Harris Computer Systems Corporation</H3>
All versions of NightHawk CX/SX and CyberGuard CX/SX are not vulnerable.
<P>All versions of NightHawk CX/UX and PowerUX are vulnerable.<BR>
Users are advised, until patches are available, to use the workaround
in the advisory.
<H3>Hewlett-Packard Company</H3>
The rpc.statd daemon that ships with HP systems contains a
vulnerability that could allow a remote user to delete files
on the system running rpc.statd.
<P>Hewlett Packard is delivering a set of operating system dependent
patches which contain a new version of rpc.statd. Accompanying
each patch is a README file which discusses the general purpose
of the patch and describes how to apply it to your system.
<P>Recommended solution:
<P>Apply one of the following patches based on your system hardware
and operating system revision:
<UL>
s300/s400 9.X - PHNE_7372 (rpc.statd)<BR>
s700/s800 9.X - PHNE_7072 (NFS Megapatch)<BR>
s700/s800 10.X - PHNE_7073 (NFS Megapatch)</UL>
<P>The patches described above provide a new version of the
rpc.statd executable which fixes the vulnerability.
<P>To subscribe to automatically receive future NEW HP Security
Bulletins please refer to information in
<BR>
<A HREF=ftp://ftp.cert.org/pub/vendors/hp/HP.contact_info>ftp://ftp.cert.org/pub/vendors/hp/HP.contact_info</A>
<H3>IBM Corporation</H3>
See the appropriate release below to determine your action.
<H4>AIX 3.2</H4>
Apply the following fix to your system:
<P>APAR - IX56056 (PTF - U441411)
<P>To determine if you have this PTF on your system, run the following
command:
<P>lslpp -lB U441411
<H4>AIX 4.1</H4>
Apply the following fix to your system:
<P>APAR - IX55931
<P>To determine if you have this APAR on your system, run the following
command:
<P>instfix -ik IX55931
<P>Or run the following command:
<P>lslpp -h bos.net.nfs.client
<P
Your version of bos.net.nfs.client should be 4.1.4.7 or later.
<H4>To Order</H4>
APARs may be ordered using FixDist or from the IBM Support Center.
For more information on FixDist, reference URL:
<P>
<A HREF=http://service.software.ibm.com/aixsupport/>http://service.software.ibm.com/aixsupport/</A>
<P>or send e-mail to
<P>
<A HREF=mailto:aixserv@austin.ibm.com>aixserv@austin.ibm.com</A>
with a subject of "FixDist".
<H3>NCR Corporation</H3>
The statd binary that shipped with some older NCR MP-RAS SVR4
releases contains a vulnerability that could allow a remote user to
create or delete files on a server running statd.
<P>NCR is delivering a set of operating system dependent patches which
contain a new version of statd. Accompanying each patch is a README
file which discusses the general purpose of the patch and describes how to
apply it to your system.
<P>Recommended solution:
<P>Apply one of the following patches based on your operating system
revision:
<P>MP-RAS 2.03.x - PNFS203 (Version after 7/26-96)<BR>
MP-RAS 3.00.x - PNFS300 (Version after 8/19-96)<BR>
MP-RAS 3.01.x and later - Not vulnerable<BR>
<P>The patches described above provide a new version of the statd
executable, which fixes the vulnerability.
<P>
<H3>NEC Corporation</H3>
Some systems are vulnerable and patches are available through
anonymous FTP from <A HREF=ftp://ftp.meshnet.or.jp>ftp://ftp.meshnet.or.jp</A>.
<P>
<TABLE BORDER="0" WIDTH="100%">
<TR>
<TD VALIGN=TOP>UP-UX/V (Rel4.2MP)</TD>
<TD VALIGN=TOP> R5.x</TD>
<TD> NECu5s003.COM.pkg
<BR>/pub/48pub/security/up/r5/pkg
<BR>Results of sum = 3060 266
<BR>md5 = 79E626B99A55FB0DBCE6EE642874570A</TD>
</TR><TR>
<TD></TD>
<TD VALIGN=TOP> R6.x</TD>
<TD> NECu6s003.COM.pkg
<BR>/pub/48pub/security/up/r6/pkg
<BR>Results of sum = 47304 272
<BR>md5 = 9FC9E993A5AB51291BF4817D3D70FBFD
</TR>
<TR>
<TD></TD>
<TD VALIGN=TOP> R7.x</TD>
<TD>NECu7s003.COM.pkg
<BR>/pub/48pub/security/up/r7/pkg
<BR>Results of sum = 46470 291
<BR>md5 = 59CA6887078AF88EA165AFD3BF5A1374
</TR>
<TR>
<TD VALIGN=TOP>EWS-UX/V (Rel4.2)</TD>
<TD VALIGN=TOP> R7.X</TD>
<TD>NECe7s004.COM.pkg
<BR>/pub/48pub/security/ews/r7/pkg
<BR>Results of sum = 3827 194
<BR>md5 = 4D40D9258DAB7EA41C30789609818330
</TD></TR>
<TR>
<TD></TD>
<TD VALIGN=TOP>R8.x</TD>
<TD> NECe8s004.COM.pkg
<BR>/pub/48pub/security/ews/r8/pkg
<BR>Results of sum = 24399 199
<BR>md5 = 40B4CB1140791C14D1B604B6E8CB5FCB
</TD></TR>
<TR>
<TD></TD>
<TD VALIGN=TOP>R9.x<BR>(except EWS4800/110N)</TD>
<TD>NECe9s008.COM.pkg
<BR>/pub/48pub/security/ews/r9/pkg
<BR>Results of sum = 23250 203
<BR>md5 = 5AD8BED137AAE7D0067EF3120574786C
</TD></TR>
<TR>
<TD></TD>
<TD VALIGN=TOP>R9.x<BR>(EWS4800/110N)</TD>
<TD>NECe9s007.COM.pkg
<BR>/pub/48pub/security/ews/r9n/pkg
<BR>Results of sum = 3972 201
<BR>md5 = 28B2FA99F5200F81C5465571EF27E08B</TD>
</TR>
<TR>
<TD></TD>
<TD VALIGN=TOP>R10.x</TD>
<TD>NECeas004.COM.pkg
<BR>/pub/48pub/security/ews/ran/pkg
<BR>Results of sum = 51969 205
<BR>md5 = B6E12017E66DC8DC38FBE78CA1F0B0F0</TD>
</TR>
<TR>
<TD VALIGN=TOP>EWS-UX/V (Rel4.2MP)</TD>
<TD VALIGN=TOP> R10.x</TD>
<TD> NECmas007.COM.pkg
<BR>/pub/48pub/security/ews/ra/pkg
<BR>Results of sum = 48060 291
<BR>md5 = 42F8AE832071F033E21D8718A3670D76</TD>
</TR>
<TR>
<TD VALIGN=TOP>UX/480O</TD>
<TD VALIGN=TOP>R11.x</TD>
<TD>NECmbs010.COM.pkg
<BR>/pub/48pub/security/ews/rb/pkg
<BR>Results of sum = 24885 335
<BR>md5 = 7A14CBE4EA9B2470E340B5EEFD523F95
</TD>
</TR>
</TABLE>
<BR>For further information contact: <A HREF="mailto:UX48-security-support@nec.co.jp">UX48-security-support@nec.co.jp</A>
. We encourage you contact the vendor directly if you have any questions.
<H3>NeXT Software, Inc.</H3>
This vulnerability will be fixed in release 4.0 of OpenStep for Mach,
scheduled for 2Q96.
<H3>The Santa Cruz Operation, Inc.</H3>
These are not vulnerable:
<P>SCO UnixWare 2.x.<BR>
SCO OpenServer 3.0, 5<BR>
SCO Open Desktop 2.x, 3.x<BR>
SCO NFS 1.x.x.
<H3>Silicon Graphics, Inc.</H3>
All versions of IRIX earlier than 6.2 are vulnerable.
<P>IRIX 6.2 is not vulnerable.
<P>The the most current information appears in
<P>
<A HREF=ftp://sgigate.sgi.com/security/19960301-01-P>ftp://sgigate.sgi.com/security/19960301-01-P</A>
<H3>Sony Corporation</H3>
<P>
<PRE>
NEWS-OS 4.2.1 vulnerable; Patch 0124 [rpc.statd] is available.
NEWS-OS 6.0.3 vulnerable; Patch SONYP6063 [lockd/statd 2] is
available.
NEWS-OS 6.1 vulnerable; Patch SONYP6176 [lockd/statd] is
available.
NEWS-OS 6.1.1 vulnerable; Patch SONYP6207 [lockd/statd] is
available.
Patches are available via anonymous FTP in the
/pub/patch/news-os/un-official directory on
ftp1.sony.co.jp [202.238.80.18]:
4.2.1a+/0124.doc describes about patch 0124 [rpc.statd]
4.2.1a+/0124_C.pch patch for NEWS-OS 4.2.1C/a+C
4.2.1a+/0124_R.pch patch for NEWS-OS 4.2.1R/RN/RD/aRD/aRS/a+R
6.0.3/SONYP6063.doc describes about patch SONYP6063 [lockd/statd 2]
6.0.3/SONYP6063.pch patch for NEWS-OS 6.0.3
6.1/SONYP6176.doc describes about patch SONYP6176 [lockd/statd]
6.1/SONYP6176.pch patch for NEWS-OS 6.1
6.1.1/SONYP6207.doc describes about patch SONYP6207 [lockd/statd]
6.1.1/SONYP6207.pch patch for NEWS-OS 6.1.1
</PRE>
<P>If you need further information, contact your dealer.
<H3>Sun Microsystems, Inc.</H3>
The following patches are now available to fix the vulnerabilities in
rpc.statd. More details are in Sun Microsystems Security Bulletin #00135,
dated May 21, 1996.
<H3>A. Solaris 2.x (SunOS 5.x) patches</H3>
Patches which replace the affected statd executable are available
for every supported version of SunOS 5.x.
<P>
<TABLE BORDER="0">
<TR><TD> OS version</TD><TD> Patch ID</TD></TR>
<TR><TD><HR WIDTH="60"></TD><TD><HR WIDTH="60"></TD></TR>
<TR><TD> SunOS 5.3</TD><TD> 102932-02</TD></TR>
<TR><TD> SunOS 5.4</TD><TD>102769-03</TD></TR>
<TR><TD> Sun0S 5.4_X86</TD><TD>102770-03</TD></TR>
<TR><TD>SunOS 5.5</TD><TD> 103468-01</TD></TR>
<TR><TD>SunOS 5.5_X86</TD><TD> 103469-01</TD></TR>
</TABLE>
<H3>B. Solaris 1.x (SunOS 4.1.x) patches</H3>
For SunOS 4.1.x, the fix is supplied in a new version of the "UFS
file system and NFS locking" jumbo patch.
<P><TABLE BORDER="0">
<TR><TD> OS version</TD><TD> Patch ID</TD></TR>
<TR><TD><HR WIDTH="60"></TD><TD><HR WIDTH="60"></TD></TR>
<TR><TD> SunOS 4.1.3 </TD><TD> 100988-05</TD></TR>
<TR><TD> SunOS 4.1.3_U1</TD><TD> 101592-07</TD></TR>
<TR><TD> SunOS 4.1.4 </TD><TD>102516-04</TD></TR>
</TABLE>
<P>In the checksum table we show the BSD and SVR4 checksums and MD5 digital
signatures for the compressed tar archives.
<P>In the checksum table we show the BSD and SVR4 checksums and MD5 digital
signatures for the compressed tar archives.
<P>
<PRE>
File BSD SVR4 MD5<BR>
Name Checksum Checksum Digital Signature
--------------- ----------- --------- --------------------------------
100988-05.tar.Z 10148 444 4116 888 ACE925E808A582D6CF9209FE7A51D23B
101592-07.tar.Z 21219 346 32757 692 7B7EE4BD5B2692249FDB9178746AA71B
102516-04.tar.Z 65418 201 61604 401 DB87F3DDA2F12FE2CFBB8B56874A1756
102769-03.tar.Z 38936 74 64202 148 9A8E4D9BE8C58FD532EE0E2140EF7F85
102770-03.tar.Z 04518 71 23051 141 F646E2B7AD66EEFBB32F6AB630796AF8
102932-02.tar.Z 34664 70 45816 139 66CB7F6AE48784A884BA658186268C41
103468-01.tar.Z 30917 82 46790 164 84680D9A0D2AEF62FFE1382C82684BE5
103469-01.tar.Z 31245 82 52288 164 F22AEB0FD91687DAB8ADC4DF10348DE8
</PRE>
<P>The checksums shown above are from the BSD-based checksum (on 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on
on SunOS 5.x (/usr/bin/sum).
<P>Customers with Sun support contracts can obtain patches from:
<P>- SunSolve Online<BR>
- Local Sun answer centers, worldwide<BR>
- SunSITEs worldwide
<P>The patches are available via World Wide Web at <A HREF=http://sunsolve1.sun.com>http://sunsolve1.sun.com</A>.
<P>Customers without support contracts may now obtain security patches,
"recommended" patches, and patch lists via SunSolve Online.
<H3>TGV/Cisco Systems, Inc.</H3>
Cisco MultiNet for OpenVMS is not vulnerable.
<HR>
<H2>Appendix B: Example Workaround Scenario</H2>
The information given below was provided to the CERT/CC by Wolfgang Ley
of DFN-CERT. It is reproduced here as an example of how to run the statd
daemon as a user other than root on a Solaris system. This workaround
may not be directly applicable on other vendor's systems, but an analogous
solution may be possible. Please contact your vendor for assistance.
<P>The statd daemon under Solaris 2.4 and 2.5 starts without problems
if the following steps are taken.
<P>1) Go into single user mode (ensure rpcbind and statd are not running)
<BR>
2) Create a new user, e.g., "statd" with a separate uid/gid
<BR>
3) Chown statd /var/statmon/* /var/statmon/*/*
<BR>
4) Chgrp statd /var/statmon/* /var/statmon/*/*
<BR>
5) Edit /etc/init.d/nfs.client startup script and change the start of the
statd from:
<PRE>
/usr/lib/nfs/statd > /dev/console 2>&1
</PRE>
to:
<PRE>
/usr/bin/su - statd -c "/usr/lib/nfs/statd" > /dev/console 2>&1
</PRE>
6) Reboot the system
<P>
<P><HR>
<P>The CERT Coordination Center thanks Andrew Gross of the San Diego
Supercomputer Center for reporting this problem and Wolfgang Ley of DFN-CERT
for his support in responding to this problem.
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1996 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
Dec. 5, 1997 Appendix A - Added for NCR Corporation.
Sep. 24, 1997 Updated copyright statement
Nov. 12, 1996 Appendix A, SGI - replaced a URL with a pointer to updated
information.
Sep. 18, 1996 Revised opening paragraph.
Aug. 30, 1996 Information previously in the README was inserted into the
advisory.
Appendix A, IBM - put a new URL in the "To Order" section.
Appendix A, Sun - removed a workaround for SunOS 4.x (patches now
available).
Aug. 01, 1996 Appendix A, Hewlett-Packard - updated information.
July 26, 1996 Appendix A, NEC - added patch information.
July 5, 1996 Appendix A, Digital - added pointer to updated vendor
information.
July 1, 1996 Appendix A, SGI - added pointer to release notes.
May 23, 1996 Appendix A, Sun - added pointer to patches.
May 10, 1996 Sec. I - added clarification about disabling rpc.lockd and
rpc.statd.
Appendix A, TGV/Cisco Systems - added an entry.
Appendix A, Sun - added a workaround.
</PRE>
|