Original release date: May 06, 2002<BR> Last revised: May 14, 2002<BR> Source: CERT/CC<BR>
<P>A complete revision history can be found at the end of this file.
<A NAME="affected"></A> <H3>Systems Affected</H3>
<UL> <LI>Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures)</LI> </UL>
<A NAME="overview"></A> <H2>Overview</H2>
<P>Sun's NFS/RPC file system cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remotely exploitable vulnerability exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd process, typically root. The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running cachefsd.
<A NAME="description"></A> <H2>I. Description</H2>
<p>A remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). The cachefsd daemon caches requests for operations on remote file systems mounted via NFS. A remote attacker can exploit the vulnerability by sending a crafted RPC request to cachefsd; no authentication is required beyond the ability to deliver the request.
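<p>The indicators described in the rest of this section (inetd reporting cachefsd terminations to syslog, a core file in the root directory, and entries in <i>/etc/cachefstab</i>) can be checked from a shell. The following script is an added example and is not part of the CERT advisory or of Sun's Alert. The sample log it uses is constructed to match the shape of the excerpt in this section, with one unrelated in.telnetd line added to show that syslog's "last message repeated N times" is only credited to cachefsd when the preceding message was a cachefsd termination. It is POSIX sh; on Solaris 2.x run it under /usr/bin/ksh, since the Bourne /bin/sh lacks <tt>$(...)</tt>.</p>

```shell
#!/bin/sh
# Added example, not part of the CERT advisory or of Sun's Alert Notification.
# Checks three host-side indicators of cachefsd exploitation attempts:
#   1. inetd logging abnormal terminations of /usr/lib/fs/cachefs/cachefsd,
#      with syslog's "last message repeated N times" lines folded back in;
#   2. a core file left in the root directory;
#   3. a non-empty /etc/cachefstab.

# Constructed sample syslog excerpt (not a real capture). The in.telnetd line
# and the "repeated 2 times" after it exercise the attribution logic.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:21 victim-host last message repeated 7 times
May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:30 victim-host in.telnetd[712]: connect from 10.0.0.5
May 16 22:46:31 victim-host last message repeated 2 times
May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:59 victim-host last message repeated 1 time
May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:47:07 victim-host last message repeated 3 times
May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
EOF

# count_cachefsd_terminations LOGFILE
# Prints one line per host: "<host> <count> <first_time> <last_time>".
# A "last message repeated N times" line is credited to a host only when
# that host's previous message was a cachefsd termination from inetd.
count_cachefsd_terminations() {
    awk '
    # syslog fields: $1 month, $2 day, $3 time, $4 host, $5 tag, $6.. message
    $5 ~ /^inetd\[[0-9]+\]:$/ && $6 == "/usr/lib/fs/cachefs/cachefsd:" {
        h = $4; n[h]++
        if (!(h in first)) first[h] = $3
        last[h] = $3; prev_was_cachefsd[h] = 1
        next
    }
    $5 == "last" && $6 == "message" && $7 == "repeated" {
        h = $4
        if (prev_was_cachefsd[h]) { n[h] += $8; last[h] = $3 }
        next
    }
    { prev_was_cachefsd[$4] = 0 }
    END { for (h in n) print h, n[h], first[h], last[h] }
    ' "$1"
}

# flag_cachefsd_bursts LOGFILE THRESHOLD
# Prints an ALERT line for each host at or above THRESHOLD terminations.
# Returns 0 if any host was flagged, 1 otherwise.
flag_cachefsd_bursts() {
    count_cachefsd_terminations "$1" | awk -v t="$2" '
        $2 >= t { print "ALERT:", $1, "logged", $2, "cachefsd terminations between", $3, "and", $4; hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# check_host_indicators [ROOT]
# Reports the two file system indicators from the Sun Alert under ROOT
# (default /; pass a mount point to inspect an offline image).
# Returns 0 if any indicator is present, 1 otherwise.
check_host_indicators() {
    root=${1:-/}; root=${root%/}
    status=1
    if [ -f "$root/core" ]; then
        echo "INDICATOR: core file in root directory:"
        ls -l "$root/core"
        status=0
    fi
    if [ -s "$root/etc/cachefstab" ]; then
        echo "INDICATOR: $root/etc/cachefstab is non-empty; review each entry:"
        cat "$root/etc/cachefstab"
        status=0
    fi
    return $status
}

count_cachefsd_terminations "$SAMPLE_LOG"
flag_cachefsd_bursts "$SAMPLE_LOG" 5 || echo "no host reached 5 terminations"
check_host_indicators / || echo "no core file or cachefstab entries under /"
```

<p>On the sample, the count comes to 18 terminations for victim-host between 22:46:08 and 22:47:11, and the telnetd repeat is ignored. The threshold is a local tuning choice: one crash may be a genuine bug, but a run of segmentation faults and bus errors from an inetd-started RPC daemon within a minute is the pattern the advisory describes. A core file only shows that at least one attempt failed, so a clean result from <tt>check_host_indicators</tt> does not establish that the host is uncompromised.</p>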
<p>Logs of exploitation attempts may resemble the following:
<pre>
May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:21 victim-host last message repeated 7 times
May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:59 victim-host last message repeated 1 time
May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:47:07 victim-host last message repeated 3 times
May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
</pre>
<p>Sun Microsystems has released a <a href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309">Sun Alert Notification</a> that addresses this issue as well as the issue described in <a href="http://www.kb.cert.org/vuls/id/161931">VU#161931</a>.
<p>According to the <a href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309">Sun Alert Notification</a>, failed attempts to exploit this vulnerability may leave a core dump file in the root directory. The presence of the <i>core</i> file shows only that at least one attempt failed; it does not preclude the success of subsequent attacks. Additionally, if the file <i>/etc/cachefstab</i> exists, it may contain unusual entries.
<p>This issue is also being referenced as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033">CAN-2002-0033</a>:
<blockquote> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033</a> </blockquote>
<A NAME="impact"></A> <H2>II.
Impact</H2>
<p>A remote attacker may be able to execute arbitrary code with the privileges of the cachefsd process, typically root.
<A NAME="solution"></A> <H2>III. Solution</H2>
<p><b>Apply a patch from your vendor</b></p>
<P><A HREF="#vendors">Appendix A</A> contains information provided by vendors for this advisory.
<p>If a patch is not available, disable cachefsd in <i>inetd.conf</i> until a patch can be applied.
<p>If disabling cachefsd is not an option, follow the suggested workaround in the <a href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309">Sun Alert Notification</a>.
<A NAME="vendors"></A> <H2>Appendix A. - Vendor Information</H2>
<P>This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the <a href="http://www.kb.cert.org/vuls/id/635811">Vulnerability Note (VU#635811)</a> or contact your vendor directly.</P>
<!-- start vendor --> <A NAME="cray"></A> <H4><a href="http://www.cray.com">Cray, Inc.</a></H4>
<blockquote> Cray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk. </blockquote>
<!-- end vendor -->
<!-- start vendor --> <A NAME="fujitsu"></A> <H4><a href="http://www.fujitsu.com">Fujitsu</a></H4>
<blockquote> UXP/V is not vulnerable, because it does not have Cachefs or similar functionality. </blockquote>
<!-- end vendor -->
<!-- start vendor --> <A NAME="hp"></A> <H4><a href="http://www.hp.com">Hewlett-Packard</a></H4>
<blockquote> HP-UX is not vulnerable because it does not use cachefsd. </blockquote>
<!-- end vendor -->
<!-- start vendor --> <A NAME="ibm"></A> <H4><a href="http://www.ibm.com">IBM</a></H4>
<blockquote> IBM's AIX operating system, all versions, is not vulnerable.
</blockquote>
<!-- end vendor -->
<!-- start vendor --> <A NAME="nortel"></A> <H4><a href="http://www.nortelnetworks.com">Nortel Networks</a></H4>
<blockquote> Nortel Networks products and solutions using the affected Sun Solaris operating systems do not utilize the NFS/RPC file system cachefs daemon. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification; this will not impact these Nortel Networks products and solutions.
<p>For more information please contact Nortel at:
<blockquote> North America: 1-8004NORTEL or 1-800-466-7835 <br>Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 </blockquote>
<p>Contacts for other regions are available at
<blockquote> <a href="http://www.nortelnetworks.com/help/contact/global/">www.nortelnetworks.com/help/contact/global/</a> </blockquote>
</blockquote>
<!-- end vendor -->
<!-- start vendor --> <A NAME="sgi"></A> <H4><a href="http://www.sgi.com">SGI</a></H4>
<blockquote> SGI does not ship with SUN cachefsd, so IRIX is not vulnerable. </blockquote>
<!-- end vendor -->
<!-- start vendor --> <A NAME="sun"></A> <H4><a href="http://www.sun.com">Sun</a></H4>
<blockquote> See the Sun Alert Notification available at <a href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309">http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309</a>. </blockquote>
<!-- end vendor -->
<hr>
<P> The CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.</P>
<HR NOSHADE>
<P>Feedback can be directed to the authors: <A HREF="mailto:cert@cert.org?subject=CA-2002-11%20Feedback%20VU%23635811">Jason A. Rafail and Jeffrey S.
Havrilla</A>
<P>Copyright 2002 Carnegie Mellon University.</P>
<P>Revision History
<PRE>
May 06, 2002: Initial release
May 06, 2002: Corrected CVE number and links
May 07, 2002: Added Hewlett-Packard vendor statement
May 07, 2002: Corrected credit statement
May 09, 2002: Corrected credit statement
May 09, 2002: Corrected CVE number and links
May 09, 2002: Removed AusCERT Advisory
May 13, 2002: Added Cray vendor statement
May 13, 2002: Added Nortel Networks vendor statement
May 14, 2002: Added Fujitsu vendor statement
</PRE>
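<p>Section III's interim workaround is to disable cachefsd in <i>inetd.conf</i> until a patch is applied. The script below is an added example of doing that, not part of the CERT advisory or of Sun's Alert: it comments out any active inetd.conf line that launches <i>/usr/lib/fs/cachefs/cachefsd</i> (the daemon path the advisory names), keeps a backup, and provides helpers to signal inetd and confirm via <tt>rpcinfo</tt> that the service is no longer registered. The sample inetd.conf is constructed; its cachefsd line is written from memory of the Solaris default entry and the program number on it is an assumption, which is why matching is keyed on the daemon path rather than the number. The script is POSIX sh; on Solaris 2.x run it under /usr/bin/ksh.</p>

```shell
#!/bin/sh
# Added example, not part of the CERT advisory or of Sun's Alert Notification.
# Applies the Section III interim workaround: disable the cachefsd entry in
# inetd.conf, then re-read the configuration and verify the RPC service is gone.

# disable_cachefsd_inetd CONF
# Comments out every active line in CONF that launches
# /usr/lib/fs/cachefs/cachefsd, after saving CONF to CONF.pre-cachefsd.
# Prints the number of lines changed. Returns 0 if at least one line was
# changed, 1 if nothing needed changing, 2 on a file error.
disable_cachefsd_inetd() {
    conf=$1
    body='[^#].*/usr/lib/fs/cachefs/cachefsd'   # active (uncommented) line naming the daemon
    [ -r "$conf" ] || return 2
    n=$(grep -c "^$body" "$conf" || :)
    [ "$n" -gt 0 ] || return 1
    cp -p "$conf" "$conf.pre-cachefsd" || return 2
    # Solaris sed has no -i, so rewrite from the backup into the original.
    sed "s!^\\($body\\)!#\\1!" "$conf.pre-cachefsd" > "$conf" || return 2
    echo "$n"
}

# hup_inetd
# Makes the running inetd re-read inetd.conf. Run this on the live host after
# editing; the sample run below does not call it.
hup_inetd() {
    pid=$(ps -e -o pid= -o comm= | awk '$2 ~ /(^|\/)inetd$/ { print $1 }')
    [ -n "$pid" ] || { echo "inetd does not appear to be running" >&2; return 1; }
    kill -HUP $pid
}

# cachefsd_still_registered
# Returns 0 and prints the matching entries if rpcinfo still lists cachefsd on
# the local host. rpcinfo -p prints the service name from /etc/rpc, so the
# match is on that name rather than on a program number.
cachefsd_still_registered() {
    type rpcinfo >/dev/null 2>&1 || { echo "rpcinfo not available here" >&2; return 2; }
    rpcinfo -p 2>/dev/null | grep -i cachefs
}

# Constructed inetd.conf fragment. The ftp/telnet lines are filler; the
# cachefsd line follows the Solaris default as remembered (program number
# assumed, not taken from the advisory).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.pre-cachefsd"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
ftp      stream  tcp   nowait  root  /usr/sbin/in.ftpd      in.ftpd
telnet   stream  tcp   nowait  root  /usr/sbin/in.telnetd   in.telnetd
# Sun cachefs daemon
100235/1 tli     rpc/ticotsord  wait  root  /usr/lib/fs/cachefs/cachefsd  cachefsd
EOF

changed=$(disable_cachefsd_inetd "$SAMPLE_CONF") \
    && echo "commented out $changed cachefsd line(s); backup at $SAMPLE_CONF.pre-cachefsd"
diff "$SAMPLE_CONF.pre-cachefsd" "$SAMPLE_CONF" || :   # show exactly what changed
# On the live host, follow with:
#   hup_inetd && { cachefsd_still_registered || echo "cachefsd no longer registered"; }
```

<p>Commenting the line alone is not enough: inetd keeps its parsed configuration until it receives SIGHUP, and until then it continues to accept connections for cachefsd and register the program with rpcbind. Keep the <i>.pre-cachefsd</i> backup so the entry can be restored once the vendor patch is installed and cachefs is needed again.</p>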