Original release date: July 16, 1999<BR>
Last revised: January 7, 2000<BR>
Updated HP vendor information.<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>

<UL>
<LI>Systems running the Calendar Manager Service daemon, often named
rpc.cmsd
</UL>

<H2>I. Description</H2>

<P>A buffer overflow vulnerability has been discovered in the Calendar
Manager Service daemon, rpc.cmsd.  The rpc.cmsd daemon is frequently
distributed with the Common Desktop Environment (CDE) and Open
Windows.

<H2>II. Impact</H2>

<P>Remote and local users can execute arbitrary code with the
privileges of the rpc.cmsd daemon, typically root.  Under some
configurations rpc.cmsd runs with an effective userid of daemon,
while retaining root privileges.

<P>This vulnerability is being exploited in a significant number of
incidents reported to the CERT/CC.  An exploit script was posted to
BUGTRAQ. For more information about attacks using various RPC services,
please see CERT&reg; Incident Note IN-99-04:
<A HREF="http://www.cert.org/incident_notes/IN-99-04.html">
http://www.cert.org/incident_notes/IN-99-04.html</A>.


<H2>III. Solution</H2>

<P><B>Install a patch from your vendor</B>

<P>Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact your vendor directly.

<P>We will update this advisory as more information becomes available.
Please check the CERT/CC Web site for the most current revision.

<P><B>Disable the rpc.cmsd daemon</B>

<P>If you are unable to apply patches to correct this vulnerability,
you may wish to disable the rpc.cmsd daemon.  If you disable rpc.cmsd,
it may affect your ability to manage calendars.
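
<P>One way to carry out and verify the workaround above, shown as an added example that is not CERT/CC or vendor code. It assumes rpc.cmsd is started from an inetd.conf entry and registers as ONC RPC program 100068; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CERT/CC or vendor code.
# Assumptions: rpc.cmsd is launched from inetd and registers as ONC RPC
# program 100068 (the usual cmsd program number); verify both on your system.
CMSD_PROG=100068

# Print the active (uncommented) inetd.conf lines that launch rpc.cmsd.
# $1 = path to an inetd.conf file
cmsd_active_entries() {
    awk -v prog="$CMSD_PROG" '
        /^[ \t]*#/ { next }                              # already disabled
        index($1, prog "/") == 1 || /rpc\.cmsd/ { print }
    ' "$1"
}

# Write a copy of the file with every active rpc.cmsd entry commented out.
# $1 = source inetd.conf, $2 = output path (review it, then install it and
# signal inetd to reread its configuration)
cmsd_disable() {
    awk -v prog="$CMSD_PROG" '
        /^[ \t]*#/ { print; next }
        index($1, prog "/") == 1 || /rpc\.cmsd/ { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

# Read `rpcinfo -p` output on stdin; exit 0 if cmsd is still registered.
cmsd_registered() {
    awk -v prog="$CMSD_PROG" '$1 == prog { found = 1 } END { exit !found }'
}

# Constructed sample input so the example runs offline.
cmsd_sample_inetd() {
    cat <<'EOF'
# constructed sample, not taken from a real host
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
#100068/2-5 dgram rpc/udp wait root /usr/openwin/bin/rpc.cmsd rpc.cmsd
EOF
}

tmp=$(mktemp -d) && {
    cmsd_sample_inetd > "$tmp/inetd.conf"
    echo "active before: $(cmsd_active_entries "$tmp/inetd.conf" | wc -l)"
    cmsd_disable "$tmp/inetd.conf" "$tmp/inetd.conf.new"
    echo "active after:  $(cmsd_active_entries "$tmp/inetd.conf.new" | wc -l)"
    rm -rf "$tmp"
}
```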

<H3>Appendix A: Vendor Information</H3>

<B><U>Fujitsu</U></B><BR>
<DL><DD>
Fujitsu's UXP/V operating system is not vulnerable.
</DL>

<B><U>Hewlett-Packard Company</U></B><BR>
<DL><DD>
<P>Patches are available.  Please see the following document for details:

<P>HPSBUX9908-102   Security Vulnerability in rpc.cmsd
</DL>

<B><U>IBM Corporation</U></B><BR>
<DL><DD>
AIX is not vulnerable to the rpc.cmsd remote buffer overflow.<BR>
IBM and AIX are registered trademarks of International Business Machines Corporation.
</DL>

<B><U>Santa Cruz Operation, Inc.</U></B><BR>
<DL><DD>

<P>SCO is investigating this problem. The following SCO product contains CDE
and is potentially vulnerable:

<UL>
<LI>SCO UnixWare 7
</UL>

<P>The following SCO products do not contain CDE, and are therefore believed
not to be vulnerable:

<UL>
<LI>SCO UnixWare 2.1
<LI>SCO OpenServer 5
<LI>SCO Open Server 3.0
<LI>SCO CMW+
</UL>

<P>SCO will provide further information and patches if necessary as
soon as possible at
<A HREF="http://www.sco.com/security">http://www.sco.com/security</A>.

</DL>

<B><U>Silicon Graphics, Inc.</U></B><BR>
<DL><DD>

<P>IRIX does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.

<P>UNICOS does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.

</DL>

<B><U>Sun Microsystems, Inc.</U></B><BR>
<DL><DD>
The following patches are available:<BR>
  
<P>OpenWindows:

<PRE>
    SunOS version     Patch ID
    _____________     _________
    SunOS 5.5.1       104976-04
    SunOS 5.5.1_x86   105124-03
    SunOS 5.5         103251-09
    SunOS 5.5_x86     103273-07
    SunOS 5.3         101513-14
    SunOS 4.1.4       100523-25
    SunOS 4.1.3_U1    100523-25
</PRE>
    
<P>CDE:
  
<PRE>
    CDE version       Patch ID
    ___________       ________
    1.3               107022-03
    1.3_x86           107023-03
    1.2               105566-07
    1.2_x86           105567-08
</PRE>

<P>Patches for SunOS 5.4 and CDE 1.0.2 and 1.0.1 will be available within
a week of the release of this advisory.  
      
<P>Sun security patches are available at:

<P><A HREF="http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pubpatches">
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pubpatches</A>

</DL>

<HR NOSHADE>

<P>The CERT Coordination Center would like to thank Chok Poh of Sun
Microsystems, David Brumley of Stanford University, and Elias Levy of
Security Focus for their assistance in preparing this advisory.


<p>Copyright 1999 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
January 7, 2000  Updated HP vendor information
July 22, 1999  Added link to IN-99-04 in the "Impact" section
July 20, 1999  Updated the advisory title
July 16, 1999  Initial release
</PRE>