Original release date: September 16, 1999<BR>
Last revised: --<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>
<UL>
<LI>Systems running <I>amd</I>, the Berkeley Automounter Daemon
</UL>

<H2><A NAME="description"></A>I. Description</H2>

<P>There is a buffer overflow vulnerability in the logging facility of the <I>amd</I> daemon.

<P>This daemon automatically mounts file systems in response to attempts to access files that reside on those file systems. Similar functionality on some systems is provided by a daemon named <I>automountd</I>.

<P>Systems that include automounter daemons based on BSD 4.x source code may also be vulnerable. A vulnerable implementation of <I>amd</I> is included in the am-utils package, provided with many Linux distributions.

<H2><A NAME="impact"></A>II. Impact</H2>

<P>Remote intruders can execute arbitrary code as the user running the <I>amd</I> daemon (usually root).

<H2><A NAME="solution"></A>III. Solution</H2>

<H4>Install a patch from your vendor</H4>

<P>Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

<P>We will update this advisory as more information becomes available. Please check the CERT/CC Web site for the most current revision.

<H4>Disable amd</H4>

<P>If you are unable to apply a patch for this problem, you can disable the <I>amd</I> daemon to prevent this vulnerability from being exploited. Disabling <I>amd</I> may prevent your system from operating normally.

<H2><A NAME="vendor"></A>Appendix A. Vendor Information</H2>

<H4><U>BSDI</U></H4>
BSD/OS 4.0.1 and 3.1 are both vulnerable to this problem if amd has been configured. The amd daemon is not started if it has not been configured locally.
Mods (M410-017 for 4.0.1 and M310-057) are available via ftp from <A HREF="ftp://ftp.bsdi.com/bsdi/patches">ftp://ftp.bsdi.com/bsdi/patches</A> or via our web site at <A HREF="http://www.bsdi.com/support/patches">http://www.bsdi.com/support/patches</A>

<H4><U>Compaq Computer Corporation</U></H4>
<P>Not vulnerable.

<H4><U>Data General</U></H4>
<P>DG/UX is not vulnerable to this problem.

<H4><U>Erez Zadok (am-utils maintainer)</U></H4>
The latest stable version of am-utils includes several important security fixes. To retrieve it, use anonymous ftp for the following URL:
<DL><DD><A HREF="ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/">ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/</A></DL>

<P>The MD5 checksum of the am-utils-6.0.1.tar.gz archive is
<DL><DD>MD5 (am-utils-6.0.1.tar.gz) = ac33a4394d30efb4ca47880cc5703999</DL>

<P>The simplest instructions to build, install, and run am-utils are as follows:
<OL>
<LI>Retrieve the package via FTP.

<LI>Unpack it:
<PRE>
$ gunzip am-utils-6.0.1.tar.gz
$ tar xf am-utils-6.0.1.tar
</PRE>
If you have GNU tar and gunzip, you can issue a single command:
<PRE>
$ tar xzf am-utils-6.0.1.tar.gz
</PRE>

<LI>Build it:
<PRE>
$ cd am-utils-6.0.1
$ ./buildall
</PRE>
This would configure and build am-utils for installation in /usr/local. If you built am-utils in the past using a different procedure, you may repeat that procedure instead. For example, to build am-utils using shared libraries and to enable debugging, use either:
<PRE>
$ ./buildall -Ds -b
</PRE>
or
<PRE>
$ ./configure --enable-debug=yes --enable-shared --disable-static
</PRE>
You may run "./configure --help" to get a full list of available options. You may run "./buildall -H" to get a full list of options it offers. The buildall script is a simple wrapper script that configures and builds am-utils for the most common desired configurations.
<LI>Install it:
<PRE>
$ make install
</PRE>
This would install the programs, scripts, libraries, manual pages, and info pages in /usr/local/{sbin,bin,lib,man,info}, etc.

<LI>Run it.
<P>Assuming you have an Amd configuration file in /etc/amd.conf, you can simply run:
<PRE>
$ /usr/local/sbin/ctl-amd restart
</PRE>
That will stop the older running Amd and start a new one. If you use a different Amd start-up script, you may use it instead.
</OL>

<H4><U>FreeBSD</U></H4>
<P>Please see the FreeBSD advisory at
<DL><DD><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd.asc">ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd.asc</A></DL>
for information on patches for this problem.

<H4><U>Fujitsu</U></H4>
This vulnerability is still under investigation by Fujitsu.

<H4><U>Hewlett-Packard Company</U></H4>
<P>HP is not vulnerable.

<H4><U>IBM Corporation</U></H4>
<P>AIX is not vulnerable. It does not ship the am-utils package.

<H4><U>OpenBSD</U></H4>
<P>OpenBSD is not vulnerable.

<H4><U>RedHat Inc.</U></H4>
<P>RedHat has released a security advisory on this topic. It is available from our ftp server at:
<DL><DD><A HREF="http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html">http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html</A></DL>

<H4><U>SCO Unix</U></H4>
<P>No SCO products are vulnerable.

<H4><U>SGI</U></H4>
<P>SGI does not distribute am-utils in either the IRIX or UNICOS operating systems.

<H4><U>Sun Microsystems, Inc.</U></H4>
<P>SunOS - No version is vulnerable.
<P>Solaris - No version is vulnerable.

<HR NOSHADE>
<P>The CERT Coordination Center would like to thank Erez Zadok, the maintainer of the am-utils package, for his assistance in preparing this advisory.

<P>Copyright 1999 Carnegie Mellon University.</P>

<HR>
Revision History
<PRE>
Sep 16, 1999: Initial release
</PRE>
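The maintainer's build instructions in Appendix A publish an MD5 for the am-utils-6.0.1 archive but leave the check to the reader. The following POSIX shell script is an added example, not part of this advisory or of the am-utils package: it refuses to unpack, build or install the tarball unless its MD5 matches the published value, then runs the maintainer's steps 2 to 4. The script name check-am-utils.sh is assumed.

```shell
#!/bin/sh
# Added example, not part of the advisory or of am-utils: gate the maintainer's
# unpack/build/install steps on the MD5 published in Appendix A, so a tampered or
# truncated download is never built.

# Published checksum of am-utils-6.0.1.tar.gz (from the advisory).
AM_UTILS_MD5='ac33a4394d30efb4ca47880cc5703999'

# md5_of FILE: print the lowercase hex MD5 of FILE using whichever tool exists
# (GNU coreutils md5sum, BSD md5, or openssl).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 FILE EXPECTED: return 0 only if FILE is readable and its MD5 equals EXPECTED.
verify_md5() {
    [ -r "$1" ] || return 1
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# build_am_utils TARBALL: verify, then run steps 2-4 of the maintainer's
# instructions (GNU tar single-command form, ./buildall, make install).
build_am_utils() {
    tarball=$1
    if ! verify_md5 "$tarball" "$AM_UTILS_MD5"; then
        echo "MD5 mismatch for $tarball: refusing to unpack or build" >&2
        return 1
    fi
    tar xzf "$tarball" || return 1
    cd am-utils-6.0.1 || return 1
    ./buildall && make install
}

# Script usage (assumed name): ./check-am-utils.sh am-utils-6.0.1.tar.gz
if [ "$#" -eq 1 ]; then
    build_am_utils "$1"
fi
```

Run it as root only for the final install step; a mismatch exits non-zero before anything is extracted.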