Original issue date: June 9, 1999<BR>
Last revised: November 9, 1999<BR>
Added Vendor information for IBM Corporation.<BR>
Source: CERT/CC<BR>
<H3>Systems Affected</H3>
<P>Systems running older versions of rpc.statd and automountd
<H2>I. Description</H2>
<P>This advisory describes two vulnerabilities that are being used
together by intruders to gain access to vulnerable systems. The first
vulnerability is in rpc.statd, a program used to communicate state
changes among NFS clients and servers. The second vulnerability is in
automountd, a program used to automatically mount certain types of
file systems. Both of these vulnerabilities have been widely discussed
on public forums, such as
<A HREF="http://www.netspace.org/lsv-archive/bugtraq.html">
<B>BugTraq</B></A>, and some vendors have issued security advisories
related to the problems discussed here. Because of the number of
incident reports we have received, however, we are releasing this
advisory to call attention to these problems so that system and
network administrators who have not addressed these problems do so
immediately. For more information about attacks using various RPC
services please see CERT® Incident Note IN-99-04
<A HREF="http://www.cert.org/incident_notes/IN-99-04.html">
http://www.cert.org/incident_notes/IN-99-04.html</A>
<P>The vulnerability in rpc.statd allows an intruder to call arbitrary
rpc services with the privileges of the rpc.statd process. The called
rpc service may be a local service on the same machine or it may be a
network service on another machine. Although the form of the call is
constrained by rpc.statd, if the call is acceptable to another rpc
service, the other rpc service will act on the call as if it were an
authentic call from the rpc.statd process.
<P>The vulnerability in automountd allows a local intruder to execute
arbitrary commands with the privileges of the automountd process. This
vulnerability has been widely known for a significant period of time,
and patches have been available from vendors, but many systems remain
vulnerable because their administrators have not yet applied the
appropriate patches.
<P>By exploiting these two vulnerabilities simultaneously, a remote
intruder is able to "bounce" rpc calls from the rpc.statd
service to the automountd service on the same targeted
machine. Although on many systems the automountd service does not
normally accept traffic from the network, this combination of
vulnerabilities allows a remote intruder to execute arbitrary commands
with the administrative privileges of the automountd service,
typically root.
<P>Note that the rpc.statd vulnerability described in this advisory is
distinct from the vulnerabilities described in CERT Advisories
<a
href=http://www.cert.org/advisories/CA-96.09.rpc.statd.html>CA-96.09</a>
and <a href=http://www.cert.org/advisories/CA-97.26.statd.html>CA-97.26</a>.
<H2>II. Impact</H2>
<P>The vulnerability in rpc.statd may allow a remote intruder to call
arbitrary rpc services with the privileges of the rpc.statd process,
typically root. The vulnerablility in automountd may allow a local
intruder to execute arbitrary commands with the privileges of the
automountd service.
<P>By combining attacks exploiting these two vulnerabilities, a remote
intruder is able to execute arbitrary commands with the privileges of
the automountd service.
<H4>Note</H4>
<P>It may still be possible to cause rpc.statd to call other rpc services
even after applying patches which reduce the privileges of rpc.statd.
If there are additional vulnerabilities in other rpc services
(including services you have written), an intruder may be able to
exploit those vulnerabilities through rpc.statd. At the present time,
we are unaware of any such vulnerabilitity that may be exploited
through this mechanism.
<H2>III. Solutions</H2>
<B>Install a patch from your vendor</B>
<P>Appendix A contains input from vendors who have provided information
for this advisory. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact your vendor directly.
<H3>Appendix A: Vendor Information</H3>
<B><U>Caldera</U></B><BR><br>
<dl><dd>
<P>Caldera's currently not shipping statd.
<P>
</dl>
<b><u>Compaq Computer Corporation</u></b><br><br>
<dl><dd>
(c) Copyright 1998, 1999 Compaq Computer Corporation.
All rights reserved.
<br>
SOURCE: Compaq Computer Corporation<br>
Compaq Services<br>
Software Security Response Team USA<br>
<br>
This reported problem has not been found to affect the as shipped,
Compaq's Tru64/UNIX Operating Systems Software.
<br>
- Compaq Computer Corporation
<P>
</dl>
<b><u>Data General</u></b><br><br>
<dl><dd>
<P>We are investigating. We will provide an update when our investigation
is complete.
<P>
</dl>
<B><U>Hewlett-Packard Company</U></B><BR><br>
<dl><dd>
HP is vulnerable to a remote attack against automountd.
<P>
Please see the following document for details on workarounds:<BR><br>
<dl><dd>
HPSBUX9910-104 Security Advisory regarding automountd<BR><br>
</dl>
<P>
Patch development is in progress.
<P>
</dl>
<B><U>IBM Corporation</U></B><BR><br>
<DL><DD>
<P>AIX is not vulnerable.
<P>IBM and AIX are registered trademarks of International Business
Machines Corporation.
<P>
</DL>
<b><u>The Santa Cruz Operation, Inc.</u></b><br><br>
<dl><dd>
No SCO products are vulnerable.
</dl>
<br>
<B><U>Silicon Graphics, Inc.</U></B><BR><br>
<dl><dd>
% IRIX <br><br>
<dl><dd>
% rpc.statd<br>
IRIX 6.2 and above ARE NOT vulnerable. <br>
IRIX 5.3 is vulnerable, but no longer supported.<br>
<br>
% automountd <br>
With patches from SGI Security Advisory 19981005-01-PX installed,<br>
IRIX 6.2 and above ARE NOT vulnerable.<br>
</dl>
<br>
% Unicos<br>
<br>
<dl><dd>
Currently, SGI is investigating and no further information is <br>
available for public release at this time.<br>
<br>
</dl>
As further information becomes available, additional advisories<br>
will be issued via the normal SGI security information distribution<br>
method including the wiretap mailing list.<br>
<br>
SGI Security Headquarters<br>
<a href="http://www.sgi.com/Support/security/">http://www.sgi.com/Support/security</a><br>
<P>
</dl>
<B><U>Sun Microsystems Inc.</U></B>
<DL><DD>
<P>
The following patches are available:<BR>
<BR>
rpc.statd:<BR>
<BR>
Patch OS Version<BR>
_____ __________<BR>
<BR>
106592-02 SunOS 5.6 <BR>
106593-02 SunOS 5.6_x86 <BR>
104166-04 SunOS 5.5.1 <BR>
104167-04 SunOS 5.5.1_x86 <BR>
103468-04 SunOS 5.5 <BR>
103469-05 SunOS 5.5_x86 <BR>
102769-07 SunOS 5.4 <BR>
102770-07 SunOS 5.4_x86 <BR>
102932-05 SunOS 5.3<BR>
<BR>
The fix for this vulnerability was integrated in SunOS 5.7 (Solaris 7)
before it was released.<BR>
<BR>
automountd:<BR>
<BR>
104654-05 SunOS 5.5.1 <BR>
104655-05 SunOS 5.5.1_x86 <BR>
103187-43 SunOS 5.5 <BR>
103188-43 SunOS 5.5_x86 <BR>
101945-61 SunOS 5.4 <BR>
101946-54 SunOS 5.4_x86 <BR>
101318-92 SunOS 5.3<BR>
<BR>
SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not vulnerable.<BR>
<BR>
Sun security patches are available at:<BR>
<A HREF="http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches">
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches</A>
<P>
</dl>
<HR WIDTH="100%">
<P>Our thanks to Olaf Kirch of Caldera for his assistance in helping
us understand the problem and Chok Poh of Sun Microsystems for his
assistance in helping us construct this advisory.
<p><!--#include virtual="/include/footer_nocopyright.html" --> </p>
<p>Copyright 1999 Carnegie Mellon University.</p>
<HR>
Revision History
<PRE>
October 22, 1999 Updated vendor information for Hewlett-Packard Company
July 22, 1999 Added link to IN-99-04 in the "Description" section.
November 9, 1999 Added vendor information for IBM Corporation.
</PRE>
|