Original issue date: October 12, 1998<BR>
Last revised: November 9, 1998<BR>
Added vendor information for IBM Corporation and Silicon Graphics Inc.<BR>
Updated information for Data General

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>

<P>NFS servers running certain implementations of mountd, primarily
Linux systems. On some systems, the vulnerable NFS server is enabled
by default. This vulnerability can be exploited even if the NFS server
does not share any file systems.

<P>See <A HREF="#Appendix A - Vendor">Appendix A</A> for information
from vendors. If your vendor's name does not appear, we did not hear
from that vendor.

<P>
<H3>Overview:</H3>

<P>NFS is a distributed file system in which clients make use of file
systems provided by servers. There is a vulnerability in some
implementations of the software that NFS servers use to log requests
to use file systems.

<P>When a client makes a request to use a file system and subsequently
makes that file system available as a local resource, the client is
said to "mount" the file system. The vulnerability lies in the
software on the NFS server that handles requests to mount file
systems. This software is usually called "mountd" or "rpc.mountd."

<P>Intruders who exploit the vulnerability are able to gain
administrative access to the vulnerable NFS file server. That is, they
can do anything the system administrator can do. This vulnerability
can be exploited remotely and does not require an account on the
target machine.

<P>On some vulnerable systems, the mountd software is installed and
enabled by default. <A HREF="#Appendix A - Vendor">See Appendix A</A>
for more information.

<P>We will update this advisory as we receive additional
information. Please check our advisory files regularly for updates
that relate to your site.

<P><HR>
<H2>I. Description</H2>

<P>NFS is used to share files among different computers over the
network using a client/server paradigm. When an NFS client computer
wishes to access files on an NFS server, the client must first make a
request to mount the file system. There is a vulnerability in some
implementations of the software that handles NFS mount requests (the
mountd program). Specifically, it is possible for an intruder to
overflow a buffer in the area of code responsible for logging NFS
activity.

<P>We have received reports indicating that intruders are actively
using this vulnerability to compromise systems and are engaging in
large-scale scans to locate vulnerable systems.

<P>On some systems, the vulnerable NFS server is enabled by
default. See the vendor information in <A HREF="#Appendix A - Vendor">
Appendix A</A>.

<H2>II. Impact</H2>

<P>After causing a buffer overflow, a remote intruder can use the
resulting condition to execute arbitrary code with root privileges.

<H2>III. Solution</H2>

<P>A. Install a patch from your vendor.

<P><A HREF="#Appendix A - Vendor">Appendix A</A> contains input from
vendors who have provided information for this advisory. We will
update the appendix as we receive more information. If you do not see
your vendor's name, the CERT/CC did not hear from that vendor. Please
contact your vendor directly.

<P>B. Until you install a patch, use the following workaround.

<P>Consider disabling NFS until you are able to install the
patch. In particular, since some systems ship with vulnerable versions of
mountd installed and enabled by default, we recommend that you disable
mountd on those systems unless you are actively using them as
NFS servers. Note that the vulnerability can be exploited even when the
server exports no file systems, so an idle mountd is still exposed.
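<P>The following script is an added example, not part of the CERT advisory or any vendor's code: it flags the exact condition the workaround targets, a host where mountd is registered with the portmapper (NFS mount program number 100005) but <TT>/etc/exports</TT> contains no active entries. It runs against the live system when <TT>rpcinfo</TT> and <TT>/etc/exports</TT> are present and otherwise against constructed sample data.

```shell
#!/bin/sh
# Added example (not from the advisory): detect mountd registered with
# the portmapper on a host that exports nothing, the case the advisory
# says should have mountd disabled rather than left running.

# Returns 0 if the given `rpcinfo -p` output shows a registered mountd,
# matched by service name or by NFS mount program number 100005.
mountd_registered() {
    printf '%s\n' "$1" |
        awk '$1 == "100005" || $NF == "mountd" { found = 1 } END { exit !found }'
}

# Returns 0 if the given /etc/exports content has at least one entry,
# ignoring blank lines and comment lines.
exports_active() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[^[:space:]#]'
}

# Combine both checks into a one-line verdict for the operator.
assess_host() {
    if mountd_registered "$1"; then
        if exports_active "$2"; then
            echo "mountd running with exports: apply the vendor patch"
        else
            echo "mountd running with NO exports: disable mountd now"
        fi
    else
        echo "mountd not registered: not exposed to this issue"
    fi
}

# Constructed sample data standing in for a live host (rpcinfo -p output
# and an exports file that shares nothing).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100005    1   udp    635  mountd
    100003    2   udp   2049  nfs'
SAMPLE_EXPORTS='# /etc/exports - nothing shared on this host
'

# Check the real system when the tools are present; otherwise
# demonstrate the verdict on the constructed sample.
if command -v rpcinfo >/dev/null 2>&1 && [ -r /etc/exports ]; then
    assess_host "$(rpcinfo -p 2>/dev/null)" "$(cat /etc/exports)"
else
    assess_host "$SAMPLE_RPCINFO" "$SAMPLE_EXPORTS"
fi
```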

<P><HR>

<H2><A NAME="Appendix A - Vendor"></A>Appendix A - Vendor Information</H2>
Below is a list of the vendors who have provided information for this advisory.
We will update this appendix as we receive additional information. If you
do not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact the vendor directly.

<P><B><U>Berkeley Software Design, Inc. (BSDI)</U></B>

<P>BSDI systems are not vulnerable to this attack.

<P><B><U>Caldera</U></B>

<P>Caldera provided a fixed version as nfs-server-2.2beta35-2 on Aug 28.
It is available from

<P><A HREF="ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/013">ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/013</A>

<P><TT>10fdb82ed8fd1b88c73fd962d8980bb4 RPMS/nfs-server-2.2beta35-2.i386.rpm<BR>
59e275b1ed6b98a39a38406f0415a226 RPMS/nfs-server-clients-2.2beta35-2.i386.rpm<BR>
6b075faf1d424e099c6932d95e76fd6b SRPMS/nfs-server-2.2beta35-2.src.rpm</TT>

<P><B><U>Compaq Computer Corporation</U></B>

<P>SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer Corporation.
All rights reserved.
<BR>SOURCE: Compaq Computer Corporation Compaq Services Software Security
Response Team USA
<BR>x-ref: SSRT0574U mountd

<P>This reported problem is not present in the as-shipped Compaq Digital
ULTRIX or Compaq Digital UNIX Operating Systems Software.

<P>- Compaq Computer Corporation

<P><B><U>Data General Corporation</U></B>

<P>DG/UX is not vulnerable to this problem.

<P><B><U>FreeBSD, Inc.</U></B>

<P>FreeBSD 2.2.6 and above seem not to be vulnerable to this exploit.

<P><B><U>Fujitsu Limited</U></B>

<P>Fujitsu's UXP/V operating system is not vulnerable.

<P><B><U>Hewlett-Packard Company</U></B>

<P>Not vulnerable.

<P><B><U>IBM Corporation</U></B>

<P>The version of rpc.mountd shipped with AIX is not vulnerable.
 
<P>IBM and AIX are registered trademarks of International Business Machines
Corporation.

<P><B><U>NCR</U></B>

<P>NCR is not vulnerable. We do not do any of the specified logging, nor
do we have mountd (or normally anything else) hanging on port 635.

<P><B><U>The NetBSD Project</U></B>

<P>NetBSD is not vulnerable to this attack in any configuration. Neither
the NFS server nor the mount daemon is enabled by default.

<P><B><U>The OpenBSD Project</U></B>

<P>OpenBSD is not affected.

<P><B><U>Red Hat Software, Inc.</U></B>

<P>All versions of Red Hat Linux are vulnerable, and we have provided fixed
packages for all our users. Updated nfs-server packages are available from
our site at <A HREF="http://www.redhat.com/support/docs/errata.html">http://www.redhat.com/support/docs/errata.html</A>.

<P><B><U>The Santa Cruz Operation, Inc.</U></B>

<P>No SCO platforms are vulnerable.

<P><B><U>Silicon Graphics Inc.</U></B>

<P>Please refer to Silicon Graphics Inc. Security Advisory, "mountd Buffer
Overflow Vulnerability", Number: 19981006-01-I, distributed October 26, 1998
for additional information about this vulnerability.
 
<P>Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at <A HREF="http://www.sgi.com/Support/security/security.html">http://www.sgi.com/Support/security/security.html</A>.

<P><B><U>Sun Microsystems, Inc.</U></B>

<P>Sun's mountd is not affected.
<BR>
<HR>
<BR>

<B>Contributors</B>

<P>Our thanks to Olaf Kirch and Wolfgang Ley for their input and
assistance in constructing this advisory.


<p>Copyright 1998 Carnegie Mellon University.</p>



<HR>

Revision History
<PRE>
Nov.  9, 1998  Added vendor information for IBM and SGI
               Updated information for Data General

Oct. 21, 1998  Added vendor information for Berkeley Software Design, Inc.
</PRE>