Vulnerability Note VU#516825

Integer overflow in Sun RPC XDR library routines

Overview

The XDR library from Sun Microsystems is a widely used implementation for RPC services. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations. Some implementations of standard functions in this API may contain an integer overflow.

I. Description

The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems.

Some memory allocation routines in the XDR library provided by Sun Microsystems contain an integer overflow that can lead to improperly sized dynamic memory allocation. The length of the allocated buffer is interpreted as a signed integer, whereas the callers interpret the length as an unsigned integer. The xdrmem_getbytes() function is one example of where the flaw may occur. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdrmem_getbytes() function is used. Other functions in the xdrmem_*() family may suffer from an identical error.
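To make the signed/unsigned mismatch concrete, here is a constructed C model of the pattern described above, written for this note and not taken from the Sun library or any vendor's source; the struct, the field names x_private and x_handy, the sample stream and the function names are assumptions. It places the vulnerable length check beside a hardened one and shows how a single oversized length is accepted by the first and rejected by the second.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an xdrmem-style stream (not the Sun library's source):
 * a read cursor plus a count of bytes still available.  As the note describes,
 * the count is a signed int while callers pass the length as unsigned. */
struct xdrmem {
    const unsigned char *x_private; /* current read position */
    int x_handy;                    /* bytes remaining, signed */
};

/* Vulnerable style: subtract first, then test the signed result.  With 16 bytes
 * left, a request of 0xFFFFFFF0 wraps the counter to +32 and is accepted, so a
 * following memcpy(len) would read far past the end of the buffer. */
bool xdr_check_vulnerable(struct xdrmem *x, unsigned int len) {
    x->x_handy -= len;              /* computed unsigned, stored as int */
    return x->x_handy >= 0;
}

/* Hardened: compare in unsigned space before touching the counter, and reject
 * a counter that has already gone negative. */
bool xdr_check_hardened(const struct xdrmem *x, unsigned int len) {
    return x->x_handy >= 0 && len <= (unsigned int)x->x_handy;
}

/* xdrmem_getbytes-style read built on the hardened check. */
bool xdr_getbytes(struct xdrmem *x, unsigned char *out, unsigned int len) {
    if (!xdr_check_hardened(x, len))
        return false;
    memcpy(out, x->x_private, len);
    x->x_private += len;
    x->x_handy -= (int)len;         /* in range: len <= x_handy */
    return true;
}

static const unsigned char sample[] = "0123456789abcdef"; /* constructed 16-byte stream */

/* Runs one check against a fresh sample stream and returns its verdict. */
bool demo_accepts(bool hardened, unsigned int len) {
    struct xdrmem x = { sample, (int)(sizeof sample - 1) };
    return hardened ? xdr_check_hardened(&x, len) : xdr_check_vulnerable(&x, len);
}

int main(void) {
    printf("vulnerable check accepts 0xFFFFFFF0: %d\n", demo_accepts(false, 0xFFFFFFF0u));
    printf("hardened check accepts 0xFFFFFFF0: %d\n", demo_accepts(true, 0xFFFFFFF0u));
    return 0;
}
```

The same wrap can be triggered by any length whose unsigned subtraction lands back in the non-negative int range, which is why the fix compares before subtracting rather than testing the sign afterwards.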

Researchers at eEye Digital Security discovered this vulnerability and have also published an advisory. This vulnerability is similar to, but distinct from, VU#192995.

II. Impact

Because Sun RPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. Furthermore, because RPC services often run as root on affected systems, this vulnerability may be leveraged to gain remote root access on vulnerable systems.

III. Solution

Apply a patch from the vendor

Several vendors of relevant or derived implementations have released patches to address this vulnerability; please see the vendor section of this document for further details.

Workarounds

Disable access to vulnerable services or applications

Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdrmem_*() functions. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

Systems Affected

Vendor                         Status           Date Notified / Updated
-----------------------------  ---------------  -----------------------
3Com                           Unknown          18-Feb-2003
Alcatel                        Unknown          18-Feb-2003
Apple Computer Inc.            Not Vulnerable   21-Feb-2003
AT&T                           Unknown          18-Feb-2003
Avaya                          Unknown          18-Feb-2003
BSDI                           Unknown          18-Feb-2003
Cisco Systems Inc.             Unknown          18-Feb-2003
Compaq Computer Corporation    Vulnerable       18-Apr-2003
Computer Associates            Unknown          18-Feb-2003
Conectiva                      Vulnerable       9-May-2003
Cray Inc.                      Unknown          21-Feb-2003
D-Link Systems                 Unknown          18-Feb-2003
Data General                   Unknown          18-Feb-2003
Debian                         Vulnerable       9-Apr-2003
F5 Networks                    Unknown          18-Feb-2003
Foundry Networks Inc.          Unknown          18-Feb-2003
FreeBSD                        Vulnerable       20-Mar-2003
Fujitsu                        Unknown          21-Feb-2003
Gentoo Linux                   Vulnerable       31-Mar-2003
GNU glibc                      Vulnerable       21-Feb-2003
Guardian Digital Inc.          Vulnerable       21-Mar-2003
Heimdal Kerberos Project       Unknown          18-Feb-2003
Hewlett-Packard Company        Vulnerable       11-Feb-2004
Hitachi                        Not Vulnerable   20-Mar-2003
IBM                            Vulnerable       18-Mar-2003
IBM-zSeries                    Unknown          18-Feb-2003
Ingrian Networks               Not Vulnerable   10-Mar-2003
Intel                          Unknown          18-Feb-2003
Juniper Networks               Unknown          18-Feb-2003
KTH Kerberos Development Team  Unknown          18-Feb-2003
Lotus Software                 Unknown          18-Feb-2003
Lucent Technologies            Unknown          18-Feb-2003
MandrakeSoft                   Vulnerable       1-Apr-2003
Microsoft Corporation          Unknown          18-Feb-2003
MIT Kerberos Development Team  Vulnerable       20-Mar-2003
MontaVista Software            Unknown          18-Feb-2003
Multinet                       Unknown          18-Feb-2003
NEC Corporation                Not Vulnerable   7-Mar-2003
NetBSD                         Vulnerable       26-Mar-2003
NetScreen                      Unknown          18-Feb-2003
Network Appliance              Not Vulnerable   18-Mar-2003
NeXT                           Unknown          18-Feb-2003
Nokia                          Not Vulnerable   21-Feb-2003
Nortel Networks                Vulnerable       9-Apr-2003
Open Group                     Unknown          18-Feb-2003
OpenAFS                        Unknown          21-Feb-2003
OpenBSD                        Unknown          18-Feb-2003
Openwall GNU/*/Linux           Unknown          24-Mar-2003
Oracle Corporation             Unknown          18-Feb-2003
Red Hat Inc.                   Vulnerable       2-Apr-2003
Redback Networks Inc.          Unknown          21-Feb-2003
Riverstone Networks            Unknown          20-Feb-2003
RSA Security                   Unknown          18-Feb-2003
Sequent                        Unknown          18-Feb-2003
SGI                            Vulnerable       9-Apr-2003
Slackware                      Vulnerable       23-May-2003
Sony Corporation               Unknown          18-Feb-2003
Stonesoft                      Vulnerable       21-May-2003
Sun Microsystems Inc.          Vulnerable       18-Mar-2003
SuSE Inc.                      Vulnerable       28-May-2003
The SCO Group (SCO Linux)      Vulnerable       20-Mar-2003
The SCO Group (SCO UnixWare)   Vulnerable       20-Mar-2003
Top Layer Networks             Not Vulnerable   1-Apr-2003
Trustix                        Vulnerable       27-Mar-2003
TurboLinux                     Vulnerable       12-Aug-2003
Unisys                         Unknown          18-Feb-2003
Wind River Systems Inc.        Unknown          18-Feb-2003
Wirex                          Vulnerable       17-Apr-2003
Xerox Corporation              Vulnerable       9-May-2003
Xi Graphics                    Unknown          18-Feb-2003

References

eEye Digital Security advisory AD20030318: http://www.eeye.com/html/Research/Advisories/AD20030318.html
RFC 1831, RPC: Remote Procedure Call Protocol Specification Version 2: http://www.ietf.org/rfc/rfc1831.txt
RFC 1832, XDR: External Data Representation Standard: http://www.ietf.org/rfc/rfc1832.txt

Credit

Thanks to Riley Hassell of eEye Digital Security for reporting this vulnerability.

This document was written by Chad R Dougherty and Jeffrey S Havrilla.

Other Information

Date Public: 2003-03-18
Date First Published: 2003-03-19
Date Last Updated: 2004-02-11
CERT Advisory: CA-2003-10
CVE-ID(s): CAN-2003-0028
NVD-ID(s): CAN-2003-0028
US-CERT Technical Alerts:
Metric: 12.02
Document Revision: 33

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2003 Carnegie Mellon University