Vulnerability Note VU#516825

Integer overflow in Sun RPC XDR library routines

Original Release date: 19 Mar 2003 | Last revised: 11 Feb 2004

Overview

The XDR library from Sun Microsystems is a widely used implementation for RPC services. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations. Some implementations of standard functions in this API may contain an integer overflow.

Description

The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems.

Some memory allocation routines in the XDR library provided by Sun Microsystems contain an integer overflow that can lead to improperly sized dynamic memory allocation. The length of the allocated buffer is interpreted as a signed integer, whereas the callers interpret the length as an unsigned integer. The xdrmem_getbytes() function is one example of where the flaw may occur. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdrmem_getbytes() function is used. Other functions in the xdrmem_*() family may suffer from an identical error.
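The signed/unsigned length mismatch described above, as an added example that is not code from the Sun library or any vendor's implementation: a constructed miniature of an XDR memory stream whose remaining-byte counter is a signed int, with the flawed bounds check beside a hardened one. The struct, field and function names are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of an XDR memory stream (names are assumptions):
 * x_private is the current read position, x_handy the bytes remaining.
 * x_handy is a signed int, mirroring the mismatch the note describes. */
typedef struct {
    const unsigned char *x_private;
    int x_handy;
} xdrmem_t;

/* Flawed check, modelled on the defect: the caller's unsigned length is
 * subtracted from the signed counter. For a huge len the subtraction
 * wraps modulo 2^32, the result converts back to a small positive int,
 * and the ">= 0" test accepts a length far larger than the buffer. */
bool flawed_check(xdrmem_t *x, unsigned int len)
{
    return (x->x_handy -= len) >= 0;
}

/* Hardened check: compare in the unsigned domain before touching the
 * counter, and refuse any length that exceeds the bytes remaining. */
bool fixed_check(xdrmem_t *x, unsigned int len)
{
    if (x->x_handy < 0 || len > (unsigned int)x->x_handy)
        return false;
    x->x_handy -= (int)len;
    return true;
}

/* getbytes built on the hardened check: the memcpy length can never
 * exceed what the stream actually holds. */
bool xdrmem_getbytes_fixed(xdrmem_t *x, unsigned char *dst, unsigned int len)
{
    if (!fixed_check(x, len))
        return false;
    memcpy(dst, x->x_private, len);
    x->x_private += len;
    return true;
}
```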

Researchers at eEye Digital Security discovered this vulnerability and have also published an advisory. This vulnerability is similar to, but distinct from, VU#192995.

Impact

Because Sun RPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. Furthermore, because RPC services often run as root on affected systems, this vulnerability may be leveraged to gain remote root access on vulnerable systems.

Solution

Apply a patch from the vendor

Several vendors of relevant or derived implementations have released patches to address this vulnerability; please see the vendor section of this document for further details.

Workarounds

Disable access to vulnerable services or applications

Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdrmem_*() functions. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

Systems Affected

Vendor                           Status    Date Notified  Date Updated
Compaq Computer Corporation      Affected  11 Dec 2002    18 Apr 2003
Conectiva                        Affected  11 Dec 2002    09 May 2003
Debian                           Affected  11 Dec 2002    09 Apr 2003
FreeBSD                          Affected  11 Dec 2002    20 Mar 2003
Gentoo Linux                     Affected  -              31 Mar 2003
GNU glibc                        Affected  11 Dec 2002    21 Feb 2003
Guardian Digital Inc.            Affected  11 Dec 2002    21 Mar 2003
Hewlett-Packard Company          Affected  11 Dec 2002    11 Feb 2004
IBM                              Affected  11 Dec 2002    18 Mar 2003
MandrakeSoft                     Affected  11 Dec 2002    01 Apr 2003
MIT Kerberos Development Team    Affected  11 Dec 2002    20 Mar 2003
NetBSD                           Affected  11 Dec 2002    26 Mar 2003
Nortel Networks                  Affected  11 Dec 2002    09 Apr 2003
Red Hat Inc.                     Affected  11 Dec 2002    02 Apr 2003
SGI                              Affected  11 Dec 2002    09 Apr 2003

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Riley Hassell of eEye Digital Security for reporting this vulnerability.

This document was written by Chad R Dougherty and Jeffrey S Havrilla.

Other Information

  • CVE IDs: CAN-2003-0028
  • CERT Advisory: CA-2003-10
  • Date Public: 18 Mar 2003
  • Date First Published: 19 Mar 2003
  • Date Last Updated: 11 Feb 2004
  • Severity Metric: 12.02
  • Document Revision: 33