Vulnerability Note VU#161931
Sun Solaris cachefsd vulnerable to stack overflow in fscache_setup() function
Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. An exploitable stack overflow exists in cachefsd that could permit a local attacker to execute arbitrary code with the privileges of the cachefsd process, typically root.
After creating a local file on the system, an attacker can exploit a stack overflow in cachefsd to execute arbitrary code with the privileges of the cachefsd process, typically root. Sun Microsystems has released a Sun Alert Notification that addresses this issue as well as the issue described in VU#635811.
The Australian Computer Emergency Response Team has also issued an advisory related to incident activity exploiting cachefsd:
The eSecurityOnline team has also published a report on this vulnerability:
This issue is also being referenced as CAN-2002-0084:
An attacker can execute code with the privileges of the cachefsd process, typically root.
The CERT/CC is currently unaware of patches for this problem.
According to the Sun Alert Notification a workaround is as follows:
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Sun | Affected | - | 09 May 2002 |
| Cray | Not Affected | - | 13 May 2002 |
Our thanks to AusCERT, eSecurityOnline, and the Sun Security Coordination Team, as well as Mark Dowd and Stephen James of IT Audit & Consulting for their analysis and reports about this vulnerability.
This document was written by Jason Rafail.
- CVE IDs: CAN-2002-0084
- Date Public: 30 Apr 2002
- Date First Published: 09 May 2002
- Date Last Updated: 13 May 2002
- Severity Metric: 22.84
- Document Revision: 12