Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted using the NFS protocol. An exploitable stack overflow exists in cachefsd that could permit a local attacker to execute arbitrary code with the privileges of the cachefsd process, typically root.
After creating a local file on the system, an attacker can exploit a stack overflow in cachefsd to execute arbitrary code with the privileges of the cachefsd process, typically root. Sun Microsystems has released a Sun Alert Notification that addresses this issue as well as the issue described in VU#635811.
The Australian Computer Emergency Response Team has also issued an advisory related to incident activity exploiting cachefsd:
The eSecurityOnline team has also published a report on this vulnerability:
This issue is also being referenced as CAN-2002-0084:
An attacker can execute code with the privileges of the cachefsd process, typically root.
The CERT/CC is currently unaware of patches for this problem.
According to the Sun Alert Notification, a workaround is as follows:
Our thanks to AusCERT, eSecurityOnline, and the Sun Security Coordination Team, as well as Mark Dowd and Stephen James of IT Audit & Consulting for their analysis and reports about this vulnerability.
This document was written by Jason Rafail.
Date First Published: 2002-05-09
Date Last Updated: 2002-05-13 20:34 UTC