There is an integer overflow in the xdr_array() function of the XDR library distributed by Sun Microsystems. The overflow has been shown to cause remotely exploitable buffer overflows in multiple applications, allowing the execution of arbitrary code. Although Sun Microsystems originally distributed the library, multiple vendors have incorporated the vulnerable code into their own implementations.
The XDR (external data representation) libraries provide platform-independent methods for sending data from one process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations so that application programmers can interact with many different types of systems through a common interface. When decoding a variable-length array, the xdr_array() function in Sun's XDR library multiplies an attacker-supplied element count by the element size to determine how much memory to allocate. Because that product is computed in 32-bit unsigned arithmetic, a sufficiently large count wraps the result and yields an undersized dynamic memory allocation; the decoder then stores the full number of elements into that buffer. Whether this leads to a buffer overflow, and what an attacker can do with it, depends on how and where the vulnerable xdr_array() function is used.
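The following is an added example, not code from Sun's library or from any vendor's patch: a simplified reconstruction of the size computation described above, showing the vulnerable check beside a hardened one. The helper names, the element size of 4 bytes and the constructed XDR count are this example's own assumptions; a real xdr_array() call decodes the count from the wire and passes the allocation size to the library's allocator.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example (not Sun's code): a simplified reconstruction of the size
 * computation xdr_array() performs when decoding a variable-length array.
 * All helper names below are this example's own.
 *
 * XDR encodes an array as a 4-byte big-endian unsigned element count
 * followed by the elements. The decoder multiplies that count by the
 * per-element size (elsize) to size the heap allocation, then stores
 * count elements into it.
 */

typedef int bool_t;
#define TRUE  1
#define FALSE 0

/* Read one XDR unsigned int (4 bytes, network byte order). */
uint32_t xdr_get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Vulnerable form: only the count itself is bounded (c <= maxsize); the
 * product c * elsize is computed in 32-bit unsigned arithmetic and wraps.
 * Returns TRUE if the count would be accepted and writes the size that
 * would be handed to the allocator into *nodesize.
 */
bool_t xdr_array_size_vulnerable(uint32_t c, uint32_t maxsize,
                                 uint32_t elsize, uint32_t *nodesize)
{
    if (c > maxsize)
        return FALSE;
    *nodesize = c * elsize;          /* wraps for large c */
    return TRUE;
}

/*
 * Hardened form: additionally reject any count for which c * elsize does
 * not fit in 32 bits, so the allocation can never be smaller than the
 * data the decode loop will write.
 */
bool_t xdr_array_size_checked(uint32_t c, uint32_t maxsize,
                              uint32_t elsize, uint32_t *nodesize)
{
    if (elsize == 0)
        return FALSE;
    if (c > maxsize || c > UINT32_MAX / elsize)
        return FALSE;
    *nodesize = c * elsize;
    return TRUE;
}

/* Bytes the decode loop would actually store: count * elsize, unwrapped. */
uint64_t xdr_array_bytes_written(uint32_t c, uint32_t elsize)
{
    return (uint64_t)c * (uint64_t)elsize;
}

/* Constructed XDR array header: element count 0x40000001 (1073741825). */
const unsigned char hostile_count[4] = { 0x40, 0x00, 0x00, 0x01 };

int main(void)
{
    uint32_t elsize  = 4;            /* assumption: an array of XDR u_int */
    uint32_t maxsize = UINT32_MAX;   /* assumption: caller passes ~0 */
    uint32_t c = xdr_get_u32(hostile_count);
    uint32_t nodesize = 0;

    if (xdr_array_size_vulnerable(c, maxsize, elsize, &nodesize))
        printf("vulnerable check: count %u accepted, allocates %u bytes, "
               "decode loop writes %llu bytes\n",
               c, nodesize,
               (unsigned long long)xdr_array_bytes_written(c, elsize));

    if (!xdr_array_size_checked(c, maxsize, elsize, &nodesize))
        printf("hardened check: count %u rejected\n", c);
    return 0;
}
```

With the constructed count, the vulnerable computation accepts 1073741825 elements and allocates only 4 bytes (0x40000001 * 4 wraps to 4), while the decode loop would go on to write over 4 GB of attacker-controlled data into that heap buffer. The hardened check rejects any count larger than UINT32_MAX / elsize before the multiplication, which is the essence of what vendor patches for this defect have to do.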
Because SunRPC-derived XDR libraries are used by many vendors in many applications, this single defect can surface as a range of distinct security problems. Depending on the application, exploiting this vulnerability may lead to denial of service, execution of arbitrary code with the privileges of the vulnerable process, or disclosure of sensitive information.
Apply a patch from your vendor
Because the vulnerable code has been copied into many libraries and applications, a single patch will rarely fix every instance on a system. Identify each affected library and application, apply each vendor's patch in turn, and restart or relink the affected services as the vendor directs; repeat the process as further patches become available.
Disable access to vulnerable services or applications
Until patches can be applied, restrict access to services and applications built on the vulnerable library. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.
Apple Computer, Inc. Affected
Debian Linux Affected
FreeBSD, Inc. Affected
GNU glibc Affected
Hewlett-Packard Company Affected
IBM Corporation Affected
MIT Kerberos Development Team Affected
Microsoft Corporation Affected
Openwall GNU/*/Linux Affected
Red Hat, Inc. Affected
Sun Microsystems, Inc. Affected
Xerox Corporation Affected
Juniper Networks, Inc. Not Affected
KTH Kerberos Not Affected
Network Appliance Not Affected
e-Security Inc. Not Affected
Cisco Systems, Inc. Unknown
Computer Associates Unknown
Cray Inc. Unknown
Data General Unknown
F5 Networks, Inc. Unknown
Guardian Digital Inc. Unknown
Lucent Technologies Unknown
Mandriva, Inc. Unknown
NEC Corporation Unknown
Nortel Networks, Inc. Unknown
SUSE Linux Unknown
Sequent Computer Systems, Inc. Unknown
Sony Corporation Unknown
The Open Group Unknown
The SCO Group (SCO Linux) Unknown
The SCO Group (SCO Unix) Unknown
Unisphere Networks Unknown
Wind River Systems, Inc. Unknown
Xi Graphics Unknown
Thanks to Sun Microsystems for working with the CERT/CC to make this document possible. The initial vulnerability research and demonstration was performed by Internet Security Systems (ISS).
This document was written by Jeffrey S. Havrilla.