The CERT/CC has begun receiving reports of an input validation vulnerability in the rpc.statd program being exploited. This program is included, and often installed by default, in several popular Linux distributions. Please see the vendors section of this document for specific information regarding affected distributions.
More information about this vulnerability is available at the following public URLs:
The rpc.statd program passes user-supplied data to the syslog() function as a format string. If there is no input validation of this string, a malicious user can inject machine code to be executed with the privileges of the rpc.statd process, typically root.
By exploiting this vulnerability, local or remote users may be able to execute arbitrary code with the privileges of the rpc.statd process, typically root.
Compaq Computer Corporation
This document was written by John Shaffer and Brian King.