Notified: July 30, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: September 20, 2002
Affected
The vulnerability described in this note is fixed with Security Updates 2002-08-02 and 2002-08-23.
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE----- Security Update 2002-08-23 is now available. This applies the fixes already available in Security Update 2002-08-02 to the Mac OS X 10.2 (Jaguar) release. Security Update 2002-08-02 was designed for the Mac OS X 10.1.5 release. It contains fixes for recent vulnerabilities in: OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657, CAN-2002-0655, and CAN-2002-0659. Details are available via: http://www.cert.org/advisories/CA-2002-23.html mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the mod_ssl Apache module. Details are available via: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653 Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder. Details are available via: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823 Affected systems: Mac OS X client and Mac OS X Server Note: Mac OS X client is configured by default to have these services turned off, and is only vulnerable if the user has enabled network services which rely on the affected components. It is still recommended for Mac OS X client users to apply this security update to their system. System requirements: Mac OS X 10.2 (Jaguar) Security Update 2002-08-23 may be obtained from: * Software Update pane in System Preferences * Apple's Software Downloads web site: http://www.info.apple.com/kbnum/n120142 To help verify the integrity of Security Update 2002-08-23 from the Software Downloads web site: The download file is titled: SecurityUpd2002-08-23.dmg Its SHA-1 digest is: fccb3adb478f90650f4484534a79a80bba5f94f3 Information will also be posted to the Apple Product Security web site: http://www.apple.com/support/security/security_updates.html This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/security_pgp.html -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.3 iQEVAwUBPWad3SFlYNdE6F9oAQHuIQf9GdW2n/r7di2U8c4jQU+3JvRtU+HG7Lsl jlKRVNGyaMvUAurxbYB/yHfHcYDtsj26bupzLUpLXbIt54uZxyXo6UTExzpwreaT r+UJm7+q9kG6lcAmrcz2WNzlnD6icXKKuyf/hR8NUo3yBP7MoR6QGjvFqodvTOHR J2YXH8AEPAmWFf511AzbG1yYvlDhocZ+/gBFTlaB3nYt11Edz2yRE4qeumQYEIyf gLFxzp1BVFNDJck66WjPWgHqDuq9QWPBzHl1qhd09ctD84w+Hda972dqxRn08Jo7 jTGs2zmUpyPxLxCHEd5uzRNuMquIoddW2Nsg8LeJNHqRDlklVSJTUA== =CJ2Y -----END PGP SIGNATURE----- ---- Original Message ---- From: Product Security Date: Fri 8/2/02 20:02 To: security-announce@lists.apple.com Subject: Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl -----BEGIN PGP SIGNED MESSAGE----- Security Update 2002-08-02 is now available. It contains fixes for recent vulnerabilities in: OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657, CAN-2002-0655, and CAN-2002-0659. Details are available via: http://www.cert.org/advisories/CA-2002-23.html mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the mod_ssl Apache module. Details are available via: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653 Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder. Details are available via: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823 Affected systems: Mac OS X client and Mac OS X Server Note: Mac OS X client is configured by default to have these services turned off, and is only vulnerable if the user has enabled network services which rely on the affected components. It is still recommended for Mac OS X client users to apply this security update to their system. System requirements: Mac OS X 10.1.5 Security Update 2002-08-02 may be obtained from: * Software Update pane in System Preferences * Apple's Software Downloads web site: http://docs.info.apple.com/article.html?artnum=120139 SSL server: https://depot.info.apple.com/security/129403bc5e184e3b7367.html To help verify the integrity of Security Update 2002-08-02 from the Software Downloads web site: The download file is titled: SecurityUpd2002-08-02.dmg Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367 Information will also be posted to the Apple Product Security web site: http://www.apple.com/support/security/security_updates.html This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/security_pgp.html -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.3 iQEVAwUBPUsLOiFlYNdE6F9oAQGAigf+JV+lazuko1g4oZSNFTd2puXCtOGQ0M8c 2cZ/BdaEBA8jLGrPkhWuvmMwpN9z6G9chnN8s9EXiavcBG5e/ejtTo3ZHoOGP7bg 789zLQLK2JTB75nc0fNyx2CdfHlEIM00v8c2jXySLlnqF+kzwqVnjUL7i2O97Fk5 tWXLc2dWK2Nf2SUk0/yLgfjceZKEPCPXTpuKYuah/w9NwzL+LsbPcfXA/H1f4ngc vRPc2sn2HYu9IJw/BrMEsDlS8IWHf6ozXdZ9qaVCVRrZlsd9gSSmB2Jba4be/MRX FauTTepMF9+JfCkx+2wtpwWhBcXoJnjwIZXOXwbbRjqXHmzzgu8D/Q== =fdGO -----END PGP SIGNATURE----- security-announce mailing list | security-announce@lists.apple.com Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security- announce Do not post admin requests to the list. They will be ignored.
Notified: July 30, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 01, 2002
Unknown
Cray Inc. is still investigating this issue. Concerned customers can refer to Cray SPR 722876 for details.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 06, 2002
Affected
The Debian GNU/Linux distribution was vulnerable with regard to the the XDR problem as stated above with the following vulnerability matrix: OpenAFS Kerberos5 GNU lib Debian 2.2 (potato) not included not included vulnerable Debian 3.0 (woody) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable Debian unstable (sid) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable However, the following advisories were raised recently which contain and announced fixes: DSA 142-1 OpenAFS (safe version are: 1.2.3final2-6 (woody) and 1.2.6-1 (sid)) DSA 143-1 Kerberos5 (safe version are: 1.2.4-5woody1 (woody) and 1.2.5-2 (sid)) The advisory for the GNU libc is pending, it is currently being recompiled. The fixed versions will probably be: Debian 2.2 (potato) glibc 2.1.3-23 or later Debian 3.0 (woody) glibc 2.2.5-11.1 or later Debian unstable (sid) glibc 2.2.5-12 or later
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 06, 2002
Not Affected
Not Vulnerable
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 01, 2002
Affected
Please see ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc
The vendor has not provided us with any further information regarding this vulnerability.
Note this is a REVISED advisory pointing to patches correct on 07/31/2002.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 31, 2002 Updated: August 06, 2002
Affected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Version 2.2.5 and earlier versions of the GNU C Library are
vulnerable. For Version 2.2.5, we suggest the following patch. This patch is also available from the GNU C Library CVS repository at: http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc 2002-08-02 Jakub Jelinek
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 01, 2002
Affected
SOURCE: Hewlett-Packard Company RE: Potential RPC XDR buffer overflow At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released perating System software products. As further information becomes available HP will provide notice f the availability of any necessary patches through>standard security bulletin announcements and be vailable from your normal HP Services support channel.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: September 03, 2002
Affected
IBM is vulnerable to the above XDR Library issues in both the 4.3 and 5.1 releases of AIX. A temporary patch is currently available through an efix pacakge. Efixes are available from ftp.software.ibm.com/aix/efixes/security See the README file in this directory for additional information on the efixes. The following APARs will be available in the near future: [
] AIX 4.3.3: APAR #IY34194 ( available approx 10/1/2002 ) AIX 5.1.0: APAR #IY34158 ( available approx 10/16/2002 ) []
The vendor has not provided us with any further information regarding this vulnerability.
Previously on 08/06/2002 IBM stated: [
] IBM has analyzed AIX with regard to the XDR vulnerability and found that the 4.3.3 and 5.1.0 releases are exposed. We are currently working on an efix package for this issue which will be available shortly. We will update this statement when more information once the efixes are available. []
Notified: July 30, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: August 01, 2002
Not Affected
The Juniper Networks SDX-300 Service Deployment System (SSC) does use XDR for communication with an ERX edge router, but does not make use of the Sun RPC libraries. The SDX-300 product is not vulnerable to the Sun RPC XDR buffer overflow as outlined in this CERT advisory.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: August 02, 2002 Updated: August 05, 2002
Not Affected
kth-krb and heimdal are not vulnerable to this problem since they do not use any Sun RPC at all.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: October 03, 2002
Affected
Microsoft is currently conducting an investigation based on this report. We will update this advisory with information once it is complete.
The vendor has not provided us with any further information regarding this vulnerability.
Please see http://www.microsoft.com/technet/security/bulletin/ms02-057.asp Statement date: 10/2/2002 6:13:15 PM -----BEGIN PGP SIGNED MESSAGE----- Title: Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution (Q329209) Released: 02 October 2002 Software: Services for Unix 3.0 Interix SDK Impact: Buffer overrun and denial of service Max Risk: Moderate Bulletin: MS02-057 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-057.asp. Issue: All three vulnerabilities discussed in this bulletin involve the inclusion of the Sun [TM] Microsystems RPC library in Microsoft's Services for UNIX (SFU) 3.0 on the Interix SDK. Developers who created applications or utilities using the Sun RPC library from the Interix SDK need to evaluate three vulnerabilities. Windows Services for UNIX (SFU) 3.0 provides a full range of cross- platform services to integrate Windows into existing UNIX environ- ments. In version 3.0, the Interix subsystem technology is built in so that Windows Services for UNIX 3.0 can provide platform inter- operability and application migration in one fully integrated and supported product from Microsoft. Developers who have integrated Windows into their existing UNIX environments may have used the Interix SDK to develop custom applications and utilities so that applications that only ran on the UNIX platform can now run in a Windows environment. Developers who used the Interix SDK to develop applications or utilities should read this bulletin. The first vulnerability is an integer overflow in the XDR library that ships with the Sun RPC library on the Interix SDK for Microsoft's Services for Unix (SFU) 3.0. An attacker could send a malicious RPC request to the RPC server from a remote machine and cause corruption in the server program. This can cause the server to fail and potentially allow the attacker to run code of his or her choice in the context of the server program. The second vulnerability is a buffer overrun. An attacker could send a malicious RPC request to the RPC server with an improper parameter size check. This could lead to a buffer overrun, causing the server to fail and preventing it from servicing any further requests from clients. The third vulnerability is an RPC implementation error. An app- Lication using the Sun RPC library does not properly check the size of client TCP requests. This could result in a denial of service to a server application using the Sun RPC library. The RPC library expects client TCP requests to specify the size of the record that follows. Because there is a flaw in the way RPC detects client packets, an attacker could send a malformed RPC request to the RPC server from a remote machine and cause the server to fail by not servicing any further client requests. After applying the patch, it is necessary to recompile any Interix application that is statically linked with the Interix SDK Sun RPC library. Mitigating Factors: * Only applications or utilities that were created using the Interix SDK and specifically that use the Sun RPC library, would be affected by these vulnerabilities. * If an administrator or developer has only installed the Interix SDK but has not actually created applications with the SDK that use the Sun RPC library, the systems where the SDK was installed would not be vulnerable. Risk Rating: - Internet systems: Moderate - Intranet systems: Moderate - Client systems: Moderate Patch Availability: - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-057.asp for information on obtaining this patch. THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPZtve40ZSRQxA/UrAQHdXgf/ejvlfeHIg3/qqRNVr05cITb88aElEzmS 54vEwb1h9YXhMzMBwm4nXyFLcG97wxJdWSUFkqKx8gzQtlJazOzCFHCKKCC1wU3Y teNZJY0D/xEgkRTaYeeEIqNqTq6646M4dHmhFlyfLPLz5Ak50lpeGAk3ZyMPnfl8 uhypyBCy+1CmuxQE3RNMHw2Orz5jIwKWVYRjhfgQH11U537rCCW2cePadxYoDVpz VyR1iHTDo5bvZa7101qMb06rftijbAKRF4049USw14dd6v/0FxxmjfXu2w9ECL1U zwvrt8MaOWRPw/vt+kbF7kRFIDSUVuTN4xlf2kSC+zIOKdluvelhgw== =Y+ML -----END PGP SIGNATURE-----
Notified: August 02, 2002 Updated: August 02, 2002
Affected
Please see http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt The patch is available directly: http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt The following detached PGP signature should be used to verify the authenticity and integrity of the patch: http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE----- MIT krb5 Security Advisory 2002-001 2002-08-02 Topic: Remote root vulnerability in MIT krb5 admin system Severity: Remote user may be able to gain root access to a KDC host. SUMMARY There is an integer overflow bug in the SUNRPC-derived RPC library used by the Kerberos 5 administration system that could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful. No exploits are known to exist yet. IMPACT A remote attacker can potentially execute arbitrary code on the KDC with the privileges of the user running the kadmin daemon (usually root). This can lead to compromise of the Kerberos database. AFFECTED SOFTWARE All releases of MIT Kerberos 5, up to and including krb5-1.2.5. FIXES Apply the following patch to src/lib/rpc/xdr_array.c: Index: xdr_array.c RCS file: /cvs/krbdev/krb5/src/lib/rpc/xdr_array.c,v retrieving revision 1.5 diff -c -r1.5 xdr_array.c *** xdr_array.c 1998/02/14 02:27:23 1.5 - --- xdr_array.c 2002/08/02 17:25:05 *** 75,81 **** return (FALSE); c = *sizep; ! if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) { return (FALSE); nodesize = c * elsize; - --- 75,82 ---- return (FALSE); c = *sizep; ! if ((c > maxsize || c > LASTUNSIGNED / elsize) ! && (xdrs->x_op != XDR_FREE)) { return (FALSE); nodesize = c * elsize; and rebuild your tree. The patch was generated against krb5-1.2.5; patches to other releases may apply with some offset. This patch may also be found at: http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt The associated detached PGP signature is at: http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc This announcement and code patches related to it may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/www/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/www/index.html ACKNOWLEDGMENTS Thanks to ISS for discovery of the vulnerability. Thanks to Jeffrey Hutzelman for assistance in discovering the particulars of this bug. DETAILS The xdr_array() decoder computes the value of the NODESIZE variable in a way that can lead to integer overflow. An attacker can construct an XDR encoding that will take advantage of this integer overflow in order to overflow the allocated heap buffer, depending on the specifics of the caller of the xdr_array() function. The uses of xdr_array() in the kadm5 library, which implements the Kerberos 5 adminstration protocol, are unsafe in an environment where this bug exists. A remote user may be able to use the buffer overflow to execute arbitrary code on the KDC host, possibly leading to unauthorized root access. It is believed that the remote user must first successfully authenticate to the kadmin daemon in order to exercise this vulnerability, though the user may not need to posess any special privileges. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (SunOS) iQCVAwUBPUrNEqbDgE/zdoE9AQHSPgQAlGS7HO8TZ1BHwek+niF5hA7exEt9Z8IA fvxGpqirHciJQTfmBUiJhXhCTqosFgftQzt9KyvXmfMS3InZxAEmB7ahkevuBYkO FvfWyA3Ew8J3bGhBJis1xTMFebb1N0crDH3rRjUGZApQ7uJNZ+9nQo41+P0+z3uD yqpAbP9HTnw= =MqNV -----END PGP SIGNATURE-----
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: September 20, 2002
Affected
Please see ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-011 Topic: Sun RPC XDR decoder contains buffer overflow Version: NetBSD-current: source prior to August 1, 2002 NetBSD-1.6 beta: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: affected severity: Possible remote root compromise if RPC services are enabled Fixed: NetBSD-current: August 1, 2002 NetBSD-1.6 branch: August 2, 2002 (1.6 includes the fix) NetBSD-1.5 branch: August 1, 2002 NetBSD-1.4 branch: not yet Abstract Integer overflows exist in the RPC code in libc. These cause a buffer to be mistakenly allocated too small, and then overflown. The Automounter amd(8) and its query tool amq(8), and the rusers(1) client binary use the flawed code in a way which could be exploitable. Other uses of the RPC functions have been examined and are believed to not be exploitable. No RPC-based services are enabled by default. Technical Details Sun RPC is a remote procedure call framework which allows clients to invoke procedures in a server process over a network somewhat transparently. XDR is a mechanism for encoding data structures for use with RPC. NFS, NIS, and many other network services are built upon Sun RPC. The NetBSD C runtime library (libc) contains an XDR encoder/decoder derived from Sun's RPC implementation. Any application using Sun RPC may be vulnerable to a heap buffer overflow. Depending upon the application, this vulnerability may be exploitable and lead to arbitrary code execution. An error in the calculation of memory needed for unpacking arrays in the XDR decoder can result in a heap buffer overflow. Though no exploits are known to exist currently, RPC-based services often run as the superuser, and the vulnerability in amd(8) could be exploitable. Again, no RPC-based services are enabled by default. Solutions and Workarounds The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade to NetBSD 1.6 is the recommended resolution for all users able to do so. Many security-related improvements have been made, and indeed this release has been delayed several times in order to include fixes for a number of recent issues. If you do not run any of the affected RPC services (amd/amq/rusers) your system is not affected. However, we suggest you upgrade your system to avoid running vulnerable RPC code by mistake. The following instructions describe how to upgrade your libc (which includes RPC code) by updating your source tree and rebuilding and installing a new version of libc. Note that if you have any statically-linked binaries that uses RPC, you need to recompile them. * NetBSD-current: Systems running NetBSD-current dated from before 2002-08-01 should be upgraded to NetBSD-current dated 2002-08-01 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): lib/libc/rpc To update from CVS, re-build, and re-install libc: # cd src # cvs update -d -P lib/libc/rpc # cd lib/libc # make cleandir dependall # make install * NetBSD 1.6 beta: Systems running NetBSD 1.6 BETAs and Release Candidates should be upgraded to the NetBSD 1.6 release. If a source-based point upgrade is required, sources from the NetBSD 1.6 branch dated 2002-08-02 or later should be used. The following directories need to be updated from the netbsd-1-6 CVS branch: lib/libc/rpc To update from CVS, re-build, and re-install libc: # cd src # cvs update -d -P -r netbsd-1-6 lib/libc/rpc # cd lib/libc # make cleandir dependall # make install * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD-1.5 branch dated from before 2002-08-02 should be upgraded to NetBSD-1.5 branch dated 2002-08-02 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: lib/libc/rpc To update from CVS, re-build, and re-install libc: # cd src # cvs update -d -P -r netbsd-1-5 lib/libc/rpc # cd lib/libc # make cleandir dependall # make install * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3: The advisory will be updated to include instructions to remedy this problem for systems running the NetBSD-1.4 branch. Thanks To CERT for notification. Charles Hannum for scope analysis and commentary. FreeBSD security-officers. Parts of the advisory text are based on the FreeBSD advisory. The NetBSD Release Engineering teams, for great patience and assistance in dealing with repeated security issues discovered recently. Revision History 2002-08-01 Initial release 2002-08-02 1.5/1.6 branch info 2002-09-16 Re-release with updated information More Information An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-011.txt,v 1.13 2002/09/16 05:17:55 dan Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBPYVqKj5Ru2/4N2IFAQGEYAP+K1lgLUVy/CrmvtRikjSv5UKYY4pAWAca fKwDpVlp/5q3kSc/b5NY7bgi7gUPVvbaW1v/PgfRIA47PBtAt7juvsnEDIO6IJ8M 9rDwfrikYdShm0R5ejxyIfu1CwjD9gWOvJ2xYGQ7XW67tLPG3udwa1B1UhWeQTnK 9OhEncw7mcw= =YcPw -----END PGP SIGNATURE-----
Notified: July 30, 2002 Updated: August 02, 2002
Not Affected
NetApp systems are not vulnerable to this problem.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 05, 2002
Affected
Please see http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE----- OpenAFS Security Advisory 2002-001 Topic: Remote root vulnerability in OpenAFS servers Issued: 03-Aug-2002 Last Update: 03-Aug-2002 Severity: High Affected: OpenAFS 1.0 - 1.2.5, OpenAFS 1.3.0 - 1.3.2 A remote user may be able to gain root access to an OpenAFS database server or fileserver host. In addition, certain administrative clients may be attacked if they make requests to a rogue server. SUMMARY There is an integer overflow bug in the SUNRPC-derived RPC library used by OpenAFS that could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes. In addition, it is possible for a rogue server to attack certain administrative clients (vos, pts, backup, butc, rxstat), but only if certain RPC requests are made to the rogue server. The OpenAFS fileserver and cache manager (client) are not vulnerable to these attacks. No exploits are presently known to be available for this vulnerability. IMPACT A remote attacker can potentially execute arbitrary code on an OpenAFS server host with the privileges of the user running the OpenAFS server processes (usually root). This can lead to compromise of the OpenAFS administrative databases, data stored on a compromised server, or possible root access on a server host. Once a server host has been compromised, the attacker is able to obtain access to any other OpenAFS servers in the same cell. AFFECTED SOFTWARE All releases of OpenAFS 1.0.x and 1.1.x. All releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.5. All releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2. FIXES The OpenAFS project recommends that all users upgrade to OpenAFS 1.2.6 or newer. The latest stable OpenAFS release is always available from http://www.openafs.org/release/latest.html. No update is presently available for the OpenAFS-unstable series. For those who are unable to upgrade, apply the following patch to correct the XDR vulnerability, and rebuild your tree. RCS file: /cvs/openafs/src/rx/Makefile.in,v retrieving revision 1.4.2.1 retrieving revision 1.4.2.2 diff -u -r1.4.2.1 -r1.4.2.2 - --- openafs/src/rx/Makefile.in 2002/01/20 08:38:38 1.4.2.1 +++ openafs/src/rx/Makefile.in 2002/08/02 02:45:14 1.4.2.2 @@ -38,7 +38,7 @@ # Generic xdr objects (or, at least, xdr stuff that's not newly defined for rx). # Really the xdr stuff should be in its own directory. - -XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o +XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \ rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o rx_trace.o rx_conncache.o \ RCS file: /cvs/openafs/src/rx/xdr.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 - --- openafs/src/rx/xdr.c 2002/06/08 04:43:38 1.4 +++ openafs/src/rx/xdr.c 2002/07/31 23:13:09 1.5 @@ -558,6 +558,8 @@ u_int size; u_int nodesize; + if (maxsize > ((~0) >> 1) - 1) maxsize = ((~0) >> 1) - 1; * first deal with the length since xdr strings are counted-strings RCS file: /cvs/openafs/src/rx/xdr_array.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 - --- openafs/src/rx/xdr_array.c 2001/08/08 00:03:57 1.4 +++ openafs/src/rx/xdr_array.c 2002/07/31 23:13:09 1.5 @@ -84,7 +84,10 @@ register caddr_t target = *addrp; register u_int c; /* the actual element count */ register bool_t stat = TRUE; - - register int nodesize; + register u_int nodesize; + i = ((~0) >> 1) / elsize; + if (maxsize > i) maxsize = i; /* like strings, arrays are really counted arrays */ if (! xdr_u_int(xdrs, sizep)) { RCS file: /cvs/openafs/src/rx/xdr_arrayn.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 - --- openafs/src/rx/xdr_arrayn.c 2001/08/08 00:03:57 1.4 +++ openafs/src/rx/xdr_arrayn.c 2002/07/31 23:13:09 1.5 @@ -89,7 +89,10 @@ register caddr_t target = *addrp; register u_int c; /* the actual element count */ register bool_t stat = TRUE; - - register int nodesize; + register u_int nodesize; + i = ((~0) >> 1) / elsize; + if (maxsize > i) maxsize = i; /* like strings, arrays are really counted arrays */ if (! xdr_u_int(xdrs, sizep)) { This patch may also be found at: http://www.openafs.org/security/xdr-updates-20020731.delta The associated detached PGP signature is at http://www.openafs.org/security/xdr-updates-20020731.delta.asc It was generated against OpenAFS 1.2.5, but should apply to earlier releases, possibly with some offset. This announcement and code patches related to it may be found on the OpenAFS security advisory page at: http://www.openafs.org/security/ The main OpenAFS web page is at: http://www.openafs.org/ ACKNOWLEDGMENTS Thanks to ISS for discovery of the vulnerability. Thanks to Nickolai Zeldovich for assistance in discovering the particulars of this bug and developing a fix. Thanks also to Tom Yu and the MIT Kerberos Development Team for their advisory MITKRB5-SA-2002-001, the form and much of the text of which was shamelessly stolen to produce this alert. DETAIL The xdr_array() decoder computes the value of the NODESIZE variable in a way that can lead to integer overflow. An attacker can construct an XDR encoding that will take advantage of this integer overflow in order to overflow the allocated heap buffer, depending on the specifics of the caller of the xdr_array() function. Several uses of xdr_array() in various AFS protocols are unsafe in an environment where this bug exists. In particular, any use of a counted array with unbounded size (represented in the Rx protocol description with an empty pair of angle brackets '<>') is unsafe. Such uses appear in input arguments to procedures in the PTS, VLDB, volserver, and backup database protocols, and output arguments from procedures in all of these protocols and in the Rx statistics interface implemented by most OpenAFS servers. A remote user may be able to use the buffer overflow to execute arbitrary code on the server under attack, possibly leading to unauthorized root access. Similarly a rogue server may be able to use the buffer overflow to attack a client which makes one of the RPC's with unsafe output arguments. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQBVAwUBPUxo8bD+655x7JNnAQGOYAH/ZzSzw5FyLI8YTmgJH4qSO7rKQVpy8F+L aIU3Xy4HngBpYALsOrJLkCI7h966Li00YhyXgsm4UW9NzbCORc80Kw== =iILR -----END PGP SIGNATURE----- OpenAFS-announce mailing list OpenAFS-announce@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-announce
Notified: July 29, 2002 Updated: July 31, 2002
Affected
Please see http://www.openbsd.org/errata.html#xdr
The vendor has not provided us with any further information regarding this vulnerability.
Common patches available here ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/012_xdr.patch
Updated: August 06, 2002
Affected
The xdr_array(3) integer overflow was present in the glibc package on Openwall GNU/*/Linux until 2002/08/01 when it was corrected for Owl-current and documented as a security fix in the system-wide change log available at: http://www.openwall.com/Owl/CHANGES.shtml The same glibc package update also fixes a very similar but different calloc(3) integer overflow possibility that is currently not known to allow for an attack on a particular application, but has been patched as a proactive measure. The Sun RPC xdr_array(3) overflow may allow for passive attacks on mount(8) by malicious or spoofed NFSv3 servers as well as for both passive and active attacks on RPC clients or services that one might install on Owl. (There're no RPC services included with Owl.)
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 05, 2002
Affected
Red Hat distributes affected packages glibc and Kerberos in all Red Hat Linux distributions. We are currently working on producing errata packages, when complete these will be available along with our advisory at the URLs below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool. http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc) http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 19, 2002
Affected
Patches available per SGI Security Advisory 20020801-01-P. -----BEGIN PGP SIGNED MESSAGE----- SGI Security Advisory Title: Sun RPC xdr_array vulnerability
Number: 20020801-01-P
Date: August 16, 2002
Reference: CERT® CA-2002-25
Reference: SGI Security Advisory 20020801-01-A
Reference: CAN-2002-0391 - --- Issue Specifics --- This is a followup to SGI Security Bulletin 20020801-01-A. It's been reported that there is a buffer overflow vulnerability in the Sun
RPC functions supplied with the IRIX 6.5 operating system. The portmapper, NFS and NIS RPC services do NOT use the relevant RPC XDR
functions in libc in a manner that makes them vulnerable. But other RPC
services from IRIX, third-parties, freeware, etc. might use XDR functions. See http://www.cert.org/advisories/CA-2002-25.html and
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
for additional details. SGI has investigated the issue and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems. These issues have been corrected in future releases of IRIX and with a
series of patches. - --- Impact --- The vulnerabilities exist within libc, which is installed by default on
IRIX 6.5 systems as part of eoe.sw.base. To determine the version of IRIX you are running, execute the following
command: # uname -R That will return a result similar to the following: # 6.5 6.5.16f The first number ("6.5") is the release name, the second ("6.5.16f" in
this case) is the extended release name. The extended release name is
the "version" we refer to throughout this document. This vulnerability was assigned the following CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391 This vulnerability was assigned the following VU: http://www.kb.cert.org/vuls/id/192995 - --- Temporary Workaround --- There is no effective workaround available for these problems. SGI
recommends either upgrading to a minimum of IRIX 6.5.18, or installing the
appropriate patch from the listing below. - --- Solution --- SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.18 when available, or install the
appropriate patch. OS Version Vulnerable? Patch # Other Actions IRIX 3.x unknown Note 1
IRIX 4.x unknown Note 1
IRIX 5.x unknown Note 1
IRIX 6.0.x unknown Note 1
IRIX 6.1 unknown Note 1
IRIX 6.2 unknown Note 1
IRIX 6.3 unknown Note 1
IRIX 6.4 unknown Note 1
IRIX 6.5 yes Notes 2 & 3
IRIX 6.5.1 yes Notes 2 & 3
IRIX 6.5.2 yes Notes 2 & 3
IRIX 6.5.3 yes Notes 2 & 3
IRIX 6.5.4 yes Notes 2 & 3
IRIX 6.5.5 yes Notes 2 & 3
IRIX 6.5.6 yes Notes 2 & 3
IRIX 6.5.7 yes Notes 2 & 3
IRIX 6.5.8 yes Notes 2 & 3
IRIX 6.5.9 yes Notes 2 & 3
IRIX 6.5.10 yes Notes 2 & 3
IRIX 6.5.11 yes Notes 2 & 3
IRIX 6.5.12 yes Notes 2 & 3
IRIX 6.5.13m yes 4740 Note 2
IRIX 6.5.13f yes 4739 Note 2
IRIX 6.5.14m yes 4742 Note 2
IRIX 6.5.14f yes 4741 Note 2
IRIX 6.5.15m yes 4744 Note 2
IRIX 6.5.15f yes 4743 Note 2
IRIX 6.5.16m yes 4746 Note 2
IRIX 6.5.16f yes 4745 Note 2
IRIX 6.5.17m yes 4748 Note 2
IRIX 6.5.17f yes 4747 Note 2
IRIX 6.5.18 no NOTES 1) This version of the IRIX operating has been retired. Upgrade to an
actively supported IRIX operating system. See
http://support.sgi.com/irix/news/index.html#policy for more
information. 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/ 3) Upgrade to IRIX 6.5.18m or 6.5.18f. ##### Patch File Checksums #### The actual patch will be a tar file containing the following files: Filename: README.patch.4739
Algorithm #1 (sum -r): 17376 8 README.patch.4739
Algorithm #2 (sum): 52194 8 README.patch.4739
MD5 checksum: FD3C0D821DF71D7F44E43FFF32D0E76A Filename: patchSG0004739
Algorithm #1 (sum -r): 19705 5 patchSG0004739
Algorithm #2 (sum): 34493 5 patchSG0004739
MD5 checksum: 25417784900089D5D08F7C94CF7E8ACF Filename: patchSG0004739.dev_sw
Algorithm #1 (sum -r): 38179 2866 patchSG0004739.dev_sw
Algorithm #2 (sum): 55114 2866 patchSG0004739.dev_sw
MD5 checksum: 50592422C16AC9653884CA6579B0BAE6 Filename: patchSG0004739.eoe_sw
Algorithm #1 (sum -r): 06410 14185 patchSG0004739.eoe_sw
Algorithm #2 (sum): 5223 14185 patchSG0004739.eoe_sw
MD5 checksum: D4E5F744A55173CF1BB1EEE1AFE24ACB Filename: patchSG0004739.eoe_sw64
Algorithm #1 (sum -r): 41610 5436 patchSG0004739.eoe_sw64
Algorithm #2 (sum): 29732 5436 patchSG0004739.eoe_sw64
MD5 checksum: B2EF2038FFD7A4DDBE2B0ED8AD7EB424 Filename: patchSG0004739.idb
Algorithm #1 (sum -r): 38687 7 patchSG0004739.idb
Algorithm #2 (sum): 53498 7 patchSG0004739.idb
MD5 checksum: C546FD1A1866DF5E9D971E2B092A01C8 Filename: README.patch.4740
Algorithm #1 (sum -r): 62983 8 README.patch.4740
Algorithm #2 (sum): 51976 8 README.patch.4740
MD5 checksum: F79EF7FC534A9F788DC5F4DFA8FD38C6 Filename: patchSG0004740
Algorithm #1 (sum -r): 34224 4 patchSG0004740
Algorithm #2 (sum): 49244 4 patchSG0004740
MD5 checksum: 434ED9064D6A46C78F3F9C5F6FE38F3F Filename: patchSG0004740.dev_sw
Algorithm #1 (sum -r): 56972 2818 patchSG0004740.dev_sw
Algorithm #2 (sum): 10979 2818 patchSG0004740.dev_sw
MD5 checksum: 1EFC8359CD1E09A215E628E0ADFF4139 Filename: patchSG0004740.eoe_sw
Algorithm #1 (sum -r): 32948 13964 patchSG0004740.eoe_sw
Algorithm #2 (sum): 48417 13964 patchSG0004740.eoe_sw
MD5 checksum: DE6845D0909AA11ACA7FD11B976A55D0 Filename: patchSG0004740.eoe_sw64
Algorithm #1 (sum -r): 01071 5364 patchSG0004740.eoe_sw64
Algorithm #2 (sum): 33961 5364 patchSG0004740.eoe_sw64
MD5 checksum: EB913551876A45D56F07767131E7F592 Filename: patchSG0004740.idb
Algorithm #1 (sum -r): 41640 7 patchSG0004740.idb
Algorithm #2 (sum): 53351 7 patchSG0004740.idb
MD5 checksum: FE6B18A2AA32639D8D1E2C0659E43A90 Filename: README.patch.4741
Algorithm #1 (sum -r): 46292 9 README.patch.4741
Algorithm #2 (sum): 58428 9 README.patch.4741
MD5 checksum: 5BD40F294334AC167243F86FF9AB0244 Filename: patchSG0004741
Algorithm #1 (sum -r): 35746 4 patchSG0004741
Algorithm #2 (sum): 63296 4 patchSG0004741
MD5 checksum: 3D2AEECD36495798CB6D8A26C1FF821D Filename: patchSG0004741.dev_sw
Algorithm #1 (sum -r): 35551 2861 patchSG0004741.dev_sw
Algorithm #2 (sum): 11028 2861 patchSG0004741.dev_sw
MD5 checksum: 63C3BCBBB2F16E83A6CE138C6E0B0C90 Filename: patchSG0004741.eoe_sw
Algorithm #1 (sum -r): 47290 14241 patchSG0004741.eoe_sw
Algorithm #2 (sum): 20959 14241 patchSG0004741.eoe_sw
MD5 checksum: 906B2552ECAD0BD4F03730C1E6DA80A3 Filename: patchSG0004741.eoe_sw64
Algorithm #1 (sum -r): 51758 5454 patchSG0004741.eoe_sw64
Algorithm #2 (sum): 1612 5454 patchSG0004741.eoe_sw64
MD5 checksum: C796DD1711D14CBFD500AA70412C6C8A Filename: patchSG0004741.idb
Algorithm #1 (sum -r): 11787 6 patchSG0004741.idb
Algorithm #2 (sum): 43916 6 patchSG0004741.idb
MD5 checksum: 6840C4B819339F639D09CB1895A1DF19 Filename: README.patch.4742
Algorithm #1 (sum -r): 50773 9 README.patch.4742
Algorithm #2 (sum): 58461 9 README.patch.4742
MD5 checksum: 4C5EB29413762291C461B6F5560A29F6 Filename: patchSG0004742
Algorithm #1 (sum -r): 36972 4 patchSG0004742
Algorithm #2 (sum): 63162 4 patchSG0004742
MD5 checksum: 7EF5D0DFA0C75A9537B67AC5412ECECD Filename: patchSG0004742.dev_sw
Algorithm #1 (sum -r): 21521 2829 patchSG0004742.dev_sw
Algorithm #2 (sum): 57073 2829 patchSG0004742.dev_sw
MD5 checksum: 6B70E50307D06EFDAE3A5FC8D73A50A5 Filename: patchSG0004742.eoe_sw
Algorithm #1 (sum -r): 38562 14004 patchSG0004742.eoe_sw
Algorithm #2 (sum): 22516 14004 patchSG0004742.eoe_sw
MD5 checksum: 78452CABCE7569EFB73FA0E47C65FC03 Filename: patchSG0004742.eoe_sw64
Algorithm #1 (sum -r): 31249 5378 patchSG0004742.eoe_sw64
Algorithm #2 (sum): 1826 5378 patchSG0004742.eoe_sw64
MD5 checksum: DF82029A99D74908CA24065A2D35552E Filename: patchSG0004742.idb
Algorithm #1 (sum -r): 54786 6 patchSG0004742.idb
Algorithm #2 (sum): 44002 6 patchSG0004742.idb
MD5 checksum: EEAC01E3BCDF632EB515DA3697FDC109 Filename: README.patch.4743
Algorithm #1 (sum -r): 15948 8 README.patch.4743
Algorithm #2 (sum): 45429 8 README.patch.4743
MD5 checksum: 3E15972E0AF21A717B45A698A9890BA7 Filename: patchSG0004743
Algorithm #1 (sum -r): 51688 4 patchSG0004743
Algorithm #2 (sum): 50416 4 patchSG0004743
MD5 checksum: ED38340DD8FAC5C86F743878AE1728D1 Filename: patchSG0004743.dev_sw
Algorithm #1 (sum -r): 40350 2861 patchSG0004743.dev_sw
Algorithm #2 (sum): 97 2861 patchSG0004743.dev_sw
MD5 checksum: 8EBC7CAAD1142B5566B976380364A37E Filename: patchSG0004743.eoe_sw
Algorithm #1 (sum -r): 44069 14162 patchSG0004743.eoe_sw
Algorithm #2 (sum): 34540 14162 patchSG0004743.eoe_sw
MD5 checksum: DDF3BE55CB5F1EAE93B62BBD3FEF55A6 Filename: patchSG0004743.eoe_sw64
Algorithm #1 (sum -r): 30426 5440 patchSG0004743.eoe_sw64
Algorithm #2 (sum): 59672 5440 patchSG0004743.eoe_sw64
MD5 checksum: 6D0D872F815DA621B0992A9FD9324671 Filename: patchSG0004743.idb
Algorithm #1 (sum -r): 01715 7 patchSG0004743.idb
Algorithm #2 (sum): 55881 7 patchSG0004743.idb
MD5 checksum: 5CE041BDAB7430DBDF87511754D28CCA Filename: README.patch.4744
Algorithm #1 (sum -r): 44285 8 README.patch.4744
Algorithm #2 (sum): 45488 8 README.patch.4744
MD5 checksum: D438FE6315E0F332108225D165D2EFB7 Filename: patchSG0004744
Algorithm #1 (sum -r): 00653 4 patchSG0004744
Algorithm #2 (sum): 47744 4 patchSG0004744
MD5 checksum: C19320CF91D7677290FF736E56C9FED5 Filename: patchSG0004744.dev_sw
Algorithm #1 (sum -r): 28428 2811 patchSG0004744.dev_sw
Algorithm #2 (sum): 5201 2811 patchSG0004744.dev_sw
MD5 checksum: 60A77A0A373EEC1EBF3EB9AF5FC79F3B Filename: patchSG0004744.eoe_sw
Algorithm #1 (sum -r): 18899 13870 patchSG0004744.eoe_sw
Algorithm #2 (sum): 21781 13870 patchSG0004744.eoe_sw
MD5 checksum: EA1848F5C8B67056F05A9FE9B57CA9E2 Filename: patchSG0004744.eoe_sw64
Algorithm #1 (sum -r): 58911 5361 patchSG0004744.eoe_sw64
Algorithm #2 (sum): 50085 5361 patchSG0004744.eoe_sw64
MD5 checksum: 130FF3A636C961FB3954C16E442C0B6F Filename: patchSG0004744.idb
Algorithm #1 (sum -r): 13486 7 patchSG0004744.idb
Algorithm #2 (sum): 55824 7 patchSG0004744.idb
MD5 checksum: 0CEBC15BCF39EA355446255A5D75D805 Filename: README.patch.4745
Algorithm #1 (sum -r): 15799 8 README.patch.4745
Algorithm #2 (sum): 35275 8 README.patch.4745
MD5 checksum: D6B712256A62F8E6B2ACD0976763DCCA Filename: patchSG0004745
Algorithm #1 (sum -r): 58964 3 patchSG0004745
Algorithm #2 (sum): 34473 3 patchSG0004745
MD5 checksum: 37DD6BFA2D081654929172C5FFA85D03 Filename: patchSG0004745.dev_sw
Algorithm #1 (sum -r): 43608 2865 patchSG0004745.dev_sw
Algorithm #2 (sum): 26907 2865 patchSG0004745.dev_sw
MD5 checksum: 9CC4426260A13DD11D8787A75616B533 Filename: patchSG0004745.eoe_sw
Algorithm #1 (sum -r): 46222 14145 patchSG0004745.eoe_sw
Algorithm #2 (sum): 2014 14145 patchSG0004745.eoe_sw
MD5 checksum: 05732207843259769B88ACB5086F0E9D Filename: patchSG0004745.eoe_sw64
Algorithm #1 (sum -r): 28294 5432 patchSG0004745.eoe_sw64
Algorithm #2 (sum): 35373 5432 patchSG0004745.eoe_sw64
MD5 checksum: E315BF430F7F55705EBB9059B618615C Filename: patchSG0004745.idb
Algorithm #1 (sum -r): 08259 7 patchSG0004745.idb
Algorithm #2 (sum): 55819 7 patchSG0004745.idb
MD5 checksum: 9C00336D9796E94A5EECB18E032835BC Filename: README.patch.4746
Algorithm #1 (sum -r): 32906 8 README.patch.4746
Algorithm #2 (sum): 35306 8 README.patch.4746
MD5 checksum: 875BAC2CC2801F9CA4B7C7C5DBD1D747 Filename: patchSG0004746
Algorithm #1 (sum -r): 38467 3 patchSG0004746
Algorithm #2 (sum): 31867 3 patchSG0004746
MD5 checksum: E7E3FB06A6133FB036B9E798959B3205 Filename: patchSG0004746.dev_sw
Algorithm #1 (sum -r): 02250 2814 patchSG0004746.dev_sw
Algorithm #2 (sum): 8724 2814 patchSG0004746.dev_sw
MD5 checksum: 6EE1AE6822CFCC275BF92BAEE44C6102 Filename: patchSG0004746.eoe_sw
Algorithm #1 (sum -r): 42525 13917 patchSG0004746.eoe_sw
Algorithm #2 (sum): 56304 13917 patchSG0004746.eoe_sw
MD5 checksum: B119365083193E8EFDB4D4EA06BD90B8 Filename: patchSG0004746.eoe_sw64
Algorithm #1 (sum -r): 47973 5358 patchSG0004746.eoe_sw64
Algorithm #2 (sum): 48931 5358 patchSG0004746.eoe_sw64
MD5 checksum: E5A80390E8E1017A559ACBCB6C64D2EE Filename: patchSG0004746.idb
Algorithm #1 (sum -r): 21733 7 patchSG0004746.idb
Algorithm #2 (sum): 55840 7 patchSG0004746.idb
MD5 checksum: 23784F6416174D2794CA958A5FD27C5A Filename: README.patch.4747
Algorithm #1 (sum -r): 40141 8 README.patch.4747
Algorithm #2 (sum): 28747 8 README.patch.4747
MD5 checksum: 5E6CD892484FAFF3DED05366F2F5EA89 Filename: patchSG0004747
Algorithm #1 (sum -r): 37009 3 patchSG0004747
Algorithm #2 (sum): 35605 3 patchSG0004747
MD5 checksum: 0109A515389D8C94EFBBE15043B08557 Filename: patchSG0004747.dev_sw
Algorithm #1 (sum -r): 60690 2915 patchSG0004747.dev_sw
Algorithm #2 (sum): 7035 2915 patchSG0004747.dev_sw
MD5 checksum: 128FD717AEBA71B8993DC3E9DC880F79 Filename: patchSG0004747.eoe_sw
Algorithm #1 (sum -r): 53956 14492 patchSG0004747.eoe_sw
Algorithm #2 (sum): 27214 14492 patchSG0004747.eoe_sw
MD5 checksum: 9590837AF84D5A0D6EFC916C851F0AD6 Filename: patchSG0004747.eoe_sw64
Algorithm #1 (sum -r): 28387 5585 patchSG0004747.eoe_sw64
Algorithm #2 (sum): 29573 5585 patchSG0004747.eoe_sw64
MD5 checksum: 6AFBDD4D8D5915613AB86DC690DB2F4D Filename: patchSG0004747.idb
Algorithm #1 (sum -r): 13314 7 patchSG0004747.idb
Algorithm #2 (sum): 55955 7 patchSG0004747.idb
MD5 checksum: FDFFBD812D3964D9AC3C16D5BDAAF82D Filename: README.patch.4748
Algorithm #1 (sum -r): 17856 8 README.patch.4748
Algorithm #2 (sum): 28761 8 README.patch.4748
MD5 checksum: 77CC00A1EE9DCD4FB02F8B9F1540BB20 Filename: patchSG0004748
Algorithm #1 (sum -r): 64080 3 patchSG0004748
Algorithm #2 (sum): 33271 3 patchSG0004748
MD5 checksum: 1DC2039E57A656D89D34D219A863B9AA Filename: patchSG0004748.dev_sw
Algorithm #1 (sum -r): 57598 2867 patchSG0004748.dev_sw
Algorithm #2 (sum): 6373 2867 patchSG0004748.dev_sw
MD5 checksum: 7FEC56E9DF6C7F9E957E33C78B62B2B3 Filename: patchSG0004748.eoe_sw
Algorithm #1 (sum -r): 44400 14293 patchSG0004748.eoe_sw
Algorithm #2 (sum): 12872 14293 patchSG0004748.eoe_sw
MD5 checksum: 660F5D22F3F897C50DD2649DFA990122 Filename: patchSG0004748.eoe_sw64
Algorithm #1 (sum -r): 02612 5505 patchSG0004748.eoe_sw64
Algorithm #2 (sum): 61325 5505 patchSG0004748.eoe_sw64
MD5 checksum: 2A6D329F8D1E4469E524A85EEF6E157D Filename: patchSG0004748.idb
Algorithm #1 (sum -r): 61381 7 patchSG0004748.idb
Algorithm #2 (sum): 56061 7 patchSG0004748.idb
MD5 checksum: 5F8AD4C318190D8316A7D406DAC8BBA1 - --- Acknowledgments ---- SGI wishes to thank CERT, ISS, FIRST and the users of the Internet Community
at large for their assistance in this matter. - --- Links --- SGI Security Advisories can be found at: http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/ SGI Security Patches can be found at: http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/ SGI patches for IRIX can be found at the following patch servers: http://support.sgi.com/irix/ and ftp://patches.sgi.com/ SGI freeware updates for IRIX can be found at: http://freeware.sgi.com/ SGI fixes for SGI open sourced code can be found on: http://oss.sgi.com/projects/ SGI patches and RPMs for Linux can be found at: http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/ SGI patches for Windows NT or 2000 can be found at: http://support.sgi.com/nt/ IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/ IRIX 6.5 Maintenance Release Streams can be found at: http://support.sgi.com/colls/patches/tools/relstream/index.html IRIX 6.5 Software Update CDs can be obtained from: http://support.sgi.com/irix/swupdates/ The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/ For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update. - --- SGI Security Information/Contacts --- If there are questions about this document, email can be sent to
security-info@sgi.com. ------oOo------ SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/ The SGI Security Headquarters Web page is accessible at the URL: http://www.sgi.com/support/security/ For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com. For assistance obtaining or working with security patches, please
contact your SGI support provider. ------oOo------ SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below. % mail wiretap-request@sgi.com
subscribe wiretap < YourEmailAddress such as aaanalyst@sgi.com >
end
^d In the example above,
The vendor has not provided us with any further information regarding this vulnerability.
SGI was previously looking into the matter on August 1, 2002, per: ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A -----BEGIN PGP SIGNED MESSAGE----- SGI Security Advisory Title: Sun RPC xdr_array vulnerability
Number: 20020801-01-A
Date: August 1, 2002 SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use. SGI recommends
that this information be acted upon as soon as possible. SGI provides the information in this Security Advisory on an "AS-IS" basis
only, and disclaims all warranties with respect thereto, express, implied
or otherwise, including, without limitation, any warranty of merchantability
or fitness for a particular purpose. In no event shall SGI be liable for
any loss of profits, loss of business, loss of data or for any indirect,
special, exemplary, incidental or consequential damages of any kind arising
from your use of, failure to use or improper use of any of the instructions
or information in this Security Advisory. SGI acknowledges the Sun RPC vulnerability reported by ISS X-Force Advisory: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
and is currently investigating. No further information is available at this time. As further information
becomes available, additional advisories will be issued. For the protection of all our customers, SGI does not disclose, discuss
or confirm vulnerabilities until a full investigation has occurred and
any necessary patch(es) or release streams are available for all vulnerable
and supported Linux and IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged
to assume all security vulnerabilities as exploitable and take appropriate
steps according to local site security policies and requirements. As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list. - --- SGI Security Information/Contacts --- If there are questions about this document, email can be sent to
security-info@sgi.com. ------oOo------ SGI provides security information and patches for use by the entire
SGI community. This information is freely available to any person
needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security advisories and patches
is patches.sgi.com (216.32.174.211). Security advisories and patches
are located under the URL ftp://patches.sgi.com/support/free/security/ The SGI Security Headquarters Web page is accessible at the URL
http://www.sgi.com/support/security/ For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com. For assistance obtaining or working with security patches, please
contact your SGI support provider. ------oOo------ SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web (http://www.sgi.com/support/security/wiretap.html)
or by sending email to SGI as outlined below. % mail wiretap-request@sgi.com
subscribe wiretap
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 05, 2002
Affected
Sun can confirm that there is a type overflow vulnerability in the xdr_array(3NSL) function which is part of the network services library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert 46122 which describes the issue, applications affected, and workaround information. The Sun Alert will be updated as more information or patches become available and is located here: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122 Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at: http://sunsolve.sun.com/security
The vendor has not provided us with any further information regarding this vulnerability.
[text downloaded at Thu Aug 1 2002 11:30:51 (-0400)] Sun(sm) Alert Notification * Sun Alert ID: 46122
* Synopsis: Security Vulnerability in the Network Services
Library, libnsl(3LIB)
* Category: Security
* Product: Solaris
* BugIDs: 4691127
* Avoidance: none
* State: Committed
* Date Released: 31-Jul-2002
* Date Closed: * Date Modified: 1. Impact A local or remote user may be able to gain unauthorized root
privileges due to a type overflow vulnerability in the
xdr_array(3NSL) function which is part of the network services
library, libnsl(3LIB), on Solaris. 2. Contributing Factors This issue can occur in the following releases: SPARC
* Solaris 2.5.1
* Solaris 2.6
* Solaris 7
* Solaris 8
* Solaris 9 Intel
* Solaris 2.5.1
* Solaris 2.6
* Solaris 7
* Solaris 8
* Solaris 9 3. Symptoms There are no symptoms that would show the described issue has been
exploited to gain unauthorized root access to a host. If an attempt to exploit this vulnerability fails, the affected
daemon may dump core in the root directory, '/'. A root user may run
file(1) on the core file to determine the original program, for
example: # file /core
/core: ELF 32-bit MSB core file SPARC Version 1, from 'dmisp
d' A typical stack trace from a failed exploit attempt against 'dmispd'
may look like: [1] t_delete(), at 0xff0c629c
[2] realfree(), at 0xff0c5ed0
[3] _malloc_unlocked(), at 0xff0c5a68
[4] malloc(), at 0xff0c5808
[5] xdr_array(), at 0xff21ffe4
[6] xdr_DmiAttributeIds(), at 0xff34a208 [23] svc_run(), at 0xff24cda4
[24] server_svc(), at 0xff35baac
[25] InitDmiInfo(), at 0xff34da7c
=>[26] main(argc = ???, argv = ???) (optimized), at 0x1561c in "dmisp
d.cc" Other affected applications should have a similar stack trace for
frames one through five. Solution Summary [1]Top 4. Relief/Workaround There is no workaround for this issue, but one may wish to block
access to the vulnerable services as described below. Note that this
Sun Alert will be updated as and when more information or patches
become available. Multiple applications run as root privileged daemons and are linked
with libnsl(3LIB) and call the xdr_array(3NSL) function directly,
such as: dmispd(1M) - Sun Solstice Enterprise DMI Service Provider
rpc.cmsd(1m) - CDE calendar manager service daemon If SEAM(5) is installed, multiple Kerberos applications which run
with root privileges are affected, such as: krb5kdc(1M) - daemon that runs on the master and slave KDCs to process
the Kerberos tickets
kadmind(1M) - Kerberos administration daemon Additional SEAM(5) unbundled applications such as the Kerberos
versions of rlogind, telnetd, ftpd, and rshd are affected as well. Although Sun is not aware of any other applications or services that
may be vulnerable to this issue, Sun is continuing to investigate
and will update this Sun Alert as needed. Some third-party applications may have been created and installed
which are statically linked with the static version of the name
services library, libnsl.a. If this is the case, then it will be
necessary to obtain an application upgrade or patch from the
application vendor once patches for this issue are available. The following text is based on the wording CERT use in their
advisories: Until patches are available and can be applied, you may wish to
block access to the affected services listed above from untrusted
networks such as the Internet or disable the daemons where possible. Use a firewall or other packet-filtering technology to block the
appropriate network ports. Consult your vendor or your firewall
documentation for detailed instructions on how to configure the
ports. The rpcinfo(1M) command will report the network port(s) in use by
each of the above RPC based daemons. The RPC portmapper service,
rpcbind(1M), typically runs on ports 111/tcp and 111/udp. The RPC
program numbers for dmispd(1M) and rpc.cmsd(1m) are 300598 and
100068 respectively. An example to list the network port(s) in use
by the above RPC based daemons via their RPC program numbers: $ rpcinfo -p
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: August 01, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: May 29, 2003
Affected
A response to this advisory is available from our web site: http://www.xerox.com/security.
The vendor has not provided us with any further information regarding this vulnerability.
[Begin cached statement: 05/29/2003 20:08:48 UTC] [End cached statement]
Notified: July 29, 2002 Updated: July 31, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.