Sun Solaris cachefsd vulnerable to stack overflow in fscache_setup() function

2002-05-09T00:00:00
ID VU:161931
Type cert
Reporter CERT
Modified 2002-05-13T20:34:00

Description

Overview

Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. An exploitable stack overflow exists in cachefsd that could permit a local attacker to execute arbitrary code with the privileges of the cachefsd process, typically root.

Description

After creating a local file on the system, an attacker can exploit a stack overflow in cachefsd to execute arbitrary code with the privileges of the cachefsd process, typically root. Sun Microsystems has released a Sun Alert Notification that addresses this issue as well as the issue described in VU#635811.

The Australian Computer Emergency Response Team has also issued an advisory related to incident activity exploiting cachefsd:

<http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.01.txt>

The eSecurityOnline team has also published a report on this vulnerability:

<http://www.eSecurityOnline.com/advisories/eSO4198.asp>

This issue is also being referenced as CAN-2002-0084:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0084>

Impact

An attacker can execute code with the privileges of the cachefsd process, typically root.


Solution

The CERT/CC is currently unaware of patches for this problem.


According to the Sun Alert Notification, a workaround is as follows:

> Comment out cachefsd in /etc/inetd.conf as shown below:
>
>     #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
>
> Once the line is commented out either:
>
> - reboot, or
> - send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example, on Solaris 2.5.1 and 2.6 do the following:
>
>       $ kill -HUP <PID of inetd>
>       $ kill <PIDs of any cachefsd processes>
>
>   Solaris 7 and 8 do the following:
>
>       $ pkill -HUP inetd
>       $ pkill cachefsd
>
> The possible side effects of the workaround are:
>
> - for systems not using cachefs: There is no impact.
> - for systems using cachefs: Only a "disconnected" operation is known to be affected by disabling cachefsd. This feature is rarely used outside of AutoClient. Mounts and unmounts should still succeed though an error message may be seen, "mount -F cachefs: cachefsd is not running". There is no performance impact.
> - for systems using AutoClient: The impact is unknown. Again, only "disconnected" mode is likely to be affected.
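As an added example (not part of the CERT note or the Sun Alert), the POSIX shell script below checks an inetd.conf file for an active entry registering RPC program 100235 (the cachefsd line the workaround says to comment out) and applies that change to a copy, so an administrator can verify the inetd.conf part of the workaround before sending inetd the HUP signal. The sample inetd.conf contents are constructed; the program number and service path come from the workaround text.

```shell
#!/bin/sh
# Verify and apply the inetd.conf part of Sun's cachefsd workaround.
# Works on a copy of the file; the administrator decides when to install it.

# Returns 0 if an active (uncommented) cachefsd line is present, 1 otherwise.
# Commented-out lines start with '#', so they never match the anchored pattern.
cachefsd_enabled_in() {
    grep '^[[:space:]]*100235/[0-9][0-9]*[[:space:]]' "$1" | grep -q 'cachefsd'
}

# Copies inetd.conf ($1) to $2 with every active cachefsd line commented out
# (a '#' is prepended, as in the Sun Alert); all other lines are unchanged.
disable_cachefsd() {
    sed 's|^\([[:space:]]*100235/[0-9][0-9]*[[:space:]].*cachefsd.*\)$|#\1|' "$1" > "$2"
}

# Prints a one-line verdict; returns 1 when the file still needs attention.
check_inetd_conf() {
    if cachefsd_enabled_in "$1"; then
        echo "cachefsd still enabled in $1"
        return 1
    fi
    echo "cachefsd disabled or absent in $1"
    return 0
}

# Constructed sample inetd.conf fragment (not copied from a real host).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# inetd.conf - constructed sample
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
EOF
FIXED_CONF=$(mktemp)

# Check the sample; if cachefsd is still enabled, produce a corrected copy.
if ! check_inetd_conf "$SAMPLE_CONF"; then
    disable_cachefsd "$SAMPLE_CONF" "$FIXED_CONF"
    check_inetd_conf "$FIXED_CONF"
fi
```

After the corrected copy is reviewed and installed as /etc/inetd.conf, the remaining steps of the workaround (HUP inetd, stop running cachefsd processes) still apply.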


Vendor Information


Sun

Updated: May 09, 2002

Status: Vulnerable

Vendor Statement

See the Sun Alert Notification which addresses this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cray

Updated: May 13, 2002

Status: Not Vulnerable

Vendor Statement

Cray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.01.txt>
  • <http://www.eSecurityOnline.com/advisories/eSO4198.asp>
  • <http://www.securityfocus.com/bid/4631>
  • <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0084>

Acknowledgements

Our thanks to AusCERT, eSecurityOnline, and the Sun Security Coordination Team, as well as Mark Dowd and Stephen James of IT Audit & Consulting for their analysis and reports about this vulnerability.

This document was written by Jason Rafail.

Other Information

CVE IDs: | CVE-2002-0084
---|---
Severity Metric: | 22.84
Date Public: | 2002-04-30
Date First Published: | 2002-05-09
Date Last Updated: | 2002-05-13 20:34 UTC
Document Revision: | 12