CERTVU:648304Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.78 High
EPSS
Percentile
98.2%
Overview
There is a buffer overflow in the snmpXdmi daemon, which may allow intruders to gain root privileges on systems running the vulnerable daemon.
Description
The SNMP-to-DMI mapper daemon (snmpXdmi) translates Simple Network Management Protocol (SNMP) events to Desktop Management Interface (DMI) indications and vice-versa. Both protocols serve a similar purpose, and the translation daemon allows users to manage devices using either protocol. The snmpXdmi daemon registers itself with the snmpdx and dmid daemons, translating and forwarding requests from one daemon to the other. The snmpXdmi daemon, which is shipped with Solaris versions 2.6, 7 and 8, is enabled by default.
The snmpXdmi daemon contains a buffer overflow in the code for translating DMI indications to SNMP events. This buffer overflow is exploitable by remote intruders to gain root privileges.
More information about this vulnerability can be found in the advisory published by Job de Haas of ITSX:
<http://www.itsx.com/snmpXdmid.html>
Impact
A remote intruder who is able to send packets to the snmpXdmi daemon may be able to gain root privileges on that system.
Solution
Apply a Patch
Apply a patch from Sun when it is available.
Disable snmpXdmi
Sites that do not use both SNMP and DMI should disable the translation daemon, thus eliminating the vulnerability.
Restrict Access to snmpXdmi and other RPC services
Sites that require the functionality of snmpXdmi or other RPC services should restrict access through filtering. Local IP filtering rules that prevent hosts other than localhost from connecting to the daemon may mitigate the risks associated with running the daemon. Sun RPC services are advertised on port 111/{tcp,udp}. The snmpXdmid RPC service id is 100249; use ‘rpcinfo -p’ to list local site port bindings:
# rpcinfo -p | grep 100249 100249 1 udp 32785 100249 1 tcp 32786
Note that site-specific port binding will vary.
Vendor Information
648304
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Sun __ Affected
Notified: March 08, 2001 Updated: September 14, 2001
Status
Affected
Vendor Statement
Please see Sun Security Bulletin #00207 for patch details available from:
<http://sunsolve.sun.com/security>
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Sun has released Sun Security Bulletin #00207 which provides pointers to patches to correct this vulnerability. A copy of this security bulletin has been archived here for your convenience:
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.itsx.com/snmpXdmid.html>
- <http://www.securityfocus.com/bid/2417>
- <http://www.securityfocus.com/archive/1/168936>
- <http://www.sun.com/software/entagents/download/>
- <http://www.sun.com/software/entagents/docs/UGhtml/snmp_with_dmi.doc.html>
- <http://www.dmtf.org/spec/spec.html>
- <http://www.dmtf.org/spec/snmp.html>
- <http://www.ciac.org/ciac/bulletins/l-065.shtml>
Acknowledgements
Thanks to Job de Haas ([email protected]) of ITSX BV Amsterdam, The Netherlands (http://www.itsx.com) for reporting this vulnerability to the CERT/CC.
This document was written by Cory F. Cohen.
Other Information
| CVE IDs: | CVE-2001-0236 |
|---|---|
| CERT Advisory: | CA-2001-05 Severity Metric: |
References
Related
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.78 High
EPSS
Percentile
98.2%