rpc.statd.automountd.bounce.txt

1999-08-17T00:00:00
ID PACKETSTORM:11831
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description  
  
Date: Mon, 7 Jun 1999 11:29:55 -0700  
From: Sun Security Coordination Team <secure@sunsc.Eng.Sun.COM>  
To: CWS@sunsc.Eng.Sun.COM  
Subject: Sun Security Bulletin #00186  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
________________________________________________________________________________  
Sun Microsystems, Inc. Security Bulletin  
  
Bulletin Number: #00186  
Date: June 7, 1999  
Cross-Ref:   
Title: rpc.statd  
________________________________________________________________________________  
  
The information contained in this Security Bulletin is provided "AS IS."   
Sun makes no warranties of any kind whatsoever with respect to the information   
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS,   
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR   
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE   
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.  
  
IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,   
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL   
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY   
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN   
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF   
THE POSSIBILITY OF SUCH DAMAGES.  
  
If any of the above provisions are held to be in violation of applicable law,   
void, or unenforceable in any jurisdiction, then such provisions are waived   
to the extent necessary for this disclaimer to be otherwise enforceable in   
such jurisdiction.  
________________________________________________________________________________  
  
1. Bulletins Topics  
  
Sun announces the release of patches for Solaris(tm) 2.6, 2.5.1,  
2.5, 2.4, and 2.3 (SunOS(tm) 5.6, 5.5.1, 5.5, 5.4 and 5.3), which   
relate to a vulnerability involving rpc.statd.  
  
Sun recommends that you install the patches listed in section 4   
immediately on systems running SunOS 5.6, 5.5.1, 5.5, 5.4, and 5.3.  
  
2. Who is Affected  
  
Vulnerable: SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86,  
5.4, 5.4_x86, and 5.3.  
  
Not vulnerable: All other supported versions of SunOS.  
  
3. Understanding the Vulnerability  
  
rpc.statd is the NFS file-locking status monitor. It interacts with   
rpc.lockd to provide the crash and recovery functions for file locking   
across NFS. rpc.statd allows indirect RPC calls to other RPC services.  
Because rpc.statd runs as root, this allows remote attackers to bypass  
access controls of other RPC services.  
  
4. List of Patches  
  
The following patches are available in relation to the above problem.  
  
OS Version       Patch ID  
__________       _________  
SunOS 5.6        106592-02  
SunOS 5.6_x86    106593-02  
SunOS 5.5.1      104166-04  
SunOS 5.5.1_x86  104167-04  
SunOS 5.5        103468-04  
SunOS 5.5_x86    103469-05  
SunOS 5.4        102769-07  
SunOS 5.4_x86    102770-07  
SunOS 5.3        102932-05  
_______________________________________________________________________________  
APPENDICES  
  
A. Patches listed in this bulletin are available to all Sun customers at:  
  
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches  
  
B. Checksums for the patches listed in this bulletin are available at:  
  
ftp://sunsolve.sun.com/pub/patches/CHECKSUMS  
  
C. Sun security bulletins are available at:  
  
http://sunsolve.sun.com/pub-cgi/secBulletin.pl  
  
D. Sun Security Coordination Team's PGP key is available at:  
  
http://sunsolve.sun.com/pgpkey.txt  
  
E. To report or inquire about a security problem with Sun software, contact   
one or more of the following:  
  
- Your local Sun answer centers  
- Your representative computer security response team, such as CERT   
- Sun Security Coordination Team. Send email to:  
  
security-alert@sun.com  
  
F. To receive information or subscribe to our CWS (Customer Warning System)   
mailing list, send email to:  
  
security-alert@sun.com  
  
with a subject line (not body) containing one of the following commands:  
  
Command Information Returned/Action Taken  
_______ _________________________________  
  
help An explanation of how to get information  
  
key Sun Security Coordination Team's PGP key  
  
list A list of current security topics  
  
query [topic] The email is treated as an inquiry and is forwarded to   
the Security Coordination Team  
  
report [topic] The email is treated as a security report and is  
forwarded to the Security Coordination Team. Please   
encrypt sensitive mail using Sun Security Coordination  
Team's PGP key  
  
send topic A short status summary or bulletin. For example, to   
retrieve a Security Bulletin #00138, supply the   
following in the subject line (not body):  
  
send #138  
  
subscribe Sender is added to our mailing list. To subscribe,   
supply the following in the subject line (not body):  
  
subscribe cws your-email-address  
  
Note that your-email-address should be substituted  
by your email address.  
  
unsubscribe Sender is removed from the CWS mailing list.  
________________________________________________________________________________  
  
Copyright 1999 Sun Microsystems, Inc. All rights reserved. Sun,   
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks   
of Sun Microsystems, Inc. in the United States and other countries. This   
Security Bulletin may be reproduced and distributed, provided that this   
Security Bulletin is not modified in any way and is attributed to   
Sun Microsystems, Inc. and provided that such reproduction and distribution   
is performed for non-commercial purposes.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.2  
  
iQCVAwUBN1v0lrdzzzOFBFjJAQFBRwQAuf9lbE6VUaMPIZ2nBiiVXuRsmLJqIQUQ  
zZvGpx9//DO5UQt4U/kOMmyv8m8SSNCoZfrmu4I7WqiX1OKvr+H9FLR6OEnUVqPC  
7hLQl0PBmkcLkRsUpFvEG4zTnI4D7SUcWb5rOcUYdpWF/XUnjRp9Yx0wbQClWvG2  
ZxBjl97qw1Y=  
=07wv  
-----END PGP SIGNATURE-----  
  
------------------------------------------------------------------------------------  
  
Date: Wed, 9 Jun 1999 16:27:53 -0400  
From: CERT Advisory <cert-advisory@cert.org>  
Reply-To: cert-advisory-request@cert.org  
To: cert-advisory@coal.cert.org  
Subject: CERT Advisory CA-99.05 - statd-automountd  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in  
automountd  
  
Original issue date: June 9, 1999  
Source: CERT/CC  
  
Systems Affected  
  
Systems running older versions of rpc.statd and automountd  
  
I. Description  
  
This advisory describes two vulnerabilities that are being used  
together by intruders to gain access to vulnerable systems. The first  
vulnerability is in rpc.statd, a program used to communicate state  
changes among NFS clients and servers. The second vulnerability is in  
automountd, a program used to automatically mount certain types of  
file systems. Both of these vulnerabilities have been widely discussed  
on public forums, such as BugTraq, and some vendors have issued  
security advisories related to the problems discussed here. Because of  
the number of incident reports we have received, however, we are  
releasing this advisory to call attention to these problems so that  
system and network administrators who have not addressed these  
problems do so immediately.  
  
The vulnerability in rpc.statd allows an intruder to call arbitrary  
rpc services with the privileges of the rpc.statd process. The called  
rpc service may be a local service on the same machine or it may be a  
network service on another machine. Although the form of the call is  
constrained by rpc.statd, if the call is acceptable to another rpc  
service, the other rpc service will act on the call as if it were an  
authentic call from the rpc.statd process.  
  
The vulnerability in automountd allows a local intruder to execute  
arbitrary commands with the privileges of the automountd process. This  
vulnerability has been widely known for a significant period of time,  
and patches have been available from vendors, but many systems remain  
vulnerable because their administrators have not yet applied the  
appropriate patches.  
  
By exploiting these two vulnerabilities simultaneously, a remote  
intruder is able to "bounce" rpc calls from the rpc.statd service to  
the automountd service on the same targeted machine. Although on many  
systems the automountd service does not normally accept traffic from  
the network, this combination of vulnerabilities allows a remote  
intruder to execute arbitrary commands with the administrative  
privileges of the automountd service, typically root.  
  
Note that the rpc.statd vulnerability described in this advisory is  
distinct from the vulnerabilities described in CERT Advisories  
CA-96.09 and CA-97.26.  
  
II. Impact  
  
The vulnerability in rpc.statd may allow a remote intruder to call  
arbitrary rpc services with the privileges of the rpc.statd process,  
typically root. The vulnerability in automountd may allow a local  
intruder to execute arbitrary commands with the privileges of the  
automountd service.  
  
By combining attacks exploiting these two vulnerabilities, a remote  
intruder is able to execute arbitrary commands with the privileges of  
the automountd service.  
  
Note  
  
It may still be possible to cause rpc.statd to call other rpc services  
even after applying patches which reduce the privileges of rpc.statd.  
If there are additional vulnerabilities in other rpc services  
(including services you have written), an intruder may be able to  
exploit those vulnerabilities through rpc.statd. At the present time,  
we are unaware of any such vulnerability that may be exploited  
through this mechanism.  
  
III. Solutions  
  
Install a patch from your vendor  
  
Appendix A contains input from vendors who have provided information  
for this advisory. We will update the appendix as we receive more  
information. If you do not see your vendor's name, the CERT/CC did not  
hear from that vendor. Please contact your vendor directly.  
  
Appendix A: Vendor Information  
  
Caldera  
  
Caldera's currently not shipping statd.  
  
Compaq Computer Corporation  
  
(c) Copyright 1998, 1999 Compaq Computer Corporation. All rights  
reserved.  
SOURCE: Compaq Computer Corporation  
Compaq Services  
Software Security Response Team USA  
This reported problem has not been found to affect Compaq's  
Tru64/UNIX Operating Systems Software as shipped.  
- Compaq Computer Corporation  
  
Data General  
  
We are investigating. We will provide an update when our  
investigation is complete.  
  
Hewlett-Packard Company  
  
HP is not vulnerable.  
  
The Santa Cruz Operation, Inc.  
  
No SCO products are vulnerable.  
  
Silicon Graphics, Inc.  
  
% IRIX  
  
% rpc.statd  
IRIX 6.2 and above ARE NOT vulnerable.  
IRIX 5.3 is vulnerable, but no longer supported.  
% automountd  
With patches from SGI Security Advisory  
19981005-01-PX installed,  
IRIX 6.2 and above ARE NOT vulnerable.  
  
% Unicos  
  
Currently, SGI is investigating and no further information  
is available for public release at this time.  
  
As further information becomes available, additional advisories  
will be issued via the normal SGI security information distribution  
method including the wiretap mailing list.  
SGI Security Headquarters  
http://www.sgi.com/Support/security  
SGI Security Headquarters  
http://www.sgi.com/Support/security  
  
Sun Microsystems Inc.  
  
The following patches are available:  
rpc.statd:  
Patch      OS Version  
_____      __________  
106592-02  SunOS 5.6  
106593-02  SunOS 5.6_x86  
104166-04  SunOS 5.5.1  
104167-04  SunOS 5.5.1_x86  
103468-04  SunOS 5.5  
103469-05  SunOS 5.5_x86  
102769-07  SunOS 5.4  
102770-07  SunOS 5.4_x86  
102932-05  SunOS 5.3  
The fix for this vulnerability was integrated in SunOS  
5.7 (Solaris 7) before it was released.  
automountd:  
104654-05 SunOS 5.5.1  
104655-05 SunOS 5.5.1_x86  
103187-43 SunOS 5.5  
103188-43 SunOS 5.5_x86  
101945-61 SunOS 5.4  
101946-54 SunOS 5.4_x86  
101318-92 SunOS 5.3  
SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not  
vulnerable.  
Sun security patches are available at:  
  
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches  
_______________________________________________________________  
  
Our thanks to Olaf Kirch of Caldera for his assistance in  
helping us understand the problem and Chok Poh of Sun  
Microsystems for his assistance in helping us construct this  
advisory.  
_______________________________________________________________  
  
This document is available from:  
http://www.cert.org/advisories/CA-99-05-statd-automountd.html.  
_______________________________________________________________  
  
CERT/CC Contact Information  
  
Email: cert@cert.org  
Phone: +1 412-268-7090 (24-hour hotline)  
Fax: +1 412-268-6989  
Postal address:  
CERT Coordination Center  
Software Engineering Institute  
Carnegie Mellon University  
Pittsburgh PA 15213-3890  
U.S.A.  
  
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /  
EDT(GMT-4) Monday through Friday; they are on call for  
emergencies during other hours, on U.S. holidays, and on  
weekends.  
  
Using encryption  
  
We strongly urge you to encrypt sensitive information sent by  
email. Our public PGP key is available from  
http://www.cert.org/CERT_PGP.key. If you prefer to use DES,  
please call the CERT hotline for more information.  
  
Getting security information  
  
CERT publications and other security information are available  
from our web site http://www.cert.org/.  
  
To be added to our mailing list for advisories and bulletins,  
send email to cert-advisory-request@cert.org and include  
SUBSCRIBE your-email-address in the subject of your message.  
  
Copyright 1999 Carnegie Mellon University.  
Conditions for use, disclaimers, and sponsorship information  
can be found in http://www.cert.org/legal_stuff.html.  
  
* "CERT" and "CERT Coordination Center" are registered in the  
U.S. Patent and Trademark Office  
_______________________________________________________________  
  
NO WARRANTY  
Any material furnished by Carnegie Mellon University and the  
Software Engineering Institute is furnished on an "as is"  
basis. Carnegie Mellon University makes no warranties of any  
kind, either expressed or implied as to any matter including,  
but not limited to, warranty of fitness for a particular  
purpose or merchantability, exclusivity or results obtained  
from use of the material. Carnegie Mellon University does not  
make any warranty of any kind with respect to freedom from  
patent, trademark, or copyright infringement.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.2  
  
iQCVAwUBN17H2HVP+x0t4w7BAQHspgP+JHCLMDLqm+n64pito2B5jQijAKkK0yEK  
P3/Lb8ZVgHgzAG9SuuOqBXY9ZxpaxM/gUEE3u4MAyo4ykJi6t3cMQfVDN0h+Ivn4  
hogmZa+Z4GeocXNvC6KF0KvTA/wgDvA45EXZTJM9tDYNhc93yEJBmUZl7v36WXWM  
nJ+/XDo+EP4=  
=fAiP  
-----END PGP SIGNATURE-----  
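  
The mechanism both Sun (section 3 of the bulletin above) and CERT (sections I and II) describe is a confused-deputy problem: rpc.statd relays a call requested by an unauthenticated network peer, and the relayed call arrives at the callee carrying statd's own root credentials over the local transport, so a callee such as automountd that only checks "local call from uid 0" cannot tell it from a legitimate administrative request. The following toy model is an added illustration for this thread, not Sun's, CERT's or any vendor's daemon code: the service names, the `Call` credential fields, the uid value `NOBODY` and the reduction of an SM_MON request to "a callback target plus opaque arguments" are all simplifying assumptions. It shows the bounce succeeding against the vulnerable configuration, then the effect of the two mitigations the advisories discuss: running statd with reduced privileges (the Solaris 7 stance Zielinski describes below, and what the Sun patches do), and, because CERT's Note warns that a de-privileged statd can still reach other rpc services, restricting which programs statd will call back at all (the second restriction is this example's own suggestion, not something the advisories state the patches implement).

```python
"""Toy model of the rpc.statd "bounce" (a confused deputy) and two mitigations.
Added illustration for the CA-99-05 thread; not real daemon code from Sun, CERT
or any vendor.  Service names, credential fields, the NOBODY uid and the shape
of the SM_MON request are simplifying assumptions."""
from dataclasses import dataclass

NOBODY = 60001  # assumed unprivileged uid for the "reduced privileges" variant


@dataclass(frozen=True)
class Call:
    prog: str          # RPC program the call is addressed to
    args: tuple        # opaque arguments handed to the callee
    caller_uid: int    # credential the callee sees on the call
    from_local: bool   # True if the call arrived over the local transport


class Lockd:
    """Legitimate callback target: accepts crash/recovery notices from anyone."""
    def __init__(self):
        self.notified = []

    def handle(self, call):
        self.notified.append(call.args)
        return "ok"


class Automountd:
    """Callee whose only access control is 'local call from uid 0'."""
    def __init__(self):
        self.executed = []

    def handle(self, call):
        if call.caller_uid != 0 or not call.from_local:
            return "denied"
        self.executed.append(call.args)   # a real automountd would act on the request here
        return "ok"


class Registry:
    """Stand-in for the RPC dispatch table: program name -> service object."""
    def __init__(self):
        self.programs = {}

    def dispatch(self, call):
        svc = self.programs.get(call.prog)
        return svc.handle(call) if svc else "no such program"


class Statd:
    """The deputy: relays a callback that a remote peer asked for.

    uid             -- uid statd runs as (0 is the vulnerable default)
    allowed_targets -- programs it will call back; None means any program (vulnerable)
    """
    def __init__(self, registry, uid, allowed_targets=None):
        self.registry = registry
        self.uid = uid
        self.allowed_targets = allowed_targets

    def monitor(self, target_prog, target_args):
        """SM_MON-style request from the network: 'notify target_prog with these args'."""
        if self.allowed_targets is not None and target_prog not in self.allowed_targets:
            return "refused"
        # The bounce: the relayed call carries statd's own credentials and arrives on
        # the local transport, so the remote peer's lack of privilege is lost here.
        relayed = Call(prog=target_prog, args=target_args,
                       caller_uid=self.uid, from_local=True)
        return self.registry.dispatch(relayed)


def simulate(statd_uid, allowed_targets=None):
    """Run one legitimate lockd callback and one bounce attempt at automountd.

    Returns (lockd_result, automountd_result, requests_automountd_acted_on).
    """
    reg = Registry()
    lockd, amd = Lockd(), Automountd()
    reg.programs.update({"lockd": lockd, "automountd": amd})
    statd = Statd(reg, statd_uid, allowed_targets)
    lock_result = statd.monitor("lockd", ("host-crashed", "nfsclient1"))      # constructed
    bounce_result = statd.monitor("automountd", ("mount", "constructed-args"))  # constructed
    return lock_result, bounce_result, list(amd.executed)


if __name__ == "__main__":
    print("vulnerable (root, any target): ", simulate(0))
    print("reduced privileges only:       ", simulate(NOBODY))
    print("root, callbacks limited:       ", simulate(0, {"lockd"}))
    print("both mitigations:              ", simulate(NOBODY, {"lockd"}))
```

In every variant the legitimate lockd notification still goes through, which is the point of a mitigation that narrows the deputy rather than disabling it. Note also what the model does not show: nothing here is logged on the automountd side, which matches the advisories' silence on detection and is why patch state (next example) is the practical check.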
  
------------------------------------------------------------------------------------  
  
Date: Thu, 10 Jun 1999 09:18:20 -0700  
From: Mark Zielinski <markz@SECURITY.INFICAD.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: CERT Advisory CA-99.05 - statd-automountd  
  
This CERT Advisory has failed to mention a few things that I would like to  
point out.  
  
CERT Advisory CA-99.05 reports SunOS 5.6 automountd as not being susceptible  
to the rpc.statd bounce attack. This is incorrect. SunOS 5.6 is indeed  
vulnerable, it is just harder to exploit because it involves DNS spoofing.  
  
Solaris 7 is not vulnerable because the RPC services are no longer run as  
root and automountd will only accept connections from a uid of zero. This  
has nothing to do with Sun incorporating a patch into version 7.  
  
System Administrators should also consider the following. A system  
running SunOS 5.5.1 with a patched automountd (that has not patched rpc.statd)  
is STILL vulnerable. This is because the automountd patch for SunOS 5.5.1  
only stops non-root local users from specifying the command to be run for  
mounting filesystems. Any system running rpc.statd in this situation as  
root (which is default) can still be exploited remotely.  
  
System administrators should also take note that simply disabling rpcbind  
will not stop this problem from being exploited.  
  
Both SUN Microsystems and CERT fail to mention that earlier versions of  
SunOS are also affected. I understand that most systems these days are  
not running these versions, however patches and advisories should still be  
released for those who are running them.  
  
SunOS versions 4.1.3 and 4.1.4 are still vulnerable to the rpc.statd  
bounce attack with no patches currently released.  
  
Best regards,  
  
Mark Zielinski  
System Security Engineer  
Inficad Communications  
  
-----BEGIN PGP PUBLIC KEY BLOCK-----  
Version: 2.6.2  
  
mQCNAzdE6tAAAAEEAMfnIe65PMbIGxZsegpaMME7hSxpJ0HsM0G9hrkR+EXXOLnH  
Rn6oFnaR8mKLGW+3LyAVrDE34O87EyaQ8GKqpDlN9n3wLn7Wm5WuCCRJvEHxwCZZ  
XgQpQoCMQEZNexal3dwVJNRKAvWDFE+rltplYLM8uGLyDnaXOt6aFnLygXxNAAUR  
tA5NYXJrIFppZWxpbnNraQ==  
=+Gj/  
-----END PGP PUBLIC KEY BLOCK-----  
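  
Section 4 of the Sun bulletin and the Sun entry in CERT's Appendix A give the patch IDs for rpc.statd and automountd per SunOS release, and Zielinski's point above is that a host is only safe when both are present: a 5.5.1 box with automountd patched and statd at an older revision is still exploitable. The checker below is an added example for this thread, not a Sun tool; it compares the output of `showrev -p` against exactly the IDs printed in the advisories (a Solaris patch ID is `base-rev`, and a later revision of the same base supersedes an earlier one). The `Patch: NNNNNN-RR ...` line shape is assumed from the usual `showrev -p` format and the sample output is constructed; the 5.6 automountd entry is left as "no patch listed" because that is what the advisories print, which readers should weigh against Zielinski's disagreement above.

```python
"""Check a Solaris host's installed patches against the rpc.statd and automountd
patch IDs printed in Sun Bulletin #00186 / CERT CA-99-05.  Added example for the
thread, not a Sun tool.  The `showrev -p` line format is assumed and the sample
output below is constructed."""
import re

# Patch IDs exactly as listed in the bulletin and advisory, keyed by SunOS release.
REQUIRED = {
    "rpc.statd": {
        "5.6": "106592-02", "5.6_x86": "106593-02",
        "5.5.1": "104166-04", "5.5.1_x86": "104167-04",
        "5.5": "103468-04", "5.5_x86": "103469-05",
        "5.4": "102769-07", "5.4_x86": "102770-07",
        "5.3": "102932-05",
    },
    "automountd": {
        "5.5.1": "104654-05", "5.5.1_x86": "104655-05",
        "5.5": "103187-43", "5.5_x86": "103188-43",
        "5.4": "101945-61", "5.4_x86": "101946-54",
        "5.3": "101318-92",
    },
}

# Assumed shape of one `showrev -p` line: "Patch: 104166-03 Obsoletes: ... Packages: ..."
PATCH_RE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")


def parse_showrev(text):
    """Return {patch_base: highest installed revision} from `showrev -p` output.

    A host may list several revisions of one base; only the highest matters."""
    installed = {}
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            base, rev = m.group(1), int(m.group(2))
            installed[base] = max(rev, installed.get(base, -1))
    return installed


def split_id(patch_id):
    base, rev = patch_id.split("-")
    return base, int(rev)


def check_host(sunos_version, showrev_text):
    """Return {component: verdict} for the given release and `showrev -p` output."""
    installed = parse_showrev(showrev_text)
    report = {}
    for component, by_release in REQUIRED.items():
        required = by_release.get(sunos_version)
        if required is None:
            report[component] = "no patch listed for this release"
            continue
        base, need = split_id(required)
        have = installed.get(base)
        if have is None:
            report[component] = f"missing (need {required})"
        elif have < need:
            report[component] = f"{base}-{have:02d} installed, need {required}"
        else:
            report[component] = "ok"
    return report


def is_patched(report):
    """True only when every component the advisories list a patch for is current."""
    return all(v == "ok" or v.startswith("no patch listed") for v in report.values())


# Constructed sample: a 5.5.1 host with automountd patched but statd one rev short,
# i.e. exactly the still-vulnerable situation Zielinski describes.
SAMPLE_551 = """\
Patch: 104654-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 104166-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 104166-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
"""
SAMPLE_551_FIXED = SAMPLE_551 + \
    "Patch: 104166-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n"
SAMPLE_56 = "Patch: 106592-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n"

if __name__ == "__main__":
    for release, text in (("5.5.1", SAMPLE_551), ("5.5.1", SAMPLE_551_FIXED), ("5.6", SAMPLE_56)):
        report = check_host(release, text)
        print(release, "patched" if is_patched(report) else "VULNERABLE", report)
```

On a real host, feed it the actual `showrev -p` output and the release from `uname -r`; the verdict strings are written so that the missing or stale ID can be pasted straight into a patch request.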
  
------------------------------------------------------------------------------------  
  
Date: Fri, 11 Jun 1999 13:10:19 -0700 (PDT)  
From: CIAC Mail User <ciac@rumpole.llnl.gov>  
To: ciac-bulletin@rumpole.llnl.gov  
Subject: CIAC Bulletin J-045: Vulnerability in statd exposes vulnerability in automountd  
  
[ For Public Release ]  
-----BEGIN PGP SIGNED MESSAGE-----  
  
__________________________________________________________  
  
The U.S. Department of Energy  
Computer Incident Advisory Capability  
__________________________________________________________  
  
INFORMATION BULLETIN  
  
Vulnerability in statd exposes vulnerability in automountd  
  
June 10, 1999 21:00 GMT Number J-045  
______________________________________________________________________________  
  
PROBLEM:       Two vulnerabilities are addressed in this advisory:  
               1) rpc.statd, a program used to communicate state changes among  
                  NFS clients and servers.  
               2) automountd, a program used to automatically mount certain  
                  types of file systems.  
               By exploiting these two vulnerabilities simultaneously, a  
               remote intruder is able to "bounce" rpc calls from the  
               rpc.statd service to the automountd service on the same  
               targeted machine.  
PLATFORM:      SGI IRIX 5.3 is vulnerable to rpc.statd but no longer  
               supported. Unpatched IRIX 6.2 and above are vulnerable  
               to automountd.  
               SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86,  
               5.4, 5.4_x86, and 5.3.  
DAMAGE:        This combination of vulnerabilities allows a remote  
               intruder to execute arbitrary commands with the administrative  
               privileges of the automountd service, typically root.  
SOLUTION:      Apply the vendor-supplied patch.  
______________________________________________________________________________  
VULNERABILITY  Risk is high due to these vulnerabilities having been widely  
ASSESSMENT:    discussed on public forums such as BugTraq.  
______________________________________________________________________________  
  
[ Start CERT Advisory ]  
  
CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in  
automountd  
  
Original issue date: June 9, 1999  
Source: CERT/CC  
  
Systems Affected  
  
Systems running older versions of rpc.statd and automountd  
  
I. Description  
  
This advisory describes two vulnerabilities that are being used  
together by intruders to gain access to vulnerable systems. The first  
vulnerability is in rpc.statd, a program used to communicate state  
changes among NFS clients and servers. The second vulnerability is in  
automountd, a program used to automatically mount certain types of  
file systems. Both of these vulnerabilities have been widely discussed  
on public forums, such as BugTraq, and some vendors have issued  
security advisories related to the problems discussed here. Because of  
the number of incident reports we have received, however, we are  
releasing this advisory to call attention to these problems so that  
system and network administrators who have not addressed these  
problems do so immediately.  
  
The vulnerability in rpc.statd allows an intruder to call arbitrary  
rpc services with the privileges of the rpc.statd process. The called  
rpc service may be a local service on the same machine or it may be a  
network service on another machine. Although the form of the call is  
constrained by rpc.statd, if the call is acceptable to another rpc  
service, the other rpc service will act on the call as if it were an  
authentic call from the rpc.statd process.  
  
The vulnerability in automountd allows a local intruder to execute  
arbitrary commands with the privileges of the automountd process. This  
vulnerability has been widely known for a significant period of time,  
and patches have been available from vendors, but many systems remain  
vulnerable because their administrators have not yet applied the  
appropriate patches.  
  
By exploiting these two vulnerabilities simultaneously, a remote  
intruder is able to "bounce" rpc calls from the rpc.statd service to  
the automountd service on the same targeted machine. Although on many  
systems the automountd service does not normally accept traffic from  
the network, this combination of vulnerabilities allows a remote  
intruder to execute arbitrary commands with the administrative  
privileges of the automountd service, typically root.  
  
Note that the rpc.statd vulnerability described in this advisory is  
distinct from the vulnerabilities described in CERT Advisories  
CA-96.09 and CA-97.26.  
  
II. Impact  
  
The vulnerability in rpc.statd may allow a remote intruder to call  
arbitrary rpc services with the privileges of the rpc.statd process,  
typically root. The vulnerability in automountd may allow a local  
intruder to execute arbitrary commands with the privileges of the  
automountd service.  
  
By combining attacks exploiting these two vulnerabilities, a remote  
intruder is able to execute arbitrary commands with the privileges of  
the automountd service.  
  
Note  
  
It may still be possible to cause rpc.statd to call other rpc services  
even after applying patches which reduce the privileges of rpc.statd.  
If there are additional vulnerabilities in other rpc services  
(including services you have written), an intruder may be able to  
exploit those vulnerabilities through rpc.statd. At the present time,  
we are unaware of any such vulnerability that may be exploited  
through this mechanism.  
  
III. Solutions  
  
Install a patch from your vendor  
  
Appendix A contains input from vendors who have provided information  
for this advisory. We will update the appendix as we receive more  
information. If you do not see your vendor's name, the CERT/CC did not  
hear from that vendor. Please contact your vendor directly.  
  
Appendix A: Vendor Information  
  
Caldera  
  
Caldera's currently not shipping statd.  
  
Compaq Computer Corporation  
  
(c) Copyright 1998, 1999 Compaq Computer Corporation. All rights  
reserved.  
SOURCE: Compaq Computer Corporation  
Compaq Services  
Software Security Response Team USA  
This reported problem has not been found to affect Compaq's  
Tru64/UNIX Operating Systems Software as shipped.  
- Compaq Computer Corporation  
  
Data General  
  
We are investigating. We will provide an update when our  
investigation is complete.  
  
Hewlett-Packard Company  
  
HP is not vulnerable.  
  
The Santa Cruz Operation, Inc.  
  
No SCO products are vulnerable.  
  
Silicon Graphics, Inc.  
  
% IRIX  
  
% rpc.statd  
IRIX 6.2 and above ARE NOT vulnerable.  
IRIX 5.3 is vulnerable, but no longer supported.  
% automountd  
With patches from SGI Security Advisory  
19981005-01-PX installed,  
IRIX 6.2 and above ARE NOT vulnerable.  
  
% Unicos  
  
Currently, SGI is investigating and no further information  
is available for public release at this time.  
  
As further information becomes available, additional advisories  
will be issued via the normal SGI security information distribution  
method including the wiretap mailing list.  
SGI Security Headquarters  
http://www.sgi.com/Support/security  
SGI Security Headquarters  
http://www.sgi.com/Support/security  
  
Sun Microsystems Inc.  
  
The following patches are available:  
rpc.statd:  
Patch      OS Version  
_____      __________  
106592-02  SunOS 5.6  
106593-02  SunOS 5.6_x86  
104166-04  SunOS 5.5.1  
104167-04  SunOS 5.5.1_x86  
103468-04  SunOS 5.5  
103469-05  SunOS 5.5_x86  
102769-07  SunOS 5.4  
102770-07  SunOS 5.4_x86  
102932-05  SunOS 5.3  
The fix for this vulnerability was integrated in SunOS  
5.7 (Solaris 7) before it was released.  
automountd:  
104654-05 SunOS 5.5.1  
104655-05 SunOS 5.5.1_x86  
103187-43 SunOS 5.5  
103188-43 SunOS 5.5_x86  
101945-61 SunOS 5.4  
101946-54 SunOS 5.4_x86  
101318-92 SunOS 5.3  
SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not  
vulnerable.  
Sun security patches are available at:  
  
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches  
_______________________________________________________________  
  
Our thanks to Olaf Kirch of Caldera for his assistance in  
helping us understand the problem and Chok Poh of Sun  
Microsystems for his assistance in helping us construct this  
advisory.  
_______________________________________________________________  
  
This document is available from:  
http://www.cert.org/advisories/CA-99-05-statd-automountd.html.  
_______________________________________________________________  
  
  
[ End CERT Advisory ]  
  
______________________________________________________________________________  
  
CIAC wishes to acknowledge CERT for the information contained in this  
bulletin.  
______________________________________________________________________________  
  
  
For additional information or assistance, please contact CIAC:  
  
CIAC, the Computer Incident Advisory Capability, is the computer  
security incident response team for the U.S. Department of Energy  
(DOE) and the emergency backup response team for the National  
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore  
National Laboratory in Livermore, California. CIAC is also a founding  
member of FIRST, the Forum of Incident Response and Security Teams, a  
global organization established to foster cooperation and coordination  
among computer security teams worldwide.  
  
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC  
can be contacted at:  
Voice: +1 925-422-8193  
FAX: +1 925-423-8002  
STU-III: +1 925-423-2604  
E-mail: ciac@llnl.gov  
  
For emergencies and off-hour assistance, DOE, DOE contractor sites,  
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -  
8AM PST), use one of the following methods to contact CIAC:  
  
1. Call the CIAC voice number 925-422-8193 and leave a message, or  
  
2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or  
  
3. Send e-mail to 4498369@skytel.com, or  
  
4. Call 800-201-9288 for the CIAC Project Leader.  
  
Previous CIAC notices, anti-virus software, and other information are  
available from the CIAC Computer Security Archive.  
  
World Wide Web: http://www.ciac.org/  
(or http://ciac.llnl.gov)  
Anonymous FTP: ftp.ciac.org  
(or ciac.llnl.gov)  
Modem access: +1 (925) 423-4753 (28.8K baud)  
+1 (925) 423-3331 (28.8K baud)  
  
CIAC has several self-subscribing mailing lists for electronic  
publications:  
1. CIAC-BULLETIN for Advisories, highest priority - time critical  
information and Bulletins, important computer security information;  
2. SPI-ANNOUNCE for official news about Security Profile Inspector  
(SPI) software updates, new features, distribution and  
availability;  
3. SPI-NOTES, for discussion of problems and solutions regarding the  
use of SPI products.  
  
Our mailing lists are managed by a public domain software package  
called Majordomo, which ignores E-mail header subject lines. To  
subscribe (add yourself) to one of our mailing lists, send the  
following request as the E-mail message body, substituting  
ciac-bulletin, spi-announce OR spi-notes for list-name:  
  
E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:  
subscribe list-name  
e.g., subscribe ciac-bulletin  
  
You will receive an acknowledgment email immediately with a confirmation  
that you will need to mail back to the addresses above, as per the  
instructions in the email. This is a partial protection to make sure  
you are really the one who asked to be signed up for the list in question.  
  
If you include the word 'help' in the body of an email to the above address,  
it will also send back an information file on how to subscribe/unsubscribe,  
get past issues of CIAC bulletins via email, etc.  
  
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing  
communities receive CIAC bulletins. If you are not part of these  
communities, please contact your agency's response team to report  
incidents. Your agency's team will coordinate with CIAC. The Forum of  
Incident Response and Security Teams (FIRST) is a world-wide  
organization. A list of FIRST member organizations and their  
constituencies can be obtained via WWW at http://www.first.org/.  
  
This document was prepared as an account of work sponsored by an  
agency of the United States Government. Neither the United States  
Government nor the University of California nor any of their  
employees, makes any warranty, express or implied, or assumes any  
legal liability or responsibility for the accuracy, completeness, or  
usefulness of any information, apparatus, product, or process  
disclosed, or represents that its use would not infringe privately  
owned rights. Reference herein to any specific commercial products,  
process, or service by trade name, trademark, manufacturer, or  
otherwise, does not necessarily constitute or imply its endorsement,  
recommendation or favoring by the United States Government or the  
University of California. The views and opinions of authors expressed  
herein do not necessarily state or reflect those of the United States  
Government or the University of California, and shall not be used for  
advertising or product endorsement purposes.  
  
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)  
  
J-035: Linux Blind TCP Spoofing  
J-036: LDAP Buffer overflow against Microsoft Directory Services  
J-037: W97M.Melissa Word Macro Virus  
J-038: HP-UX Vulnerabilities (hpterm, ftp)  
J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES  
J-040: HP-UX Security Vulnerability in sendmail  
J-041: Cisco IOS(R) Software Input Access List Leakage with NAT  
J-042: Web Security  
J-043: (bulletin in process)  
J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: 4.0 Business Edition  
  
iQCVAwUBN2E1qrnzJzdsy3QZAQHcqQQAzStiURTt0eWZTvrLlPeNIVyNyshW4bpP  
vz5J1hum0BRYVdSAD07iGfdjooGJrKSGQY7PhvFskOK/ylbrx/tAhkdcvz423Mvw  
y7lUN9RlMV3W0nxYTF75+IIr1CM1x6GP6Ahj+G+b8FwNojY0JQWdXj2AbKUrXEC5  
Xk8uCoJIehM=  
=Vkr8  
-----END PGP SIGNATURE-----  
  
------------------------------------------------------------------------------------  
  
Date: Fri, 11 Jun 1999 15:43:33 -0400  
From: Nadeem Riaz <nads@bleh.org>  
To: BUGTRAQ@netspace.org  
Subject: Re: CERT Advisory CA-99.05 - statd-automountd  
  
Hi,  
  
Is there a more complete list of systems that are or are not vulnerable  
to these latest security holes? The advisory implies that only vendors who  
responded with information are in the list of vulnerable or non-vulnerable  
operating systems. Are the statd's shipped with the latest version of RedHat  
(6.0) or FreeBSD-stable (3.2) vulnerable? -- Thanks  
  
  
-- Nadeem Riaz  
  
------------------------------------------------------------------------------------  
  
Date: Fri, 11 Jun 1999 17:37:10 -0400  
From: Scott Cromar <cromar@PRINCETON.EDU>  
To: BUGTRAQ@netspace.org  
Subject: Re: CERT Advisory CA-99.05 - statd-automountd  
  
Re: the SunOS 4.1.4 dimension of this problem:  
  
Sun tells me that patch 102516-06 and later protect against this issue.  
(This response was in reaction to Sun Service Order 3993470.) I am not in  
a position to check the validity of their response.  
  
--Scott  
  
On Thu, 10 Jun 1999, Mark Zielinski wrote:  
  
> This CERT Advisory has failed to mention a few things that I would like to  
> point out.  
>  
> CERT Advisory CA-99.05 reports SunOS 5.6 automountd as not being susceptible  
> to the rpc.statd bounce attack. This is incorrect. SunOS 5.6 is indeed  
> vulnerable, it is just harder to exploit because it involves DNS spoofing.  
>  
> Solaris 7 is not vulnerable because the RPC services are no longer run as  
> root and automountd will only accept connections from a uid of zero. This  
> has nothing to do with Sun incorporating a patch into version 7.  
>  
> System Administrators should also consider the following. A system  
> running SunOS 5.5.1 with a patched automountd (that has not patched rpc.statd)  
> is STILL vulnerable. This is because the automountd patch for SunOS 5.5.1  
> only stops non-root local users from specifying the command to be run for  
> mounting filesystems. Any system running rpc.statd in this situation as  
> root (which is default) can still be exploited remotely.  
>  
> System administrators should also take note that simply disabling rpcbind  
> will not stop this problem from being exploited.  
>  
> Both SUN Microsystems and CERT fail to mention that earlier versions of  
> SunOS are also affected. I understand that most systems these days are  
> not running these versions, however patches and advisories should still be  
> released for those who are running them.  
>  
> SunOS versions 4.1.3 and 4.1.4 are still vulnerable to the rpc.statd  
> bounce attack with no patches currently released.  
>  
> Best regards,  
>  
> Mark Zielinski  
> System Security Engineer  
> Inficad Communications  
  