[NEWS] Heap Overflow in Solaris cachefs Daemon
From: support@securiteam.comDate: 07/25/02
- Previous message: support@securiteam.com: "[UNIX] Cobalt Qube 3 Administration Page Insecurity"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Thu, 25 Jul 2002 12:10:50 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Heap Overflow in Solaris cachefs Daemon
------------------------------------------------------------------------
SUMMARY
This advisory describes a vulnerability that affects Cisco products and
No other Cisco product is vulnerable.
Sun is working on a patch. Until the patch is released, all affected
DETAILS
Products Affected:
The following products are affected:
* Products running on Solaris 2.6 are vulnerable unless CSCOh013.pkg
* Cisco Element Management Framework (CEMF) and Related Products
* Cisco IP Manager
* Cisco Secure ACS for UNIX
The following products are not affected:
No other Cisco products are affected.
Details:
* Sun Alert Notification at
* CERT Advisory CA-2002-11 at
* This issue is also being referenced as CAN-2002-0085 (see
A remotely exploitable heap overflow exists in the cachefsd program. It is
According to Sun Microsystems, failed attempts to exploit this
Impact:
Software Versions and Fixes:
Obtaining Fixed Software:
Please do not contact either "psirt@cisco.com" or
Workarounds:
Comment out cachefsd in /etc/inetd.conf as shown below:
* For Solaris 2.6, 7 and 8:
Once the line is commented out either:
$ kill -HUP <PID of inetd>
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com> Cisco
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
applications that are installed on the Solaris operating system, and is
based on the vulnerability of a common service within the Solaris
operating system, not due to a defect of the Cisco product or application.
A vulnerability in the "cachefs" program was discovered that enables an
attacker to execute arbitrary code under Solaris OS. This vulnerability
was publicly announced in the CERT Advisory CA-2002-11. All Cisco products
and applications that are installed on Solaris OS are considered
vulnerable to the underlying operating system vulnerability, unless the
workaround was applied. This vulnerability is described in details in Sun
Alert Notification at:
<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309 .
customers are advised to apply the workaround described in the workaround
section.
All products that are based on the following Solaris releases are
affected:
* Solaris 2.5.1
* Solaris 2.6
* Solaris 7
* Solaris 8
* Media Gateway Controller (MGC) and Related Products
* Products running on Solaris 2.5.1 are vulnerable unless CSCOh013.pkg
release 1.0(9) or later has been installed. The product that is based on
this version of Solaris is Signaling Controller 2200 (SC2200).
release 1.0(9) or later has been installed. Products running on Solaris 8
are vulnerable unless CSCOh013.pkg release 2.0(2) or later has been
installed. The products that are based on these versions of Solaris are:
* SC2200
* Cisco Virtual Switch Controller (VSC3000)
* Cisco PGW2200 Public Switched Telephone Network (PSTN) Gateway
* Cisco Billing and Management Server (BAMS)
* Cisco Voice Services Provisioning Tool (VSPT)
All releases of CEMF are vulnerable. The related products are:
* Cisco 12000 Manager
* Cisco DSL Manager
* Element Manager Software for the Cisco 7200 and 7400 Series Routers
* Element Manager Software for the Catalyst 6500 Series & Cisco 7600
Series Routers
* Universal Gateway Manager
* Cisco Cable Manager
* Cisco Media Gateway Manager
* Cisco MGC (Media Gateway Controller) Node Manager
*
All releases.
All releases.
* BTS10200
* Cisco IDS
This vulnerability is described in the following advisories/notifications:
<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309.
<http://www.cert.org/advisories/CA-2002-11.html>
http://www.cert.org/advisories/CA-2002-11.html.
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0085>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0085).
installed by default on the Sun Solaris OS. Cachefsd caches requests for
operations on remote file systems mounted via the use of NFS protocol. An
attacker can send a crafted RPC request to the cachefsd program to exploit
the vulnerability.
vulnerability may leave a core dump file in the root directory. Note that
the core file may be created by some other process and that its presence
is not a certain sign of a compromise. Additionally, if the file
/etc/cachefstab exists, it may contain entries other than a known cache
directories (e.g., /cachefs/cache0).
It is possible to execute an arbitrary code on the vulnerable computer.
That can lead to a full OS compromise where an attacker can gain root
privileges.
Sun Microsystems is working on a patch. Their latest status on this
vulnerability is available at
<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309
Currently Cisco cannot offer fixed software for this vulnerability. Cisco
will patch all affected products after Sun releases patches for Solaris
OS. All affected customers are advised to apply the workaround.
"security-alert@cisco.com" for software upgrades.
The workaround is applicable to all Cisco products mentioned in the
advisory. For MGC and related products, if you have applied the script
from CSCO013.pkg you are protected and you do not have to apply this
workaround.
#100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd
cachefsd
* Solaris 2.5.1:
#100235/1 stream rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd
cachefsd
* Reboot, or
* Send a HUP signal to inetd(1M) and kill existing cachefsd processes,
for example, on Solaris 2.5.1 and 2.6 do the following:
$ kill <PIDs of any cachefsd processes> Solaris 7 and 8 do the
following:
$ pkill -HUP inetd
$ pkill cachefsd
Systems Product Security Incident Response Team.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
|
