sunrpc vulnerabilities
Updated 3/20/03
CVE-2002-0391
CAN-2003-0028 (now CVE-2003-0028)
Impact
If an affected service is running, a remote attacker could
execute arbitrary commands with root privileges.
Background
Sun's Remote Procedure Call package (known as RPC, or sunrpc)
is used by a number of network services, such as NFS, NIS and
rpc.cmsd, to let programs on client hosts call procedures on
a server. It uses an encoding called External Data
Representation (XDR), which lets RPC programs transfer data in
a format that is consistent across different platforms. RPC
services usually listen on dynamically assigned high numbered
TCP or UDP ports. A port mapper service (portmap or rpcbind,
on port 111) tells clients which port corresponds to each RPC
service.
The Problem
There are two vulnerabilities in Sun's RPC implementation,
both integer overflows in the XDR library. In the xdr_array
function, the element count supplied by the remote peer is
multiplied by the element size to compute the buffer to
allocate; if that product wraps past the largest unsigned
value, a much smaller buffer is allocated and the decoder then
writes the full number of elements into it, a heap buffer
overflow. In the xdrmem_getbytes function, the requested
length is subtracted from the count of bytes remaining in the
stream and the result is tested for being negative; a very
large length wraps the subtraction so the check passes and the
following copy runs past the end of the buffer. A remote
attacker could execute arbitrary commands with root privileges
by passing specially crafted input to a network service which
uses either of these two functions.
Sun's libnsl library, BSD-derived libc libraries, and the GNU
C library (glibc) 2.3.1 and earlier are affected by these
vulnerabilities. Since xdr_array and xdrmem_getbytes are found
in these libraries rather than in a specific RPC program, any
RPC service which uses these libraries could be affected.
Additionally, any other services which use the XDR functions,
such as OpenAFS and MIT Kerberos 5, could be affected.
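The two overflow patterns described above, shown as an added
illustration that is not code from libc, libnsl, glibc or any
vendor patch (the function names, the stream struct and the
sample values are assumptions chosen for readability). Each
vulnerable check is placed next to the corrected form, a
divide-before-multiply test for xdr_array and a compare-before-
subtract test for xdrmem_getbytes:

```c
/* Constructed example of the XDR integer-overflow patterns in this
 * advisory.  Not library source; names and values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- xdr_array pattern ---------------------------------------------
 * The decoder reads an element count from the wire and multiplies it
 * by the element size to get the allocation size.  In 32-bit unsigned
 * arithmetic the product silently wraps modulo 2^32. */

/* Vulnerable: returns the wrapped product, which can be tiny. */
uint32_t array_bytes_vuln(uint32_t count, uint32_t elsize)
{
    return count * elsize;               /* wraps modulo 2^32 */
}

/* Hardened: reject counts whose product would not fit
 * (count > UINT32_MAX / elsize).  Returns 1 and stores the size on
 * success, 0 if the request is rejected. */
int array_bytes_safe(uint32_t count, uint32_t elsize, uint32_t *out)
{
    if (elsize == 0 || count > UINT32_MAX / elsize)
        return 0;
    *out = count * elsize;
    return 1;
}

/* --- xdrmem_getbytes pattern ---------------------------------------
 * A memory-backed XDR stream keeps a count of bytes still available
 * (x_handy).  The vulnerable check subtracts the requested length and
 * tests the result for being negative; a huge length wraps to a small
 * positive remainder and the copy proceeds past the buffer. */

struct xdrmem {
    const uint8_t *cursor;   /* next byte to read */
    uint32_t       x_handy;  /* bytes remaining in the buffer */
};

/* Vulnerable: reproduces "(x_handy -= len) < 0" with explicit 32-bit
 * wraparound and a sign-bit test.  Returns 1 if the request passes. */
int getbytes_check_vuln(uint32_t x_handy, uint32_t len)
{
    uint32_t remaining = x_handy - len;  /* wraps modulo 2^32 */
    if (remaining & 0x80000000u)         /* "negative" result */
        return 0;
    return 1;
}

/* Hardened: compare before subtracting, so nothing can wrap. */
int getbytes_check_safe(uint32_t x_handy, uint32_t len)
{
    return len <= x_handy;
}

/* Safe getbytes on a stream: copies len bytes into dst only if they
 * are available.  Returns 1 on success, 0 on refusal. */
int xdrmem_getbytes_safe(struct xdrmem *xs, uint8_t *dst, uint32_t len)
{
    if (!getbytes_check_safe(xs->x_handy, len))
        return 0;
    memcpy(dst, xs->cursor, len);
    xs->cursor  += len;
    xs->x_handy -= len;
    return 1;
}

int main(void)
{
    /* Constructed wire values: 0x40000001 four-byte elements. */
    uint32_t n = 0x40000001u, sz;
    printf("xdr_array vulnerable size: %u bytes\n", array_bytes_vuln(n, 4));
    printf("xdr_array safe accepts:    %d\n", array_bytes_safe(n, 4, &sz));

    /* Constructed stream: 16 bytes left, request of 0xFFFFFFF0 bytes. */
    printf("getbytes vulnerable accepts: %d\n",
           getbytes_check_vuln(16, 0xFFFFFFF0u));
    printf("getbytes safe accepts:       %d\n",
           getbytes_check_safe(16, 0xFFFFFFF0u));

    uint8_t buf[16], out[8];
    memset(buf, 'A', sizeof buf);
    struct xdrmem xs = { buf, sizeof buf };
    printf("read 8 bytes: %d, remaining %u\n",
           xdrmem_getbytes_safe(&xs, out, 8), xs.x_handy);
    printf("read 0xFFFFFFF0 bytes: %d\n",
           xdrmem_getbytes_safe(&xs, out, 0xFFFFFFF0u));
    return 0;
}
```

The sample count 0x40000001 multiplied by 4 wraps to 4, so the
vulnerable path would allocate four bytes and then decode over a
billion elements into them; the hardened path refuses before any
allocation. Likewise the 0xFFFFFFF0 request wraps 16 - len to 32,
which the sign test accepts, while the compare-first form rejects it.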
Resolution
See CERT Advisories
CA-2002-25 and
CA-2003-10
for patch or upgrade information from your vendor. Because the
fix is in a shared library, running services must be restarted
(or the system rebooted) to pick it up, and statically linked
applications must be recompiled or relinked against the patched
library.
It would also be advisable to disable all unnecessary RPC
services, which are typically enabled in
/etc/inetd.conf and in the
system boot scripts, /etc/rc*. The command
rpcinfo -p lists the services currently registered with the
port mapper on a host. At the network perimeter, block port 111
(the port mapper) and high numbered ports except for those
which are needed. Of particular importance are
rpc.cmsd, dmispd, and
kadmind, which are known to be exploitable
and should be disabled or blocked.
Where can I read more about this?
These vulnerabilities were reported in CERT Advisories
CA-2002-25 and
CA-2003-10.