sunrpc vulnerabilities

Updated 3/20/03
CVE-2002-0391
CAN-2003-0028

Impact

If an affected service is running, a remote attacker could execute arbitrary commands with root privileges.

Background

Sun's Remote Procedure Call package (known as RPC, or sunrpc) is used by a number of network services to communicate with programs on client hosts. It uses an encoding called External Data Representation (XDR) which allows RPC programs to exchange data in a format which is consistent across different platforms. RPC services usually run on dynamically assigned high numbered TCP or UDP ports, so there is also a port mapper service (portmap or rpcbind, on TCP and UDP port 111) which tells clients which port corresponds to each RPC service.

The Problem

There are two vulnerabilities in Sun's RPC implementation: an integer overflow in the xdr_array function and an integer overflow in the xdrmem_getbytes function. In xdr_array, the element count read from the network is multiplied by the element size to compute the buffer size; a large count makes the product wrap, so an undersized buffer is allocated and then overflowed as the elements are decoded. In xdrmem_getbytes, an overflow in the length check allows memory outside the XDR buffer to be accessed. A remote attacker could execute arbitrary code with the privileges of the affected service, typically root, by passing specially crafted input to a network service which uses either of these two functions.
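The following is an added model of the xdr_array size arithmetic, written for this page; it is not code from any libc. It reproduces the shape of the check in the same 32-bit unsigned types the real function uses (c is the element count read off the wire, elsize is fixed by the calling program, maxsize is the caller's bound on c, which many services set to UINT_MAX). The function names, the constructed count 0x20000001 and the simulated decode loop are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable shape: the only check is c > maxsize, and the allocation size is
 * c * elsize in 32-bit unsigned arithmetic, which wraps modulo 2^32. */
bool vuln_accepts(unsigned c, unsigned maxsize)
{
    return c <= maxsize;
}

unsigned vuln_nodesize(unsigned c, unsigned elsize)
{
    return c * elsize;              /* may wrap to a tiny value */
}

/* Hardened shape (the same condition the vendor fixes add): reject any count
 * whose product with elsize cannot be represented, before allocating. */
bool safe_accepts(unsigned c, unsigned elsize, unsigned maxsize)
{
    if (elsize == 0)                /* assumption: zero-byte elements are a caller bug */
        return false;
    return c <= maxsize && c <= UINT_MAX / elsize;
}

/* Bytes the element decode loop would write for c elements, computed in
 * 64 bits so it can be compared honestly against the wrapped allocation. */
uint64_t loop_bytes(unsigned c, unsigned elsize)
{
    return (uint64_t)c * elsize;
}

/* Simulated decode: returns how many bytes beyond the allocation the loop
 * would write, or 0 if everything fits. Nothing is actually written. */
uint64_t overflow_bytes(unsigned c, unsigned elsize)
{
    unsigned alloc = vuln_nodesize(c, elsize);
    uint64_t written = loop_bytes(c, elsize);
    return written > alloc ? written - alloc : 0;
}

int main(void)
{
    /* Constructed attacker input: 0x20000001 * 8 == 2^32 + 8, so the
     * vulnerable code allocates 8 bytes and then loops 0x20000001 times. */
    unsigned c = 0x20000001u, elsize = 8, maxsize = UINT_MAX;

    if (vuln_accepts(c, maxsize))
        printf("vulnerable: allocates %u bytes, loop writes %llu bytes "
               "(%llu past the end)\n",
               vuln_nodesize(c, elsize),
               (unsigned long long)loop_bytes(c, elsize),
               (unsigned long long)overflow_bytes(c, elsize));

    if (!safe_accepts(c, elsize, maxsize))
        printf("hardened:   count %#x rejected before any allocation\n", c);
    return 0;
}
```

The division check is the idiomatic way to test for unsigned multiplication overflow without a wider type; the maxsize check alone is worthless when the caller passes UINT_MAX, which is why the fix had to be made in the library rather than in each service.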

Sun's libnsl library, BSD-derived libc libraries, and the GNU C library (glibc) version 2.3.1 and earlier are affected by these vulnerabilities. Since xdr_array and xdrmem_getbytes live in these libraries rather than in any one RPC program, every RPC service linked against them could be affected. Any other software which uses the XDR routines, such as OpenAFS and MIT Kerberos 5, could be affected as well.

Resolution

See CERT Advisories CA-2002-25 and CA-2003-10 for patch or upgrade information from your vendor. Note that patching the shared library does not fix programs which were statically linked against the old one; those must be relinked or recompiled after the patch or upgrade is installed.

It would also be advisable to disable all unnecessary RPC services, which are typically enabled in /etc/inetd.conf and in the system boot scripts, /etc/rc*, and to block the port mapper (TCP and UDP port 111) and the high numbered ports at the network perimeter, except for those which are needed. Of particular importance are rpc.cmsd, dmispd, and kadmind, which are known to be exploitable and should be disabled or blocked. Disabling services reduces exposure but does not remove the vulnerable code from the library, so the patch is still required.

Where can I read more about this?

These vulnerabilities were reported in CERT Advisories CA-2002-25 and CA-2003-10.