SunRPC xdr_array buffer overflow

sunrpc-xdr-array-bo (9170)

Risk level: High

Description:

A buffer overflow in the xdr_array filter primitive in all SunRPC (Sun Remote Procedure Call) implementations could allow a remote attacker to execute arbitrary code on the system. External Data Representation (XDR) primitives are routines that allow for uniform representation of basic or constructed data types, regardless of system architecture, by translating them to and from an external representation. The xdr_array filter primitive is used to translate variable-length arrays. By passing an overly large number of elements to xdr_array, a remote attacker could overflow a buffer and execute arbitrary code on the system with root privileges.
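The following is an added illustration, not code from the advisory or from any vendor's xdr_array: it models the size computation an XDR array decoder performs from the attacker-supplied element count and contrasts the wrapping multiplication with a checked version that rejects oversized counts before allocating. The element size, maximum count and sample values are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the size computation an XDR array decoder performs; added as an
 * illustration, not the advisory's or any vendor's xdr_array code. The XDR
 * wire form of a variable-length array begins with a 32-bit element count;
 * the decoder multiplies it by the element size to size the buffer it
 * allocates, then decodes the elements into it one by one. */

/* Vulnerable pattern: the unsigned multiplication wraps modulo 2^32, so a
 * huge remotely supplied count can yield a small allocation that the
 * per-element decode loop then writes past. */
unsigned int array_bytes_unchecked(unsigned int count, unsigned int elsize)
{
    return count * elsize;
}

/* Hardened pattern: refuse counts above the caller's maximum, or counts
 * that would overflow the multiplication, before any allocation happens.
 * Returns the byte size, or 0 when the count is rejected (a real decoder
 * would return FALSE and abort the decode). */
unsigned int array_bytes_checked(unsigned int count, unsigned int maxsize,
                                 unsigned int elsize)
{
    if (elsize == 0 || count > maxsize || count > UINT_MAX / elsize)
        return 0;
    return count * elsize;
}

/* True when the unchecked computation wrapped to fewer bytes than there
 * are elements and the checked version correctly rejects the count. */
bool unchecked_underallocates(unsigned int count, unsigned int elsize)
{
    unsigned int wrapped = array_bytes_unchecked(count, elsize);
    unsigned int checked = array_bytes_checked(count, UINT_MAX, elsize);
    return count != 0 && checked == 0 && wrapped < count;
}

int main(void)
{
    /* Constructed sample values: 4-byte elements, a sane count and one
     * whose 32-bit product wraps. */
    unsigned int sane = 10u, huge = 0x40000001u;
    printf("count=%u -> unchecked %u bytes, checked %u bytes\n", sane,
           array_bytes_unchecked(sane, 4u), array_bytes_checked(sane, 1000u, 4u));
    printf("count=%u -> unchecked %u bytes, rejected=%d\n", huge,
           array_bytes_unchecked(huge, 4u), unchecked_underallocates(huge, 4u));
    return 0;
}
```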

Platforms Affected:

  • Compaq, Tru64 4.0f
  • Compaq, Tru64 4.0g
  • Compaq, Tru64 5.0a
  • Compaq, Tru64 5.1
  • Compaq, Tru64 5.1a
  • Conectiva, Linux 8.0
  • Debian, Debian Linux 2.2
  • Debian, Debian Linux 3.0
  • EngardeLinux, Secure Linux
  • FreeBSD, FreeBSD Ports Collection
  • Gentoo, Linux
  • HP, HP-UX 10.20
  • HP, HP-UX 10.24
  • HP, HP-UX 11.00
  • HP, HP-UX 11.04
  • HP, HP-UX 11.11
  • HP, HP-UX 11.22
  • MandrakeSoft, Mandrake Linux 7.1
  • MandrakeSoft, Mandrake Linux 7.2
  • MandrakeSoft, Mandrake Linux 8.0 PPC
  • MandrakeSoft, Mandrake Linux 8.0
  • MandrakeSoft, Mandrake Linux 8.1 IA64
  • MandrakeSoft, Mandrake Linux 8.1
  • MandrakeSoft, Mandrake Linux 8.2
  • MandrakeSoft, Mandrake Linux 8.2 PPC
  • MandrakeSoft, Mandrake Linux Corporate Server 1.0.1
  • Microsoft, Windows Services for UNIX 3.0
  • MIT, Kerberos
  • NetBSD, NetBSD 1.4
  • NetBSD, NetBSD 1.4.1
  • NetBSD, NetBSD 1.4.2
  • NetBSD, NetBSD 1.4.3
  • NetBSD, NetBSD 1.5
  • NetBSD, NetBSD 1.5.1
  • NetBSD, NetBSD 1.5.2
  • NetBSD, NetBSD 1.5.3
  • NetBSD, NetBSD 1.6 beta
  • NetBSD, NetBSD CURRENT
  • OpenAFS, OpenAFS 1.0 - 1.2.5
  • OpenAFS, OpenAFS 1.3.0 - 1.3.2
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Linux 6.2
  • RedHat, Linux 7
  • RedHat, Linux 7.1
  • RedHat, Linux 7.1 for iSeries
  • RedHat, Linux 7.1 for pSeries
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3
  • SCO, Caldera OpenLinux Server 3.1
  • SCO, Caldera OpenLinux Server 3.1.1
  • SCO, Caldera OpenLinux Workstation 3.1
  • SCO, Caldera OpenLinux Workstation 3.1.1
  • Sun, Solaris 2.5.1
  • Sun, Solaris 2.6
  • Sun, Solaris 7.0
  • Sun, Solaris 8
  • Sun, Solaris 9
  • SuSE, SuSE eMail Server III
  • SuSE, SuSE Linux 7.0
  • SuSE, SuSE Linux 7.1
  • SuSE, SuSE Linux 7.2
  • SuSE, SuSE Linux 7.3
  • SuSE, SuSE Linux 8.0
  • SuSE, SuSE Linux Connectivity Server
  • SuSE, SuSE Linux Database Server
  • SuSE, SuSE Linux Enterprise Server
  • SuSE, SuSE Linux Firewall
  • SuSE, SuSE Linux Office Server

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
SunrpcXdrArrayBo
sunrpc-xdr-array-bo

For Virtual Patch:

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 111. Note: an exploit in the wild would most likely use portmapper referencing; however, port guessing is possible.

For Manual Protection:

Apply the appropriate patch for this vulnerability, as listed in Sun Alert ID: 46122. See References.

For FreeBSD 4.4 through 4.6:
Apply the appropriate patch, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-02:34.rpc. See References.

For OpenBSD 3.1:
Apply the appropriate patch, as listed in OpenBSD 3.1 errata, 012: SECURITY FIX: July 29, 2002. See References.

For NetBSD:
Apply the appropriate patch, as listed in NetBSD Security Advisory 2002-011. See References.

For Mac OS X:
Apply Security Update 2002-08-02. See References.

For Debian GNU/Linux 3.0:
Upgrade to the latest krb5 package (1.2.4-5woody1 or later), as listed in DSA-143-1. See References.

For Debian GNU/Linux 3.0 running OpenAFS:
Upgrade to the latest OpenAFS package (1.2.3final2-6 or later), as listed in DSA-142-1. See References.

For OpenAFS:
Upgrade to the latest stable release of OpenAFS (1.2.6 or later), or apply the patch for this vulnerability, as listed in OpenAFS Security Advisory 2002-001. See References.

For Debian GNU/Linux 2.2 containing libc6 and glibc packages:
Upgrade to the latest libc6 package (2.1.3-23 or later) and glibc package (2.1.3-23 or later), as listed in DSA-149-2. See References.

For Debian GNU/Linux 3.0 containing libc6 and glibc packages:
Upgrade to the latest libc6 package (2.2.5-11.2 or later) and glibc package (2.2.5-11.2 or later), as listed in DSA-149-2. See References.

For Debian GNU/Linux 3.0 containing libc6 packages:
Upgrade to the latest dietlibc package (2.2.5-11.1 or later), as listed in DSA-149-1. See References.

For Red Hat Linux:
Upgrade to the latest glibc package, as listed below. Refer to RHSA-2002:166-07 for more information. See References.

Red Hat 6.2: 2.1.3-26 or later
Red Hat 7.0: 2.2.4-18.7.0.6 or later
Red Hat 7.1 and 7.2: 2.2.4-29 or later
Red Hat 7.3: 2.2.5-39 or later

For Red Hat Linux containing the krb5 packages:
Upgrade to the latest krb5 package, as listed below. Refer to RHSA-2002:173 for more information. See References.

Red Hat 6.2: 1.1.1-29 or later
Red Hat 7.0 and 7.2: 1.2.2-14 or later
Red Hat 7.1 and 7.2: 1.2.2-14 or later
Red Hat 7.3: 1.2.4-2 or later

For Trustix Secure Linux:
Upgrade to the latest glibc package, as listed below. Refer to Trustix Secure Linux Security Advisory #2002-0067 for more information. See References.

For HP Tru64 UNIX:
Apply the appropriate patch for your system, as listed in Compaq SECURITY BULLETIN SRB0039W. See References.

For FreeBSD Ports Collection:
Upgrade to the latest ports collection, as listed in FreeBSD Security Notice FreeBSD-SN-02:05. See References.

For SuSE Linux:
Upgrade to the latest glibc package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:031 for more information. See References.

SuSE Linux 7.2 (Intel): 2.2.5-123 or later
SuSE Linux 7.3 (Intel): 2.2.4-75 or later
SuSE Linux 7.3 (SPARC): 2.2.4-43 or later
SuSE Linux 7.3 (PPC): 2.2.4-63 or later
SuSE Linux 8.0 (Intel): 2.2.5-123 or later

For Mandrake Linux:
Upgrade to the latest krb5 package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:057 : krb5 for more information. See References.

Mandrake Linux 8.1, 8.1 (IA64) and 8.2: 1.2.2-17.1 or later

For Gentoo Linux containing the glibc packages:
Upgrade from version sys-libs/glibc-2.2.5-r5 and earlier, as listed in Gentoo Linux Security Announcement 2002-09-05 11:00 UTC. See References.

For Gentoo Linux containing the glibc packages:
Upgrade from version sys-libs/glibc-2.2.5-r6 and earlier, as listed in Gentoo Linux Security Announcement 2002-09-27 10:00 UTC. See References.

For Microsoft Services for Unix 3.0 running Interix SDK:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS02-057. See References.

For EnGarde Secure Linux Community Edition:
Upgrade to the latest version of glibc (2.1.3-1.0.6 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20021003-021. See References.

For Conectiva Linux 8.0:
Upgrade to the latest krb5 package (1.2.3-3U8_2cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:515. See References.

For Caldera OpenLinux 3.1 and 3.1.1 (Workstation and Server):
Upgrade to the latest glibc package (2.2.4-25 or later), as listed in SCO Security Advisory CSSA-2002-055.0. See References.

For HP-UX:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0209-215. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

As a workaround, system administrators should disable all RPC services that are not explicitly required.

Consequences:

Gain Access

References:

Reported:

Jul 31, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net