SunRPC xdr_array buffer overflow
sunrpc-xdr-array-bo (9170)
Description:
A buffer overflow in the xdr_array filter primitive in all SunRPC (Sun Remote Procedure Call) implementations could allow a remote attacker to execute arbitrary code on the system. External Data Representation (XDR) primitives are routines that allow a uniform representation of basic or constructed data types, regardless of system architecture, by translating them to and from an external representation. The xdr_array filter primitive is used to translate variable-length arrays. By passing an overly large number of elements to xdr_array, a remote attacker could overflow a buffer and execute arbitrary code on the system with root privileges.
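The defect class behind this entry, as an added illustration that is not code from the advisory or from any vendor's libc: a model of the decoder's buffer-size computation (element count times element size), with the unchecked form that wraps in 32-bit arithmetic beside a checked form in the spirit of the vendor fixes. The function names and the demo count are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model, not the SunRPC or glibc source: an XDR array is
 * encoded as a 32-bit element count followed by the elements, and the
 * decoder sizes its buffer as count * elsize. */

/* Unchecked form: the product wraps modulo 2^32, so a remotely supplied
 * count can yield a tiny allocation that the per-element decode loop
 * then writes past. Returns the size the decoder would allocate. */
uint32_t xdr_array_bytes_unchecked(uint32_t count, uint32_t elsize)
{
    return count * elsize;            /* no overflow check */
}

/* Checked form: refuse counts above the caller's maximum and any count
 * whose product would not fit in 32 bits. Stores the byte size in *out
 * and returns true only when allocating that size is safe. */
bool xdr_array_bytes_checked(uint32_t count, uint32_t maxsize,
                             uint32_t elsize, uint32_t *out)
{
    if (elsize == 0 || count > maxsize)
        return false;
    if (count > UINT32_MAX / elsize)  /* count * elsize would wrap */
        return false;
    *out = count * elsize;
    return true;
}

/* Wrapper for callers and tests: byte size, or -1 if the input is rejected. */
int64_t xdr_array_bytes_or_fail(uint32_t count, uint32_t maxsize,
                                uint32_t elsize)
{
    uint32_t n;
    return xdr_array_bytes_checked(count, maxsize, elsize, &n) ? (int64_t)n : -1;
}

/* Constructed demo input: 0x10000001 * 16 == 2^32 + 16, which wraps to 16. */
#define DEMO_ELSIZE 16u
#define DEMO_COUNT  0x10000001u

int main(void)
{
    printf("unchecked: count=%u elsize=%u -> %u bytes\n", DEMO_COUNT,
           DEMO_ELSIZE, xdr_array_bytes_unchecked(DEMO_COUNT, DEMO_ELSIZE));
    printf("checked:   %lld\n",
           (long long)xdr_array_bytes_or_fail(DEMO_COUNT, 1024u, DEMO_ELSIZE));
    return 0;
}
```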
Consequences:
Gain Access
Remedy:
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
SunrpcXdrArrayBo
sunrpc-xdr-array-bo
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 111 - Note: An exploit in the wild would most likely locate the service through the portmapper; however, port guessing is possible.
For Manual Protection:
Apply the appropriate patch for this vulnerability, as listed in Sun Alert ID: 46122. See References.
For FreeBSD 4.4 through 4.6:
Apply the appropriate patch, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-02:34.rpc. See References.
For OpenBSD 3.1:
Apply the appropriate patch, as listed in OpenBSD 3.1 errata, 012: SECURITY FIX: July 29, 2002. See References.
For NetBSD:
Apply the appropriate patch, as listed in NetBSD Security Advisory 2002-011. See References.
For Mac OS X:
Apply Security Update 2002-08-02. See References.
For Debian GNU/Linux 3.0:
Upgrade to the latest krb5 package (1.2.4-5woody1 or later), as listed in DSA-143-1. See References.
For Debian GNU/Linux 3.0 running OpenAFS:
Upgrade to the latest OpenAFS package (1.2.3final2-6 or later), as listed in DSA-142-1. See References.
For OpenAFS:
Upgrade to the latest stable release of OpenAFS (1.2.6 or later), or apply the patch for this vulnerability, as listed in OpenAFS Security Advisory 2002-001. See References.
For Debian GNU/Linux 2.2 containing libc6 and glibc packages:
Upgrade to the latest libc6 package (2.1.3-23 or later) and glibc package (2.1.3-23 or later), as listed in DSA-149-2. See References.
For Debian GNU/Linux 3.0 containing libc6 and glibc packages:
Upgrade to the latest libc6 package (2.2.5-11.2 or later) and glibc package (2.2.5-11.2 or later), as listed in DSA-149-2. See References.
For Debian GNU/Linux 3.0 containing libc6 packages:
Upgrade to the latest dietlibc package (2.2.5-11.1 or later), as listed in DSA-149-1. See References.
For Red Hat Linux:
Upgrade to the latest glibc package, as listed below. Refer to RHSA-2002:166-07 for more information. See References.
Red Hat 6.2: 2.1.3-26 or later
Red Hat 7.0: 2.2.4-18.7.0.6 or later
Red Hat 7.1 and 7.2: 2.2.4-29 or later
Red Hat 7.3: 2.2.5-39 or later
For Red Hat Linux containing the krb5 packages:
Upgrade to the latest krb5 package, as listed below. Refer to RHSA-2002:173 for more information. See References.
Red Hat 6.2: 1.1.1-29 or later
Red Hat 7.0 and 7.2: 1.2.2-14 or later
Red Hat 7.1 and 7.2: 1.2.2-14 or later
Red Hat 7.3: 1.2.4-2 or later
For Trustix Secure Linux:
Upgrade to the latest glibc package. Refer to Trustix Secure Linux Security Advisory #2002-0067 for more information. See References.
For HP Tru64 UNIX:
Apply the appropriate patch for your system, as listed in Compaq SECURITY BULLETIN SRB0039W. See References.
For FreeBSD Ports Collection:
Upgrade to the latest ports collection, as listed in FreeBSD Security Notice FreeBSD-SN-02:05. See References.
For SuSE Linux:
Upgrade to the latest glibc package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:031 for more information. See References.
SuSE Linux 7.2 (Intel): 2.2.5-123 or later
SuSE Linux 7.3 (Intel): 2.2.4-75 or later
SuSE Linux 7.3 (SPARC): 2.2.4-43 or later
SuSE Linux 7.3 (PPC): 2.2.4-63 or later
SuSE Linux 8.0 (Intel): 2.2.5-123 or later
For Mandrake Linux:
Upgrade to the latest krb5 package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:057 : krb5 for more information. See References.
Mandrake Linux 8.1, 8.1 (IA64) and 8.2: 1.2.2-17.1 or later
For Gentoo Linux containing the glibc packages:
Upgrade from versions sys-libs/glibc-2.2.5-r5 and earlier, as listed in Gentoo Linux Security Announcement 2002-09-05 11:00 UTC. See References.
For Gentoo Linux containing the glibc packages:
Upgrade from versions sys-libs/glibc-2.2.5-r6 and earlier, as listed in Gentoo Linux Security Announcement 2002-09-27 10:00 UTC. See References.
For Microsoft Services for Unix 3.0 running Interix SDK:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS02-057. See References.
For EnGarde Secure Linux Community Edition:
Upgrade to the latest version of glibc (2.1.3-1.0.6 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20021003-021. See References.
For Conectiva Linux 8.0:
Upgrade to the latest krb5 package (1.2.3-3U8_2cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:515. See References.
For Caldera OpenLinux 3.1 and 3.1.1 (Workstation and Server):
Upgrade to the latest glibc package (2.2.4-25 or later), as listed in SCO Security Advisory CSSA-2002-055.0. See References.
For HP-UX:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0209-215. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
As a workaround, system administrators should disable all RPC services that are not explicitly required.
References:
- Apple Computer, Inc. Product Security Incident Response: Security Update 2002-08-02. (Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder. Details are available via: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823)
- CERT Advisory CA-2002-25: Integer Overflow In XDR Library.
- CIAC Information Bulletin M-111: Integer Overflow in External Data Representation (XDR) Library.
- Compaq SECURITY BULLETIN SRB0039W: HP Tru64 UNIX - Potential Buffer Overflows & SSRT2229 Potential Denial of Service.
- Conectiva Linux Announcement CLSA-2002:515: krb5 -- Integer overflow in Kerberos' remote administration service.
- EnGarde Secure Linux Security Advisory ESA-20021003-021: several security-related updates.
- FreeBSD Security Advisory FreeBSD-SA-02:34.rpc: Sun RPC XDR decoder contains buffer overflow.
- FreeBSD Security Notice FreeBSD-SN-02:05 : security issues in ports.
- Gentoo Linux Security Announcement 2002-09-05 11:00 UTC: integer overflow.
- Gentoo Linux Security Announcement 2002-09-27 10:00 UTC: glibc.
- Gentoo Linux Security Announcement 2002-09-27 10:00 UTC: dietlibc.
- Internet Security Systems Security Advisory, July 31, 2002: Remote Buffer Overflow Vulnerability in Sun RPC.
- Microsoft Security Bulletin MS02-057: Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution (Q329209).
- MIT krb5 Security Advisory 2002-001: Remote root vulnerability in MIT krb5 admin system.
- NetBSD Security Advisory 2002-011: Sun RPC XDR decoder contains buffer overflow.
- OpenAFS Security Advisory 2002-001: Remote root vulnerability in OpenAFS servers.
- OpenBSD 3.1 errata: 012: SECURITY FIX: July 29, 2002.
- SCO Security Advisory CSSA-2002-055.0: Linux: RPC XDR buffer overflow.
- SGI Security Advisory 20020801-01-A: Sun RPC xdr_array vulnerability.
- Sun Alert ID: 46122: Security Vulnerability in the Network Services Library, libnsl(3LIB).
- Sun Microsystems Web site: SunSolve Online.
- Trustix Secure Linux Security Advisory #2002-0067: glibc.
- BID-5356: Multiple Vendor Sun RPC xdr_array Buffer Overflow Vulnerability
- CVE-2002-0391: Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
- DSA-142: openafs -- integer overflow
- DSA-143: krb5 -- integer overflow
- DSA-146: dietlibc -- integer overflow
- DSA-149: glibc -- integer overflow
- DSA-333: acm -- integer overflow
- MDKSA-2002:056: Local root vulnerability in linuxconf
- MDKSA-2002:057: Updated krb5 packages fix remote root vulnerability
- MDKSA-2002:061: Updated glibc packages fix Sun RPC vulnerability
- RHSA-2002-166: Updated glibc packages fix vulnerabilities in RPC XDR decoder
- RHSA-2002-167: glibc security update
- RHSA-2002-172: Updated krb5 packages fix remote buffer overflow
- RHSA-2002-173: krb5 security update
- RHSA-2003-168: Updated kerberos packages fix various vulnerabilities
- RHSA-2003-212: Updated glibc packages fix vulnerabilities
- US-CERT VU#192995: Integer overflow in xdr_array() function when deserializing the XDR stream
Platforms Affected:
- Compaq Tru64 4.0f
- Compaq Tru64 4.0g
- Compaq Tru64 5.0a
- Compaq Tru64 5.1
- Compaq Tru64 5.1a
- Conectiva Linux 8.0
- Debian Debian Linux 2.2
- Debian Debian Linux 3.0
- EngardeLinux Secure Linux
- FreeBSD FreeBSD Ports Collection
- Gentoo Linux
- HP HP-UX 10.20
- HP HP-UX 10.24
- HP HP-UX 11.00
- HP HP-UX 11.04
- HP HP-UX 11.11
- HP HP-UX 11.22
- MandrakeSoft Mandrake Linux 7.1
- MandrakeSoft Mandrake Linux 7.2
- MandrakeSoft Mandrake Linux 8.0 PPC
- MandrakeSoft Mandrake Linux 8.0
- MandrakeSoft Mandrake Linux 8.1 IA64
- MandrakeSoft Mandrake Linux 8.1
- MandrakeSoft Mandrake Linux 8.2
- MandrakeSoft Mandrake Linux 8.2 PPC
- MandrakeSoft Mandrake Linux Corporate Server 1.0.1
- Microsoft Windows Services for UNIX 3.0
- MIT Kerberos
- NetBSD NetBSD 1.4
- NetBSD NetBSD 1.4.1
- NetBSD NetBSD 1.4.2
- NetBSD NetBSD 1.4.3
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5.2
- NetBSD NetBSD 1.5.3
- NetBSD NetBSD 1.6 beta
- NetBSD NetBSD CURRENT
- Novell SuSE Linux Enterprise Server
- OpenAFS OpenAFS 1.0 - 1.2.5
- OpenAFS OpenAFS 1.3.0 - 1.3.2
- RedHat Enterprise Linux 2.1 AS
- RedHat Linux 6.2
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.1 for iSeries
- RedHat Linux 7.1 for pSeries
- RedHat Linux 7.2
- RedHat Linux 7.3
- SCO Caldera OpenLinux Server 3.1
- SCO Caldera OpenLinux Server 3.1.1
- SCO Caldera OpenLinux Workstation 3.1
- SCO Caldera OpenLinux Workstation 3.1.1
- Sun Solaris 2.5.1
- Sun Solaris 2.6
- Sun Solaris 7.0
- Sun Solaris 8
- Sun Solaris 9
- SuSE SuSE eMail Server III
- SUSE SuSE Linux 7.0
- SUSE SuSE Linux 7.1
- SUSE SuSE Linux 7.2
- SUSE SuSE Linux 7.3
- SUSE SuSE Linux 8.0
- SuSE SuSE Linux Connectivity Server
- SuSE SuSE Linux Database Server
- SuSE SuSE Linux Firewall
- SuSE SuSE Linux Office Server
Reported:
Jul 31, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
