Date: 29 April 2002
References: ESB-2002.213 ESB-2002.360
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-2002.01 AUSCERT Advisory
Sun Microsystems cachefsd Buffer Overflow Vulnerability
29 April 2002
Last Revised: --
- ---------------------------------------------------------------------------
AusCERT has received information that a vulnerability exists in the CacheFS
daemon (cachefsd) for Solaris 8, 7, 2.6 and 2.5.1 (SunOS 5.8, 5.7, 5.6
and 5.5.1).
This vulnerability may allow local or remote existing users to gain root
privileges. AusCERT has received reports of this vulnerability being
actively exploited.
AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
The Cache File System (CacheFS) is a general purpose file system
caching mechanism that improves NFS server performance and scalability
by reducing server and network load. Designed as a layered file system,
CacheFS provides the ability to cache one file system on another. In
an NFS environment, CacheFS increases the client per server ratio,
reduces server and network loads and improves performance for clients
on slow links, such as Point-to-Point Protocol (PPP).
A buffer overflow vulnerability exists in cachefsd which may be
exploited by malicious local or remote existing users to obtain root
access.
Sun Microsystems has provided the following details of vulnerable
versions of SunOS.
Vulnerable versions of SunOS are: 5.8, 5.8_x86,
5.7, 5.7_x86,
5.6, 5.6_x86,
5.5.1 and 5.5.1_x86.
Sites can determine if they are running one of the vulnerable versions
of SunOS by checking the contents of the /etc/release file.
Vendor patches are NOT available - refer to Section 3 for details.
This advisory is being released without containing patch information
as reports indicate that the vulnerability is being actively exploited.
2. Impact
This vulnerability may allow local or remote existing users to gain
root privileges.
3. Solution
Due to the unavailability of official vendor patches, AusCERT
recommends implementing a workaround solution such as blocking RPC
services at your firewall and/or disabling cachefsd.
AusCERT recommends that official vendor patches be installed when they
become available. Sun patches that address this vulnerability will
be made available at:
http://sunsolve.sun.com/securitypatch
Checksums for these patches, when released, will be available at:
ftp://sunsolve.sun.com/pub/patches/CHECKSUMS
4.0 Vendor Information
Sun plan to relase a security bulletin regarding this vulnerability
which should be publicly available at the following URL:
http://sunsolve.sun.com/security
- ---------------------------------------------------------------------------
AusCERT would like to acknowledge the assistance of the Sun Security
Coordination Team as well as Mark Dowd and Stephen James of IT Audit &
Consulting in producing this Advisory.
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBPM1boCh9+71yA2DNAQEViwP9GrFRJXTW1NQvdChZrCnYVx0LAbnCMSBj
SGCRBi2TH4TKfGFiGtvqaOrZ3fC0HcWlOeSKW1gZNd2g+x5DGX/I+Ju1wZMhEstc
OaZsoRe5pXkVWicZ3Pc56GPkSPjtAWDf377s9di0rMS5MnMuWK/3spF5SjrfwKqq
0tE8L2xbbOc=
=TfxM
-----END PGP SIGNATURE-----
|