Date: 30 March 2001
References: ESB-2001.132 ESB-2001.375
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2001.06 -- AUSCERT ALERT
CERT/CC Vulnerability Note VU#648304
Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow
30 March 2001
===========================================================================
AusCERT Alert Summary
---------------------
Impact: Root Compromise
Access Required: Remote
Summary:
AusCERT is issuing this external security bulletin as an AusCERT Alert to
emphasize the significance of the vulnerabilities listed. AusCERT acknowledges
and gives credit to CERT/CC for the production of the included Vulnerability
Note, which may be found at the canonical address:
http://www.kb.cert.org/vuls/id/648304
AusCERT has been in contact with Sun Microsystems on this issue and will
provide updates when more information is made available. At this stage
AusCERT advises that site administrators should follow the steps recommended
by CERT/CC in Vulnerability Note VU#648304.
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#648304
Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow
Overview
There is a buffer overflow in the snmpXdmi daemon, which may allow
intruders to gain root privileges on systems running the vulnerable daemon.
I. Description
The SNMP to DMI mapper daemon (snmpXdmi) translates Simple Network
Management Protocol (SNMP) events to Desktop Management Interface (DMI)
indications and vice versa. Both protocols serve a similar purpose and
the translation daemon allows users to manage devices using either
protocol. The snmpXdmi daemon registers itself with the snmpdx and dmid
daemons, translating and forwarding requests from one daemon to the other.
The snmpXdmi daemon, which is shipped with Solaris versions 2.6, 7 and 8,
is enabled by default.
The snmpXdmi daemon contains a buffer overflow in the code for translating
DMI indications to SNMP events. This buffer overflow is exploitable by
remote intruders to gain root privileges.
More information about this vulnerability can be found in the advisory
published by Job de Haas of ITSX:
http://www.itsx.com/snmpXdmid.html
II. Impact
A remote intruder who is able to send packets to the snmpXdmi daemon may
be able to gain root privileges on that system.
III. Solution
Apply a Patch
Apply a patch from Sun when it is available.
Disable snmpXdmi
For sites that do not use both SNMP and DMI, the translation daemon may
be disabled, eliminating the vulnerability.
Restrict Access to snmpXdmi and other RPC services
For sites that require the functionality of snmpXdmi or other RPC services,
local IP filtering rules that prevent hosts other than localhost from
connecting to the daemon may mitigate the risks associated with running
the daemon. Sun RPC services are advertised on port 111/{tcp,udp}. The
snmpXdmid RPC service id is 100249; use 'rpcinfo -p' to list local site
port bindings:
# rpcinfo -p | grep 100249
100249 1 udp 32785
100249 1 tcp 32786
Note that site-specific port binding will vary.
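As an added example (not part of the AusCERT alert or the CERT/CC note), the
following POSIX shell script checks an rpcinfo -p listing for RPC program
100249, reports whether snmpXdmid is still registered and on which ports, and
prints the localhost-only filtering rules those ports would need. The rpcinfo
sample inside the script is constructed for illustration, the port numbers are
site-specific, and the rule syntax is an assumed IP Filter (ipf) style that
must be adapted to whatever packet filter the host actually runs.

```shell
#!/bin/sh
# Added example, not part of the AusCERT alert or the CERT/CC note.
# Parses `rpcinfo -p` output for RPC program 100249 (snmpXdmid) so an
# administrator can confirm the daemon has been disabled, or see which
# ports a localhost-only filtering rule must cover. The rpcinfo sample
# below is constructed for illustration; port numbers vary per site.
# The generated rules use IP Filter (ipf) style syntax as an assumption;
# adapt them to whatever packet filter the host actually runs.

SNMPXDMID_PROG=100249

# Constructed sample of `rpcinfo -p` output: program vers proto port [service]
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100249    1   udp  32785
    100249    1   tcp  32786
    100024    1   udp  32772  status'

# snmpxdmid_ports TEXT: print "proto port" for every binding of program
# 100249 found in TEXT (one per line); prints nothing if it is not registered.
snmpxdmid_ports() {
    printf '%s\n' "$1" | awk -v prog="$SNMPXDMID_PROG" '$1 == prog { print $3, $4 }'
}

# snmpxdmid_status TEXT: "registered" if any binding exists, else "not-registered".
snmpxdmid_status() {
    if [ -n "$(snmpxdmid_ports "$1")" ]; then
        echo registered
    else
        echo not-registered
    fi
}

# localhost_only_rules TEXT: for each binding, emit a pair of rules that admit
# 127.0.0.1 and block every other source (ipf-style syntax, assumed).
localhost_only_rules() {
    snmpxdmid_ports "$1" | while read -r proto port; do
        printf 'pass in quick proto %s from 127.0.0.1 to any port = %s\n' "$proto" "$port"
        printf 'block in quick proto %s from any to any port = %s\n' "$proto" "$port"
    done
}

# report TEXT: human-readable summary of the checks above for one listing.
report() {
    status=$(snmpxdmid_status "$1")
    echo "snmpXdmid (program $SNMPXDMID_PROG): $status"
    if [ "$status" = registered ]; then
        echo "Bindings (proto port):"
        snmpxdmid_ports "$1" | sed 's/^/  /'
        echo "Suggested localhost-only rules:"
        localhost_only_rules "$1" | sed 's/^/  /'
        echo "Until the Sun patch is applied, disabling the daemon is the safer option."
    fi
}

# Run against the constructed sample; on a live Solaris host use:
#   report "$(rpcinfo -p)"
report "$SAMPLE_RPCINFO"
```

On a live host, replace the constructed sample with the real listing by
calling report "$(rpcinfo -p)". An empty binding list means the daemon is no
longer registered with rpcbind; a non-empty one means filtering (or disabling
the daemon) is still needed, and because the dynamic ports can change across
reboots the check should be re-run after the daemon is restarted.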
Systems Affected
Vendor   Status       Date Updated
Sun      Vulnerable   28-Mar-2001
References
http://www.itsx.com/snmpXdmid.html
http://www.securityfocus.com/bid/2417
http://www.securityfocus.com/archive/1/168936
http://www.sun.com/software/entagents/download/
http://www.sun.com/software/entagents/docs/UGhtml/snmp_with_dmi.doc.html
http://www.dmtf.org/spec/spec.html
http://www.dmtf.org/spec/snmp.html
Credit
Thanks to Job de Haas (job@itsx.com) of ITSX BV Amsterdam, The Netherlands
(http://www.itsx.com) for reporting this vulnerability to the CERT/CC.
This document was written by Cory F. Cohen.
Other Information
Date Public           03/15/2001
Date First Published  03/26/2001 09:49:01 AM
Date Last Updated     03/28/2001
CERT Advisory
CVE Name              CAN-2001-0236
Metric                14.06
Document Revision     15
If you have feedback, comments, or additional information about this
vulnerability, please send us email.
------------------------------------------------------------------------
Copyright 2000 Carnegie Mellon University
- --------------------------END INCLUDED TEXT--------------------
This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.
NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the alert above. If you have any questions or need further information,
please contact them directly.
Previous advisories, alerts and external security bulletins can be
retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOsSyPih9+71yA2DNAQEsFwP+KrFbwvLrtTflKX8Akh5csbfRWlASUqSj
b8RDorb9zOtZPrxQE7/R35P/XsxEB+vwT8F2B1a0ZgpRhbZT+8ImkEtj9Qra9QGC
jFdtCDX4LjZ7IHxh4iamYIoU8cf+nhNn8U/IT/8kWIwdby8N6JTspPBDyVLWkGrz
j3zFx8rBKa0=
=934V
-----END PGP SIGNATURE-----