From ciac@rumpole.llnl.gov Sat Jul 17 19:17:43 1999 From: CIAC Mail User To: ciac-bulletin@rumpole.llnl.gov Date: Fri, 16 Jul 1999 15:01:01 -0700 (PDT) Subject: CIAC Bulletin J-051: Calendar Manager Service Buffer Overflow Vulnerability [ For Public Release ] -----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Calendar Manager Service Buffer Overflow Vulnerability July 16, 1999 17:00 GMT Number J-051 ______________________________________________________________________________ PROBLEM: A buffer overflow vulnerability has been discovered in the Calendar Manager Service daemon, rpc.cmsd. PLATFORM: HP is vulnerable, patches are in process. SCO UnixWare 7 is potentially vulnerable. Sun Microsystems: SunOS 5.5.1, 5.5.1_x86, 5.5, 5.5_86, 5.4, 5.3, 4.1.4, 4.1.3_U1. CDE 1.3, 1.3_86, 1.2, 1.2_86, 1.0.2, 1.0.1. DAMAGE: If exploited, an attacker may gain root access. SOLUTION: Disable the rpc.cmsd daemon or apply available patches. ______________________________________________________________________________ VULNERABILITY Risk is high. This vulnerability is being actively exploited. ASSESSMENT: Patch your systems as soon as possible. ______________________________________________________________________________ [ Start CERT Advisory ] CERT Advisory CA-99-08-cmsd Originally released: July 16, 1999 Source: CERT/CC Systems Affected * Systems running the Calendar Manager Service daemon, often named rpc.cmsd I. Description A buffer overflow vulnerability has been discovered in the Calendar Manager Service daemon, rpc.cmsd. The rpc.cmsd daemon is frequently distributed with the Common Desktop Environment (CDE) and Open Windows. II. Impact Remote and local users can execute arbitrary code with the privileges of the rpc.cmsd daemon, typically root. Under some configurations rpc.cmsd runs with an effective userid of daemon, while retaining root privileges. This vulnerability is being exploited in a significant number of incidents reported to the CERT/CC. An exploit script was posted to BUGTRAQ. III. Solution Install a patch from your vendor Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly. We will update this advisory as more information becomes available. Please check the CERT/CC Web site for the most current revision. Disable the rpc.cmsd daemon If you are unable to apply patches to correct this vulnerability, you may wish to disable the rpc.cmsd daemon. If you disable rpc.cmsd, it may affect your ability to manage calendars. Appendix A: Vendor Information Hewlett-Packard Company HP is vulnerable, patches in process. IBM Corporation AIX is not vulnerable to the rpc.cmsd remote buffer overflow. IBM and AIX are registered trademarks of International Business Machines Corporation. Santa Cruz Operation, Inc. SCO is investigating this problem. The following SCO product contains CDE and is potentially vulnerable: + SCO UnixWare 7 The following SCO products do not contain CDE, and are therefore believed not to be vulnerable: + SCO UnixWare 2.1 + SCO OpenServer 5 + SCO Open Server 3.0 + SCO CMW+ SCO will provide further information and patches if necessary as soon as possible at http://www.sco.com/security. Silicon Graphics, Inc. IRIX does not have dtcm or rpc.cmsd and therefore is NOT vulnerable. UNICOS does not have dtcm or rpc.cmsd and therefore is NOT vulnerable. Sun Microsystems, Inc. The following patches are available: OpenWindows: SunOS version Patch ID _____________ _________ SunOS 5.5.1 104976-04 SunOS 5.5.1_x86 105124-03 SunOS 5.5 103251-09 SunOS 5.5_x86 103273-07 SunOS 5.3 101513-14 SunOS 4.1.4 100523-25 SunOS 4.1.3_U1 100523-25 CDE: CDE version Patch ID ___________ ________ 1.3 107022-03 1.3_x86 107023-03 1.2 105566-07 1.2_x86 105567-08 Patches for SunOS 5.4 and CDE 1.0.2 and 1.0.1 will be available within a week of the release of this advisory. Sun security patches are available at: http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-li cense&nav=pubpatches ______________________________________________________________________________ The CERT Coordination Center would like to thank Chok Poh of Sun Microsystems, David Brumley of Stanford University, and Elias Levy of Security Focus for their assistance in preparing this advisory. ______________________________________________________________________________ [ End CERT Advisory ] ______________________________________________________________________________ CIAC wishes to acknowledge CERT for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one of the following methods to contact CIAC: 1. Call the CIAC voice number 925-422-8193 and leave a message, or 2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or 3. Send e-mail to 4498369@skytel.com, or 4. Call 800-201-9288 for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) J-041: Cisco IOS(R) Software Input Access List Leakage with NAT J-042: Web Security J-043: Creating/Installing Warning Banners J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability J-045: Vulnerability in statd exposes vulnerability in automountd J-046: HP-UX VVOS NES Vulnerability J-047: The ExploreZip Worm J-048: Malformed HTR Request Vulnerability J-049: Windows NT, Two Denial-of-Service Vulnerabilities J-050: HP-UX Visualize Conference Vulnerability -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBN4+hpLnzJzdsy3QZAQG/sAQApxGgKoSBUifv5mXUShnCWVaQOK/VLvo3 QzlE9bOOBvsoQntQBCk+lHQDgit4kmn/jevl+uKZIO6MyXtJOwYYywG9knBIh1n+ d57UFl+CIKIqDtJWAkqUprptbZOjPez3JHBoXd+yzX28hPJIBz0z3qwvrA2uPUfM 8BhIT6KRvdA= =DUd1 -----END PGP SIGNATURE-----