III. Solution
Apply a patch
Appendix A contains information provided by
vendors for this advisory.
If a patch is not available, disable the rwall daemon (rpc.rwalld) in
inetd.conf until a patch can be applied.
If disabling the rwall daemon is not an option, implement a firewall to
limit access to rpc.rwalld (typically port 32777/UDP). Note that this will
not mitigate all vectors of attack.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, please check the Vulnerability Note
(VU#638099) or contact your vendor directly.
Mac OS X does not contain rwall, and is not susceptible to the
vulnerability described.
BSD/OS does not include an affected daemon in any version.
Compaq Tru64 is NOT vulnerable to this reported problem.
Cray, Inc. is not vulnerable since the affected code is not included in
the rwalld implementation used in Unicos and Unicos/mk.
FreeBSD is not vulnerable to this problem.
HP is not vulnerable.
IBM's AIX operating system, versions 4.3.x and 5.1L, is not susceptible
to the vulnerability described.
sent on May 15, 2002
[Server Products]
EWS/UP 48 Series
- is NOT vulnerable.
NetBSD has never been vulnerable to this problem.
Sun confirms that there is a format string vulnerability in
rpc.rwalld(1M) which affects Solaris 2.5.1, 2.6, 7 and 8. However, this
issue relies on a combination of events, including the exhaustion of
system resources, which are difficult to control by a remote user in order
to be exploited. Disabling rpc.rwalld(1M) in inetd.conf(4) is the
recommended workaround until patches are available.
Sun is currently generating patches for this issue and will be
releasing a Sun Security Bulletin once the patches are available. The
bulletin will be available from:
http://sunsolve.sun.com/security
Sun patches are available from:
http://sunsolve.sun.com/securitypatch
The CERT Coordination Center acknowledges "GOBBLES" as the
discoverer of this vulnerability and thanks Sun Microsystems for
their technical information.
Feedback can be directed to the author: Jason
A. Rafail
This document is available from:
http://www.cert.org/advisories/CA-2002-10.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
-
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.
