CERT^® Advisory CA-2002-11 Heap Overflow in Cachefs Daemon (cachefsd)

A complete revision history can be found at the end of this file.

Systems Affected

Sun's NFS/RPC file system cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remotely exploitable vulnerability exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root. The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running cachefsd.

I. Description

May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:21 victim-host last message repeated 7 times
May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:59 victim-host last message repeated 1 time
May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:47:07 victim-host last message repeated 3 times
May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped

Sun Microsystems has released a Sun Alert Notification which addresses this issue as well as the issue described in VU#161931.

According to the Sun Alert Notification, failed attempts to exploit this vulnerability may leave a core dump file in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries.

This issue is also being referenced as CAN-2002-0033:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033

A remote attacker may be able to execute code with the privileges of the cachefsd process, typically root.

III. Solution

Appendix A contains information provided by vendors for this advisory.

If a patch is not available, disable cachefsd in inetd.conf until a patch can be applied.

If disabling the cachefsd is not an option, follow the suggested workaround in the Sun Alert Notification.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the Vulnerability Note (VU#635811) or contact your vendor directly.

Cray, Inc.

Cray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.

Fujitsu

UXP/V is not vulnerable, because it does not have Cachefs and similar functionalities.

Hewlett-Packard

HP-UX is not vulnerable because it does not use cachefsd.

IBM

IBM's AIX operating system, all versions, is not vulnerable.

Nortel Networks

Nortel Networks products and solutions using the affected Sun Solaris operating systems do not utilize the NFS/RPC file system cachefs daemon. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.; this will not impact these Nortel Networks products and solutions.

For more information please contact Nortel at:

North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009

Contacts for other regions are available at

www.nortelnetworks.com/help/contact/global/

SGI

SGI does not ship with SUN cachefsd, so IRIX is not vulnerable.

Sun

See the Sun Alert Notification available at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309.

The CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.

Feedback can be directed to the authors: Jason A. Rafail and Jeffrey S. Havrilla

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 2002 Carnegie Mellon University.

Revision History

May 06, 2002:  Initial release
May 06, 2002:  Corrected CVE number and links
May 07, 2002:  Added Hewlett-Packard vendor statement
May 07, 2002:  Corrected credit statement
May 09, 2002:  Corrected credit statement
May 09, 2002:  Corrected CVE number and links
May 09, 2002:  Removed AusCERT Advisory
May 13, 2002:  Added Cray vendor statement
May 13, 2002:  Added Nortel Networks vendor statement
May 14, 2002:  Added Fujitsu vendor statement