From owner-csa@sprocket.nosc.MIL Sat Feb 27 14:42:57 1999
From: owner-csa@sprocket.nosc.MIL
To: CSA-List@sprocket.nosc.MIL
Date: Thu, 28 Jan 1999 08:00:58 -0500
Subject: IAVA 1999-0001 Mountd Remote Buffer Overflow Vulnerability

Automated Systems Security Incident Support Team (ASSIST)
Advisory 1999-0001
Release date: 8 Jan 1999

TOPIC: Mountd Remote Buffer Overflow Vulnerability

PLATFORM: NFS servers running certain implementations of mountd, primarily Linux systems. On some systems, the vulnerable NFS server is enabled by default. This vulnerability can be exploited even if the NFS server does not share any file systems.

IMPACT: Intruders who exploit the vulnerability are able to gain administrative access to the vulnerable NFS file server. That is, they can do anything the system administrator can do. This vulnerability can be exploited remotely and does not require an account on the target machine.

SOLUTION: Install the appropriate patch from your vendor. Alternatives to patches are also listed in the attached bulletin.

ASSIST has/has not tested and verifies that the Internet Security System (ISS) assessment tool checks for this vulnerability and can be used to verify compliance with this bulletin. However, this does not imply that other methods or tools could not be used to conduct these same tests. There are a number of existing system administration procedures and utilities that can be used to verify if the system is vulnerable to this type of attack.

System and network administrators must ensure that the identified changes are implemented correctly and update configuration management documents to reflect the appropriate changes.

=======================FORWARDED TEXT STARTS HERE============================

CERT* Advisory CA-98.12

Original issue date: October 12, 1998
Last Revised: November 9, 1998
Added vendor information for IBM Corporation and Silicon Graphics Inc.
Updated information for Data General.
A complete revision history is at the end of this file.

Topic: Remotely Exploitable Buffer Overflow Vulnerability in mountd

Affected systems:
NFS servers running certain implementations of mountd, primarily Linux systems. On some systems, the vulnerable NFS server is enabled by default. This vulnerability can be exploited even if the NFS server does not share any file systems.

See Appendix A for information from vendors. If your vendor's name does not appear, we did not hear from that vendor.

Overview:
NFS is a distributed file system in which clients make use of file systems provided by servers. There is a vulnerability in some implementations of the software that NFS servers use to log requests to use file systems.

When a client makes a request to use a file system and subsequently makes that file system available as a local resource, the client is said to "mount" the file system. The vulnerability lies in the software on the NFS server that handles requests to mount file systems. This software is usually called "mountd" or "rpc.mountd."

Intruders who exploit the vulnerability are able to gain administrative access to the vulnerable NFS file server. That is, they can do anything the system administrator can do. This vulnerability can be exploited remotely and does not require an account on the target machine.

On some vulnerable systems, the mountd software is installed and enabled by default. See Appendix A for more information.

We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.

I. Description

NFS is used to share files among different computers over the network using a client/server paradigm. When an NFS client computer wishes to access files on an NFS server, the client must first make a request to mount the file system.
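The Overview places the flaw in the server code that logs mount requests. The following constructed C illustration (added here; it is not the mountd source, and the buffer size, function names and log format are assumptions) shows the bug class beside its bounded replacement: formatting a client-supplied path into a fixed-size log buffer without a length bound versus with one, plus a helper a reviewer can use to measure whether a given request would exceed the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical illustration of the bug class in this advisory:
 * a mount daemon formatting a client-supplied path into a fixed-size log
 * buffer. This is NOT the mountd source; names and sizes are assumptions. */

#define LOGBUF_SIZE 64   /* assumed fixed-size log line buffer */

/* Vulnerable pattern: sprintf() has no bound, so a path longer than the
 * remaining space overwrites whatever follows the buffer. Shown for contrast
 * only; it is never called with untrusted input in this example. */
void log_mount_unbounded(char *buf, const char *client, const char *path)
{
    sprintf(buf, "mount request from %s for %s", client, path);
}

/* Hardened form: snprintf() with the real buffer size. Returns 0 when the
 * whole line fit, 1 when it was truncated (buffer is still NUL-terminated),
 * -1 on a formatting error. The caller can then record the truncation. */
int log_mount_bounded(char *buf, size_t buflen,
                      const char *client, const char *path)
{
    int n = snprintf(buf, buflen, "mount request from %s for %s", client, path);
    if (n < 0)
        return -1;
    if ((size_t)n >= buflen)
        return 1;
    return 0;
}

/* Review helper: would this request overflow a LOGBUF_SIZE buffer under the
 * unbounded pattern? snprintf(NULL, 0, ...) measures the formatted length
 * without writing anything. Returns 1 if it would overflow, else 0. */
int would_overflow(const char *client, const char *path)
{
    int n = snprintf(NULL, 0, "mount request from %s for %s", client, path);
    return (n < 0 || (size_t)n >= LOGBUF_SIZE) ? 1 : 0;
}
```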
There is a vulnerability in some implementations of the software that handles NFS mount requests (the mountd program). Specifically, it is possible for an intruder to overflow a buffer in the area of code responsible for logging NFS activity.

We have received reports indicating that intruders are actively using this vulnerability to compromise systems and are engaging in large-scale scans to locate vulnerable systems.

On some systems, the vulnerable NFS server is enabled by default. See the vendor information in Appendix A.

II. Impact

After causing a buffer overflow, a remote intruder can use the resulting condition to execute arbitrary code with root privileges.

III. Solution

A. Install a patch from your vendor.

Appendix A contains input from vendors who have provided information for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

B. Until you install a patch, use the following workaround.

Consider disabling NFS until you are able to install the patch. In particular, since some systems have vulnerable versions of mountd installed and enabled by default, we recommend you disable mountd on those systems unless you are actively using those systems as NFS servers.

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)

BSDI systems are not vulnerable to this attack.

Caldera

Caldera provided a fixed version as nfs-server-2.2beta35-2 on Aug 28.
It is available from ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/013

10fdb82ed8fd1b88c73fd962d8980bb4 RPMS/nfs-server-2.2beta35-2.i386.rpm
59e275b1ed6b98a39a38406f0415a226 RPMS/nfs-server-clients-2.2beta35-2.i386.rpm
6b075faf1d424e099c6932d95e76fd6b SRPMS/nfs-server-2.2beta35-2.src.rpm

Compaq Computer Corporation

SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer Corporation. All rights reserved.
SOURCE: Compaq Computer Corporation, Compaq Services, Software Security Response Team, USA
x-ref: SSRT0574U mountd

This reported problem is not present in Compaq's Digital ULTRIX or Compaq's Digital UNIX Operating System software as shipped.
- Compaq Computer Corporation

Data General Corporation

DG/UX is not vulnerable to this problem.

FreeBSD, Inc.

FreeBSD 2.2.6 and above seem not to be vulnerable to this exploit.

Fujitsu Limited

Fujitsu's UXP/V operating system is not vulnerable.

Hewlett-Packard Company

Not vulnerable.

IBM Corporation

The version of rpc.mountd shipped with AIX is not vulnerable.

IBM and AIX are registered trademarks of International Business Machines Corporation.

NCR

NCR is not vulnerable. We do not do any of the specified logging, nor do we have mountd (or normally anything else) hanging on port 635.

The NetBSD Project

NetBSD is not vulnerable to this attack in any configuration. Neither the NFS server nor the mount daemon is enabled by default.

The OpenBSD Project

OpenBSD is not affected.

Red Hat Software, Inc.

All versions of Red Hat Linux are vulnerable, and we have provided fixed packages for all our users. Updated nfs-server packages are available from our site at http://www.redhat.com/support/docs/errata.html

The Santa Cruz Operation, Inc.

No SCO platforms are vulnerable.

Silicon Graphics Inc.

Please refer to Silicon Graphics Inc. Security Advisory, "mountd Buffer Overflow Vulnerability", Number: 19981006-01-I, distributed October 26, 1998, for additional information about this vulnerability.
Silicon Graphics provides a comprehensive customer World Wide Web site. This site is located at http://www.sgi.com/Support/security/security.html

Sun Microsystems, Inc.

Sun's mountd is not affected.

Contributors

Our thanks to Olaf Kirch and Wolfgang Ley for their input and assistance in constructing this advisory.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency (DISA), Global Operations and Security Center (GOSC), which provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security issues can contact ASSIST using one of the methods listed below.

___________________________
ASSIST CONTACT INFORMATION:

NIPRNET E-mail: assist@assist.mil
SIPRNET E-mail: assist@assist.disa.smil.mil
Phone: (800)-357-4231 (DSN 327-4700) 24 hour hotline
Fax: (703) 607-4735 (DSN 327-4735)

Unclassified ASSIST Bulletins, tools and other security related information are available from:
http://www.assist.mil/
http://www.assist.disa.smil.mil
ftp://ftp.assist.mil/

____
OTHER DoD CERT CONTACT INFORMATION:

Air Force CERT Phone: (800) 854-0187
Air Force CERT Email: afcert@afcert.csap.af.mil
Navy CIRT Phone: (800) 628-8893
Navy CIRT Email: navcirt@fiwc.navy.mil
Army CERT Phone: (888) 203-6332
Army CERT Email: acert@vulcan.belvoir.army.mil

Back issues of ASSIST bulletins, and other security related information, are available through anonymous FTP from ftp.assist.mil (IP address 199.211.123.12). Note: ftp.assist.mil will only accept anonymous FTP connections from NIPRNET addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your NIPRNET IP address to ASSIST before access can be provided.

ASSIST uses Pretty Good Privacy (PGP) as the digital signature mechanism for bulletins. PGP incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc.
A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In accordance with the terms of that license, PGP may be used for non-commercial purposes only. Instructions for downloading the PGP software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls.

The PGP signature information will be attached to the end of ASSIST bulletins.

Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes.