================================================================================
NileSOFT Security Advisory
--------------------------------------------------------------------------------
ID      : NILESA-20050101
Title   : Denial of Service vulnerability due to the mountd bug
Vendor  : SCO
URL     : www.sco.com
Product : UnixWare 7.1.4, 7.1.3, 7.1.1, 7.0.1 (and maybe other versions)
Severity: Moderate
Local   : Yes
Remote  : Yes
Date    : 11 Jan. 2005
CVE ID  : CAN-2004-1039
Author  : Yun Jonglim / NileSOFT. Ltd (www.nilesoft.co.kr)
================================================================================

1. SUMMARY

The NFS mountd service on UnixWare is normally started by the RC script
(/etc/rc3.d/S22nfs) when an NFS server enters run level 3 at boot. When the
mountd service is instead run by inetd, an NFS mount related request received
from a remote (or local) host causes inetd to create the mountd process
repeatedly, steadily consuming system memory.

2. VULNERABILITY DESCRIPTION

UnixWare provides the NFS mountd service through the RC script
(/etc/rc3.d/S22nfs) by default. However, as shown below, the service is also
registered in the inetd.conf configuration file so that the inetd daemon can
provide it.

    # The mount server is usually started in /etc/rc.local only on machines that
    # are NFS servers. It can be run by inetd as well.
    #
    #mountd/1 dgram rpc/udp wait root /usr/sbin/in.tcpd /usr/lib/nfs/mountd
    #mountd/1 dgram rpc/udp wait root /usr/lib/nfs/mountd mountd

By default the mountd entries in inetd.conf are commented out (disabled), but
the service can be enabled by removing the corresponding '#' character and
restarting inetd, like below:

    # The mount server is usually started in /etc/rc.local only on machines that
    # are NFS servers. It can be run by inetd as well.
    #
    mountd/1 dgram rpc/udp wait root /usr/sbin/in.tcpd /usr/lib/nfs/mountd
    #mountd/1 dgram rpc/udp wait root /usr/lib/nfs/mountd mountd

When the NFS mountd service is configured to be run by inetd in this way, the
mountd process is started whenever an NFS mount related request such as the
following is received from a remote (or local) host:

    showmount -e

However, inetd does not create just one mountd process for the request but
creates the process repeatedly, so the system's memory use grows over time.
The same problem occurs regardless of which of the two lines has its '#'
character removed.

This problem has been identified for UnixWare versions 7.1.4 through 7.0.1;
other versions may also be affected.

3. IMPACT

As the number of mountd processes increases, the system's memory becomes
exhausted, eventually crashing the system.

4. REMEDY

Installing the fixed binary packages addresses this vulnerability. The packages
can be downloaded from the following ftp site:

    ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.1

SCO has released Security Advisory SCOSA-2005.1:

    http://www.sco.com/support/security/index.html

5. DISCLOSURE TIMELINE

2004/10/22  Vulnerability found and analyzed
2004/11/08  CVE notified and candidate number reservation requested
2004/11/16  CVE candidate reserved
2004/11/16  Vendor notified and initial response
2005/01/07  Vendor confirmed and patch prepared
2005/01/11  Advisory released

6. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2004-1039 to this issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.
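As an added example (not part of the NileSOFT advisory or of SCO's software), a POSIX shell audit for the condition described in section 2: any uncommented mountd entry in inetd.conf, which is the configuration under which inetd spawns mountd repeatedly. The two sample inetd.conf fragments are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not part of the NileSOFT advisory or of SCO's software.
# Audits an inetd.conf for active (uncommented) mountd entries, i.e. the
# configuration the advisory says makes inetd spawn mountd repeatedly.
# The two sample files below are constructed from the fragments in section 2.

# Print each active mountd entry as "<line number>:<line>".
# Returns 0 when none is active, 1 when at least one is.
audit_inetd_mountd() {
    hits=$(awk '
        /^[[:space:]]*#/ { next }                 # comment line: entry disabled
        $1 ~ /^mountd(\/[0-9-]+)?$/ { printf "%d:%s\n", NR, $0 }
    ' "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Print the number of active mountd entries (0 when the service is disabled).
count_inetd_mountd() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 ~ /^mountd(\/[0-9-]+)?$/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample: shipped default, both entries commented out.
SAMPLE_DISABLED=$(mktemp)
cat > "$SAMPLE_DISABLED" <<'EOF'
# The mount server is usually started in /etc/rc.local only on machines that
# are NFS servers. It can be run by inetd as well.
#
#mountd/1 dgram rpc/udp wait root /usr/sbin/in.tcpd /usr/lib/nfs/mountd
#mountd/1 dgram rpc/udp wait root /usr/lib/nfs/mountd mountd
EOF

# Constructed sample: first entry enabled by removing its '#'.
SAMPLE_ENABLED=$(mktemp)
cat > "$SAMPLE_ENABLED" <<'EOF'
# are NFS servers. It can be run by inetd as well.
#
mountd/1 dgram rpc/udp wait root /usr/sbin/in.tcpd /usr/lib/nfs/mountd
#mountd/1 dgram rpc/udp wait root /usr/lib/nfs/mountd mountd
EOF

# Stand-alone run: report on the enabled sample (exit status 1 signals a hit).
audit_inetd_mountd "$SAMPLE_ENABLED" || echo "mountd is run by inetd: check for a mountd spawn loop"
```

Run it against the real /etc/inetd.conf on an affected host; a non-zero exit status means mountd is inetd-managed and the fixed packages from SCOSA-2005.1 (or re-commenting the entry and restarting inetd) apply.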