CIAC INFORMATION BULLETIN

J-051: Calendar Manager Service Buffer Overflow Vulnerability

July 16, 1999 23:00 GMT, Last updated on Sept. 23, 1999 23:00 GMT
PROBLEM:       A buffer overflow vulnerability has been discovered in the 
               Calendar Manager Service daemon, rpc.cmsd.
PLATFORM:      HP-9000 Series 700/800 HP-UX releases 10.2x, 10.30, 11.00.
               SCO UnixWare 7 is potentially vulnerable.
               Sun Microsystems:  
                  SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 
                  5.5_x86, 5.4, 5.3, 4.1.4, 4.1.3_U1.
                  CDE 1.3, 1.3_x86, 1.2, 1.2_x86, 1.0.2, 1.0.1.
               Tru64 UNIX V4.0D, V4.0E and V4.0F.
DAMAGE:        If exploited, an attacker may gain root access.
SOLUTION:      Disable the rpc.cmsd daemon or apply available patches.  

VULNERABILITY  Risk is high. This vulnerability is being actively exploited.
ASSESSMENT:    Patch your systems as soon as possible.

[ Update on Sept. 23, 1999 with additional patch information from Hewlett-Packard. ]
[ Update on August 26, 1999 with additional patch information from Sun Microsystems. ]
[ Update on August 19, 1999 with additional patch information from Compaq Computer Corporation. ]

[ Start CERT Advisory ]

CERT Advisory CA-99-08-cmsd

Originally released: July 16, 1999
Source: CERT/CC

Systems Affected

   * Systems running the Calendar Manager Service daemon, often named
     rpc.cmsd

I. Description

   A buffer overflow vulnerability has been discovered in the Calendar
   Manager Service daemon, rpc.cmsd. The rpc.cmsd daemon is frequently
   distributed with the Common Desktop Environment (CDE) and Open Windows.

II. Impact

   Remote and local users can execute arbitrary code with the privileges
   of the rpc.cmsd daemon, typically root. Under some configurations
   rpc.cmsd runs with an effective userid of daemon, while retaining root
   privileges.

   This vulnerability is being exploited in a significant number of
   incidents reported to the CERT/CC. An exploit script was posted to
   BUGTRAQ.

III. Solution

   Install a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.

   We will update this advisory as more information becomes available.
   Please check the CERT/CC Web site for the most current revision.

   Disable the rpc.cmsd daemon

   If you are unable to apply patches to correct this vulnerability, you
   may wish to disable the rpc.cmsd daemon. If you disable rpc.cmsd, it
   may affect your ability to manage calendars.

Appendix A: Vendor Information

Hewlett-Packard Company

   HP is vulnerable, patches in process.

IBM Corporation

   AIX is not vulnerable to the rpc.cmsd remote buffer overflow.

   IBM and AIX are registered trademarks of International Business
   Machines Corporation.

Santa Cruz Operation, Inc.

   SCO is investigating this problem. The following SCO product contains
   CDE and is potentially vulnerable:

   + SCO UnixWare 7

   The following SCO products do not contain CDE, and are therefore
   believed not to be vulnerable:

   + SCO UnixWare 2.1
   + SCO OpenServer 5
   + SCO Open Server 3.0
   + SCO CMW+

   SCO will provide further information and patches if necessary as soon
   as possible at http://www.sco.com/security.

Silicon Graphics, Inc.

   IRIX does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.

   UNICOS does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.

Sun Microsystems, Inc.

   The following patches are available:

   OpenWindows:

      SunOS version       Patch ID
      _____________       _________
      SunOS 5.5.1         104976-04
      SunOS 5.5.1_x86     105124-03
      SunOS 5.5           103251-09
      SunOS 5.5_x86       103273-07
      SunOS 5.3           101513-14
      SunOS 4.1.4         100523-25
      SunOS 4.1.3_U1      100523-25

   CDE:

      CDE version         Patch ID
      ___________         ________
      1.3                 107022-03
      1.3_x86             107023-03
      1.2                 105566-07
      1.2_x86             105567-08

   Patches for SunOS 5.4 and CDE 1.0.2 and 1.0.1 will be available within
   a week of the release of this advisory.

   Sun security patches are available at:

   http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pubpatches

______________________________________________________________________________

The CERT Coordination Center would like to thank Chok Poh of Sun
Microsystems, David Brumley of Stanford University, and Elias Levy of
Security Focus for their assistance in preparing this advisory.
______________________________________________________________________________

[ End CERT Advisory ]

[ Start Compaq Update ]

UPDATE: AUG. 11, 1999

TITLE:  Potential Security Problem when using rpc.cmsd (calendar manager).
x-ref:  CERT Advisory CA-99-08

SOURCE: Compaq Computer Corporation
        Software Security Response Team

"Compaq is broadly distributing this Security Advisory in order to bring
to the attention of users of Compaq products the important security
information contained in this Advisory. Compaq recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. Compaq does not warrant that this
information is necessarily accurate or complete for all user situations
and, consequently, Compaq will not be responsible for any damages
resulting from user's use or disregard of the information provided in
this Advisory."

-----------------------------------------------------------------------
IMPACT:

   This fix was implemented in response to the recent posting of the
   CERT CA-99-08-cmsd advisory.

-----------------------------------------------------------------------
RESOLUTION:

   This potential security problem has been resolved and a patch for this
   problem has been made available for Tru64 UNIX V4.0D, V4.0E and V4.0F.

   This patch can be installed on:

      V4.0D Patch kit BL11 or BL12.
      V4.0E Patch kit BL1 or BL12.
      V4.0F Patch kit BL1.

   *This solution will be included in a future distributed release of
   Compaq's DIGITAL UNIX.

   This patch may be obtained from the World Wide Web at the following
   FTP address:

      http://www.service.digital.com/patches

   Patch file name: SSRT0614U_rpc_cmsd.tar.Z

   Use the FTP access option, select DIGITAL_UNIX directory then choose
   the appropriate version directory and download the patch accordingly.

   NOTE: There is a README file included with this patch, which contains
   installation instructions.

Additional Considerations:

   If you need further information, please contact your normal Compaq
   Services support channel.

   Compaq appreciates your cooperation and patience. We regret any
   inconvenience applying this information may cause.

   As always, Compaq urges you to periodically review your system
   management and security procedures. Compaq will continue to review and
   enhance the security features of its products and work with customers
   to maintain and improve the security and integrity of their systems.

____________________________________________________________
Copyright (c) Compaq Computer Corporation, 1999 All Rights Reserved.
Unpublished Rights Reserved Under The Copyright Laws Of The United States.
___________________________________________________________

[ End Compaq Update ]

[ Start Sun Microsystems Update ]

______________________________________________________________________________
                   Sun Microsystems, Inc. Security Bulletin

Bulletin Number:   #00188
Date:              August 25, 1999
Cross-Ref:         CERT CA-99-08
Title:             rpc.cmsd
______________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the
information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF
NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT
ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY
THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE
INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN
MICROSYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions are
waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.
______________________________________________________________________________

1. Bulletin Topics

   Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1,
   2.5, 2.4, 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4, 5.3), SunOS 4.1.4,
   and 4.1.3_U1, which relate to a vulnerability involving rpc.cmsd.

   Sun recommends that you:

   Install the OpenWindows patches listed in section 4 immediately on
   systems running SunOS 5.5.1, 5.5, 5.4, 5.3, 4.1.4, and 4.1.3_U1.

   Install the Common Desktop Environment (CDE) patches listed in section
   4 immediately on systems running SunOS 5.7 and 5.6.

   Install the CDE patches listed in section 4 immediately on systems
   running SunOS 5.5.1, 5.5, and 5.4 with CDE 1.0.2 or 1.0.1 installed.

2. Who is Affected

   Vulnerable:      SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5.1_x86,
                    5.5, 5.5_x86, 5.4, 5.4_x86, 5.3, 4.1.4, and 4.1.3_U1.

   Not vulnerable:  All other supported versions of SunOS.

3. Understanding the Vulnerability

   The rpc.cmsd is a small database manager for appointment and
   resource-scheduling data. Its primary client is Calendar Manager in
   OpenWindows, and Calendar in CDE. A buffer overflow vulnerability has
   been discovered which may be exploited to execute arbitrary
   instructions and gain root access.

4. List of Patches

   The following patches are available in relation to the above problem.

   OpenWindows:

      SunOS version       Patch ID
      _____________       _________
      SunOS 5.5.1         104976-04
      SunOS 5.5.1_x86     105124-03
      SunOS 5.5           103251-09
      SunOS 5.5_x86       103273-07
      SunOS 5.4           102030-10
      SunOS 5.4_x86       102031-08
      SunOS 5.3           101513-14
      SunOS 4.1.4         100523-25
      SunOS 4.1.3_U1      100523-25

   CDE:

      SunOS versions                 CDE version     Patch ID
      ______________                 ___________     ________
      5.7                            1.3             107022-04
      5.7_x86                        1.3_x86         107023-04
      5.6                            1.2             105566-07
      5.6_x86                        1.2_x86         105567-08
      5.5.1, 5.5, 5.4                1.0.2           103670-07
      5.5.1_x86, 5.5_x86, 5.4_x86    1.0.2_x86       103717-08
      5.5, 5.4                       1.0.1           103671-07
      5.5_x86, 5.4_x86               1.0.1_x86       103718-08
______________________________________________________________________________

APPENDICES

A. Patches listed in this bulletin are available to all Sun customers at:

      http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches

B. Checksums for the patches listed in this bulletin are available at:

      ftp://sunsolve.sun.com/pub/patches/CHECKSUMS

C. Sun security bulletins are available at:

      http://sunsolve.sun.com/pub-cgi/secBulletin.pl

D. Sun Security Coordination Team's PGP key is available at:

      http://sunsolve.sun.com/pgpkey.txt

E. To report or inquire about a security problem with Sun software,
   contact one or more of the following:

      - Your local Sun Solution Center
      - Your representative computer security response team, such as CERT
      - Sun Security Coordination Team. Send email to:
        security-alert@sun.com

F. To receive information or subscribe to our CWS (Customer Warning
   System) mailing list, send email to:

      security-alert@sun.com

   with a subject line (not body) containing one of the following
   commands:

      Command           Information Returned/Action Taken
      _______           _________________________________

      help              An explanation of how to get information

      key               Sun Security Coordination Team's PGP key

      list              A list of current security topics

      query [topic]     The email is treated as an inquiry and is
                        forwarded to the Security Coordination Team

      report [topic]    The email is treated as a security report and is
                        forwarded to the Security Coordination Team.
                        Please encrypt sensitive mail using Sun Security
                        Coordination Team's PGP key

      send topic        A short status summary or bulletin. For example,
                        to retrieve a Security Bulletin #00138, supply
                        the following in the subject line (not body):

                           send #138

      subscribe         Sender is added to our mailing list. To
                        subscribe, supply the following in the subject
                        line (not body):

                           subscribe cws your-email-address

                        Note that your-email-address should be
                        substituted by your email address.

      unsubscribe       Sender is removed from the CWS mailing list.
______________________________________________________________________________

Copyright 1999 Sun Microsystems, Inc. All rights reserved. Sun, Sun
Microsystems, Solaris and SunOS are trademarks or registered trademarks
of Sun Microsystems, Inc. in the United States and other countries. This
Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to Sun
Microsystems, Inc. and provided that such reproduction and distribution
is performed for non-commercial purposes.

[ End Sun Microsystems Update ]

[ Start Hewlett-Packard Bulletin ]

Digest Name:  Daily Security Bulletins Digest
    Created:  Thu Sep 9 3:00:02 PDT 1999

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX9908-102   Security Vulnerability in rpc.cmsd

The documents are listed below.
-------------------------------------------------------------------------------

Document ID:  HPSBUX9908-102
Date Loaded:  19990908
      Title:  Security Vulnerability in rpc.cmsd

-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00102, 30 Aug 1999
Last Revised: 08 Sept 1999
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:   Buffer overflow vulnerability in the CDE Calendar Manager
           Service Daemon, rpc.cmsd.

PLATFORM:  HP-9000 Series 700/800 HP-UX releases 10.2X, 10.30, 11.00.

DAMAGE:    Allows remote and local users to execute arbitrary code with
           root privileges.

SOLUTION:  **REVISED 01** Install the applicable patch.

AVAILABILITY:  The patches are available now.

CHANGE SUMMARY:  This revision affects only HP-UX 10.24 (VVOS).
-------------------------------------------------------------------------

I.
   A. Background

      This problem has been reported in CERT Advisory CA-99-08.

   B. Fixing the problem - Install the applicable patch:

                 For HP-UX release 10.20   PHSS_19482;
      ------>>>> For HP-UX release 10.24   PHSS_19702;
                 For HP-UX release 11.00   PHSS_19483.

      There are significant patch dependencies for these patches.

      Note: HP-UX release 10.30 was a development release prior to the
      availability of HP-UX release 11.00. HP-UX release 10.30 will not
      be patched.

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP Electronic Support Center via electronic
      mail, do the following:

      Use your browser to get to the HP Electronic Support Center page
      at:

         http://us-support.external.hp.com
            (for US, Canada, Asia-Pacific, & Latin-America)
         http://europe-support.external.hp.com
            (for Europe)

      Login with your user ID and password (or register for one).
      Remember to save the User ID assigned to you, and your password.

      Once you are in the Main Menu:

      To -subscribe- to future HP Security Bulletins, click on "Support
      Information Digests".

      To -review- bulletins already released from the main Menu, click on
      the "Search Technical Knowledge Database."

      Near the bottom of the next page, click on "Browse the HP Security
      Bulletin Archive".

      Once in the archive there is another link to our current Security
      Patch Matrix. Updated daily, this matrix categorizes security
      patches by platform/OS release, and by bulletin topic.

      The security patch matrix is also available via anonymous ftp:

         us-ffs.external.hp.com
         ~ftp/export/patches/hp-ux_patch_matrix

   D. To report new security vulnerabilities, send email to

         security-alert@hp.com

      Please encrypt any exploit information using the security-alert PGP
      key, available from your local key server, or by sending a message
      with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

      Permission is granted for copying and circulating this Bulletin to
      Hewlett-Packard (HP) customers (or the Internet community) for the
      purpose of alerting them to problems, if and only if, the Bulletin
      is not edited or changed in any way, is attributed to HP, and
      provided such reproduction and/or distribution is performed for
      non-commercial purposes.

      Any other use of this information is prohibited. HP is not liable
      for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9908-102--------------------------------------

[ End Hewlett-Packard Bulletin ]
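
The minimum patch revisions in section 4 of the Sun bulletin above can be compared against a host's "showrev -p" output. The script below is an added example, not part of the CIAC, CERT or vendor text; it covers only the SunOS 5.x rows that map one release to one patch, the function names are hypothetical, and the sample input is constructed.

```sh
#!/bin/sh
# Added example. Rows copied from the Sun bulletin's section 4 tables as
# "release|component|patch base|minimum revision". The CDE 1.0.x and
# SunOS 4.1.x rows are left out to keep the example short.
REQUIRED='5.7|CDE 1.3|107022|04
5.7_x86|CDE 1.3_x86|107023|04
5.6|CDE 1.2|105566|07
5.6_x86|CDE 1.2_x86|105567|08
5.5.1|OpenWindows|104976|04
5.5.1_x86|OpenWindows|105124|03
5.5|OpenWindows|103251|09
5.5_x86|OpenWindows|103273|07
5.4|OpenWindows|102030|10
5.4_x86|OpenWindows|102031|08
5.3|OpenWindows|101513|14'

# highest_rev BASE: read "showrev -p" text on stdin and print the highest
# installed revision of patch BASE, or nothing if the patch is absent.
highest_rev() {
    awk -v base="$1" '
        $1 == "Patch:" {
            split($2, id, "-")
            if (id[1] == base && (!found || id[2] + 0 > max + 0)) {
                max = id[2]; found = 1
            }
        }
        END { if (found) print max }'
}

# audit RELEASE: read "showrev -p" text on stdin and print, for each row of
# REQUIRED matching RELEASE, "<status> <base>-<min> <component>" where
# status is ok, outdated or missing. Revisions are compared in awk because
# shell arithmetic would read "08" and "09" as invalid octal numbers.
# A fix delivered under a different patch ID is not detected.
audit() {
    input=$(cat)
    echo "$REQUIRED" | while IFS='|' read -r rel comp base min; do
        [ "$rel" = "$1" ] || continue
        have=$(printf '%s\n' "$input" | highest_rev "$base")
        if [ -z "$have" ]; then status=missing
        elif awk -v h="$have" -v m="$min" 'BEGIN { exit !(h + 0 >= m + 0) }'
        then status=ok
        else status=outdated
        fi
        echo "$status $base-$min $comp"
    done
}

# Constructed sample of "showrev -p" output for a SunOS 5.6 host.
SAMPLE='Patch: 105566-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdmn
Patch: 105566-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdmn'

printf '%s\n' "$SAMPLE" | audit 5.6
```

On a live system the input would come from "showrev -p" itself, with the release label chosen to match the bulletin's naming (for example 5.6_x86 on an Intel host).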

CIAC wishes to acknowledge CERT, Compaq Computer Corp., Sun Microsystems, and Hewlett-Packard for the information contained in this bulletin.

DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/