M-111: Integer Overflow in External Data Representation (XDR) Library
INFORMATION BULLETIN
[CERT Advisory CA-2002-25]
August 13, 2002 21:00 GMT
[REVISED 12 Jan 2004]
PROBLEM:
There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code.
PLATFORM:
Systems using vulnerable implementations of SunRPC-derived XDR libraries, which include, but are not limited to:
- Sun Microsystems network services library (libnsl)
- BSD-derived libraries with XDR/RPC routines (libc)
- GNU C library with sunrpc (glibc)
- HP-UX B.10.20, B.10.26, B.11.00, B.11.11, B.11.22
DAMAGE:
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.
SOLUTION:
Apply patches from your vendor.
VULNERABILITY ASSESSMENT:
The risk is HIGH. Specific impacts reported include the ability to execute arbitrary code with root privileges.
REVISION HISTORY:
1/12/04 - Added a link to Hewlett-Packard's HPSBUX0209-215 SSRT2336 (rev. 5) to reflect that HP now has patches for B.10.20, B.10.26, B.11.00, B.11.11, B.11.22.
[***** Start CERT Advisory CA-2002-25 *****]
CERT Advisory CA-2002-25 Integer Overflow In XDR Library
Original release date: August 05, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Applications using vulnerable implementations of SunRPC-derived XDR
libraries, which include, but are not limited to:
- Sun Microsystems network services library (libnsl)
- BSD-derived libraries with XDR/RPC routines (libc)
- GNU C library with sunrpc (glibc)
Overview
There is an integer overflow present in the xdr_array() function
distributed as part of the Sun Microsystems XDR library. This overflow
has been shown to lead to remotely exploitable buffer overflows in
multiple applications, leading to the execution of arbitrary code.
Although the library was originally distributed by Sun Microsystems,
multiple vendors have included the vulnerable code in their own
implementations.
I. Description
The XDR (external data representation) libraries are used to provide
platform-independent methods for sending data from one system process
to another, typically over a network connection. Such routines are
commonly used in remote procedure call (RPC) implementations to
provide transparency to application programmers who need to use common
interfaces to interact with many different types of systems. The
xdr_array() function in the XDR library provided by Sun Microsystems
contains an integer overflow that can lead to improperly sized dynamic
memory allocation. Subsequent problems like buffer overflows may
result, depending on how and where the vulnerable xdr_array() function
is used.
This issue is currently being tracked as VU#192995 by the CERT/CC and
CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE)
dictionary.
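As an added illustration (not the Sun library's code and not part of the CERT advisory), the following C example models the allocation-sizing pattern the description refers to: an element count decoded from untrusted XDR input is multiplied by the element size to size a heap buffer, first without a check and then with the bound and overflow checks a corrected implementation needs. The function names and the maxsize parameter are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Example code, not the Sun/CERT xdr_array() implementation.
   Models: size = count * elsize, where count comes off the wire. */

/* Unchecked sizing: on 32-bit unsigned arithmetic the product wraps,
   so a huge count can produce a tiny (or zero) allocation while the
   caller still believes it holds `count` elements. This is the
   integer-overflow class the advisory describes. */
static uint32_t alloc_size_unchecked(uint32_t count, uint32_t elsize) {
    return count * elsize;   /* wraps silently modulo 2^32 */
}

/* Hardened sizing: reject any count above the caller's maximum
   (maxsize is an assumed parameter) and any product that would not
   fit in 32 bits. Returns false when the allocation must be refused. */
static bool alloc_size_checked(uint32_t count, uint32_t elsize,
                               uint32_t maxsize, uint32_t *out) {
    if (count > maxsize)
        return false;                       /* more than the protocol allows */
    if (elsize != 0 && count > UINT32_MAX / elsize)
        return false;                       /* count * elsize would overflow */
    *out = count * elsize;
    return true;
}

int main(void) {
    /* Constructed input: 0x40000000 elements of 4 bytes is 4 GiB, which
       wraps to 0 when computed in 32 bits. */
    uint32_t count = 0x40000000u, elsize = 4u, size = 0;
    printf("unchecked size: %u\n", alloc_size_unchecked(count, elsize));
    if (!alloc_size_checked(count, elsize, 0x7fffffffu, &size))
        printf("checked: allocation refused\n");
    if (alloc_size_checked(100u, elsize, 1000u, &size))
        printf("checked: 100 elements -> %u bytes\n", size);
    return 0;
}
```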
II. Impact
Because SunRPC-derived XDR libraries are used by a variety of vendors
in a variety of applications, this defect may lead to a number of
differing security problems. Exploiting this vulnerability will lead
to denial of service, execution of arbitrary code, or the disclosure
of sensitive information.
Specific impacts reported include the ability to execute arbitrary
code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind,
for example). In addition, intruders who exploit the XDR overflow in
MIT KRB5 kadmind may be able to gain control of a Key Distribution
Center (KDC) and improperly authenticate to other services within a
trusted Kerberos realm.
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below or in the vulnerability note, we have not
received their comments. Please contact your vendor directly.
Note that XDR libraries can be used by multiple applications on most
systems. It may be necessary to upgrade or apply multiple patches and
then recompile statically linked applications.
Applications that are statically linked must be recompiled using
patched libraries. Applications that are dynamically linked do not
need to be recompiled; however, running services need to be restarted
in order to use the patched libraries.
System administrators should consider the following process when
addressing this issue:
1. Patch or obtain updated XDR/RPC libraries.
2. Restart any dynamically linked services that make use of the
XDR/RPC libraries.
3. Recompile any statically linked applications using the patched or
updated XDR/RPC libraries.
Disable access to vulnerable services or applications
Until patches are available and can be applied, you may wish to
disable access to services or applications compiled with the
vulnerable xdr_array() function. Such applications include, but are
not limited to, the following:
- DMI Service Provider daemon (dmispd)
- CDE Calendar Manager Service daemon (rpc.cmsd)
- MIT Kerberos 5 Administration daemon (kadmind)
As a best practice, the CERT/CC recommends disabling all services that
are not explicitly required.
[***** End CERT Advisory CA-2002-25 *****]
CIAC wishes to acknowledge the contributions of CERT Coordination Center for the
information contained in this bulletin.
DOE-CIRC can be contacted at:
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/