From CERT for REDHAT...

Emmanuel.V.Koveos emankov at dolnet.gr
Wed Oct 14 14:24:05 EEST 1998


Hello, and well done for the work you are doing... Keep going unstoppably.
This is the first e-mail I am sending to the list... it is probably not a
pleasant one..

Subject: CERT Advisory CA-98.12 - mountd
Date: 12 Oct 1998 21:54:03 GMT
From: CERT Advisory <cert-advisory at cert.org>
Reply-To: cert-advisory-request at cert.org
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Newsgroups: comp.security.announce

-----BEGIN PGP SIGNED MESSAGE-----

==========================================================================

CERT* Advisory CA-98.12
Original issue date: October 12, 1998

A complete revision history is at the end of this file.


Topic: Remotely Exploitable Buffer Overflow Vulnerability in mountd
------------------------------------------------------------------------

Affected systems:

NFS servers running certain implementations of mountd, primarily Linux
systems. On some systems, the vulnerable NFS server is enabled by default.
This vulnerability can be exploited even if the NFS server does not share
any file systems.

See Appendix A for information from vendors. If your vendor's name does not
appear, we did not hear from that vendor.


Overview:

NFS is a distributed file system in which clients make use of file systems
provided by servers. There is a vulnerability in some implementations of
the software that NFS servers use to log requests to use file systems.

When a client makes a request to use a file system and subsequently makes
that file system available as a local resource, the client is said to
"mount" the file system. The vulnerability lies in the software on the NFS
server that handles requests to mount file systems. This software is
usually called "mountd" or "rpc.mountd."

Intruders who exploit the vulnerability are able to gain administrative
access to the vulnerable NFS file server. That is, they can do anything the
system administrator can do. This vulnerability can be exploited remotely
and does not require an account on the target machine.

On some vulnerable systems, the mountd software is installed and enabled by
default. See Appendix A for more information.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

------------------------------------------------------------------------

I. Description

NFS is used to share files among different computers over the network using
a client/server paradigm. When an NFS client computer wishes to access
files on an NFS server, the client must first make a request to mount the
file system. There is a vulnerability in some implementations of the
software that handles NFS mount requests (the mountd program).
Specifically, it is possible for an intruder to overflow a buffer in the
area of code responsible for logging NFS activity.
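The bug class the advisory describes, a request logger that copies a client-supplied path into a fixed-size buffer, is illustrated below with the unsafe pattern beside a bounded form. This is an added example, not mountd's code; the function names, buffer sizes and the path limit are assumptions.

```c
/* Added illustration of the CA-98.12 bug class (not mountd source).
 * Buffer sizes and PATH_MAX_LOGGED are assumed values. */
#include <stdio.h>
#include <string.h>

#define LOGLINE_MAX     128  /* assumed size of the fixed log buffer */
#define PATH_MAX_LOGGED  64  /* assumed upper bound on a logged path */

/* Vulnerable pattern: the client-controlled path is formatted into
 * log[] with no length bound, so an over-long path overruns the
 * buffer. Shown for contrast only; never called with untrusted input. */
static void log_mount_unsafe(char *log, const char *client, const char *path)
{
    sprintf(log, "mount request from %s for %s", client, path);
}

/* Hardened form: refuse paths longer than PATH_MAX_LOGGED before any
 * copy, and bound every write with snprintf. Returns 0 when the request
 * was logged normally and -1 when it was refused (a truncated notice is
 * logged instead), so the caller can drop the request and alert. */
int log_mount_safe(char *log, size_t logsz, const char *client, const char *path)
{
    /* memchr bounds the scan: no NUL within the limit means too long */
    const char *nul = memchr(path, '\0', PATH_MAX_LOGGED + 1);
    if (nul == NULL) {
        snprintf(log, logsz,
                 "REFUSED over-long path (>%d bytes) from %s: %.*s...",
                 PATH_MAX_LOGGED, client, 16, path);
        return -1;
    }
    int n = snprintf(log, logsz, "mount request from %s for %s", client, path);
    return (n < 0 || (size_t)n >= logsz) ? -1 : 0;
}

int main(void)
{
    char log[LOGLINE_MAX];
    char longpath[300];                     /* constructed over-long path */
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    log_mount_unsafe(log, "10.0.0.5", "/export/home");   /* fits: no overflow */
    printf("%s\n", log);
    printf("rc=%d %s\n", log_mount_safe(log, sizeof log, "10.0.0.5", "/export/home"), log);
    printf("rc=%d %s\n", log_mount_safe(log, sizeof log, "10.0.0.5", longpath), log);
    return 0;
}
```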

We have received reports indicating that intruders are actively using this
vulnerability to compromise systems and are engaging in large-scale scans
to locate vulnerable systems.

On some systems, the vulnerable NFS server is enabled by default. See the
vendor information in Appendix A.

II. Impact

After causing a buffer overflow, a remote intruder can use the resulting
condition to execute arbitrary code with root privileges.

III. Solution

A. Install a patch from your vendor.

Appendix A contains input from vendors who have provided information for
this advisory. We will update the appendix as we receive more information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact your vendor directly.

B. Until you install a patch, use the following workaround.

Consider disabling NFS until you are able to install the patch. In
particular, since some systems have vulnerable versions of mountd installed
and enabled by default, we recommend you disable mountd on those systems
unless you are actively using those systems as NFS servers.

------------------------------------------------------------------------

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact the vendor directly.


Caldera
=======

Caldera provided a fixed version as nfs-server-2.2beta35-2 on Aug 28. It is
available from

ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/013

10fdb82ed8fd1b88c73fd962d8980bb4 RPMS/nfs-server-2.2beta35-2.i386.rpm
59e275b1ed6b98a39a38406f0415a226 RPMS/nfs-server-clients-2.2beta35-2.i386.rpm
6b075faf1d424e099c6932d95e76fd6b SRPMS/nfs-server-2.2beta35-2.src.rpm


Compaq Computer Corporation
===========================

SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer
Corporation. All rights reserved.
SOURCE: Compaq Computer Corporation Compaq Services Software Security
Response Team USA
x-ref: SSRT0574U mountd

This reported problem is not present in the as-shipped Compaq's Digital
ULTRIX or Compaq's Digital UNIX Operating Systems Software.

- Compaq Computer Corporation


Data General Corporation
========================

We are investigating. We will provide an update when our investigation is
complete.


FreeBSD, Inc.
=============

FreeBSD 2.2.6 and above seem not to be vulnerable to this exploit.


Fujitsu Limited
===============

Fujitsu's UXP/V operating system is not vulnerable.


Hewlett-Packard Company
=======================

Not vulnerable.


NCR
===

NCR is not vulnerable. We do not do any of the specified logging, nor do we
have mountd (or normally anything else) hanging on port 635.


The NetBSD Project
==================

NetBSD is not vulnerable to this attack in any configuration. Neither the
NFS server nor the mount daemon is enabled by default.


The OpenBSD Project
===================

OpenBSD is not affected.


Red Hat Software, Inc.
======================

All versions of Red Hat Linux are vulnerable, and we have provided fixed
packages for all our users. Updated nfs-server packages are available from
our site at http://www.redhat.com/support/docs/errata.html


The Santa Cruz Operation, Inc.
==============================

No SCO platforms are vulnerable.


Sun Microsystems, Inc.
======================

Sun's mountd is not affected.

------------------------------------------------------------------------

Contributors

Our thanks to Olaf Kirch and Wolfgang Ley for their input and assistance in
constructing this advisory.

------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
---------------------------
Email cert at cert.org

Phone +1 412-268-7090 (24-hour hotline)

CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on
call for emergencies during other hours.

Fax +1 412-268-6989

Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. We
   can support a shared DES key or PGP. Contact the CERT/CC for more
   information.

   Location of CERT PGP key

        ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information

   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

   To be added to our mailing list for advisories and bulletins, send
   email to

        cert-advisory-request at cert.org

   In the subject line, type

        SUBSCRIBE your-email-address

------------------------------------------------------------------------
Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and
ftp://ftp.cert.org/pub/legal_stuff. If you do not have FTP or web access,
send mail to cert at cert.org with "copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained from
use of the material. Carnegie Mellon University does not make any warranty
of any kind with respect to freedom from patent, trademark, or copyright
infringement.

------------------------------------------------------------------------

This file is at: ftp://ftp.cert.org/pub/cert_advisories/CA-98.12.mountd

Also posted on the USENET newsgroup comp.security.announce

------------------------------------------------------------------------

Revision History




--
====================================================================
For help (or to unsubscribe) e-mail majordomo at argos.hol.gr
The list archives are at http://www.argos.hol.gr/lists :
before sending a question, check whether it has already been answered.
For any problem, send e-mail to owner-linux-greek-users
====================================================================