************************************************************************** Security Bulletin 9610 DISA Defense Communications System April 25, 1996 Published by: DISN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/sec-yynn.txt (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9944.txt). They are also available on our WWW site at http://nic.ddn.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= ============================================================================= CERT(sm) Advisory CA-96.09 April 24, 1996 Topic: Vulnerability in rpc.statd ----------------------------------------------------------------------------- The CERT Coordination Center has received reports of a vulnerability in rpc.statd (rpc.statd is also known as statd on some systems). As of the date of this advisory, we have received no reports of this vulnerability being exploited. If exploited, this vulnerability can be used to remove any file that the root user can remove or to create any file that the root user can create. Section III and Appendix A contain information from vendors. Appendix B contains an example of a possible workaround. As we receive additional information relating to this advisory, we will place it in ftp://info.cert.org/pub/cert_advisories/CA-96.09.README We encourage you to check our README files regularly for updates on advisories that relate to your site. ----------------------------------------------------------------------------- I. Description rpc.statd, also called statd, is the NFS file-locking status monitor. It interacts with rpc.lockd, also called lockd, to provide the crash and recovery functions for file locking across NFS. NFS is stateless, which means that NFS clients and servers can be rebooted without a loss of file integrity due to NFS. In contrast, NFS file locking is stateful. To achieve this stateful nature in a stateless environment, rpc.lockd must work with rpc.statd to add state to file locking. To understand what rpc.statd does, it is first necessary to understand what rpc.lockd does. rpc.lockd processes lock requests that are sent either locally by the kernel or remotely by another lock daemon. rpc.lockd forwards lock requests for remote NFS files to the NFS server's lock daemon using Remote Procedure Calls (RPC). rpc.lockd then requests monitoring service from the status monitor daemon, rpc.statd, running on the NFS server. Monitoring services are needed because file locks are maintained in the NFS server kernel. In the event of a system crash or reboot, all NFS locks would normally be lost. It is rpc.statd that adds stateful file locking. When an NFS server reboots, rpc.statd causes the previously held locks to be recovered by notifying the NFS client lock daemons to resubmit previously granted lock requests. If a lock daemon fails to secure a previously granted lock on the NFS server, it sends SIGLOST to the process that originally requested the file lock. The vulnerability in rpc.statd is its lack of validation of the information it receives from what is presumed to be the remote rpc.lockd. Because rpc.statd normally runs as root and because it does not validate this information, rpc.statd can be made to remove or create any file that the root user can remove or create on the NFS server. II. Impact Any file that root could remove can be removed by rpc.statd. Any file that root could create can be created by rpc.statd, albeit with mode 200. III. Solution The general solution to this problem is to replace the rpc.statd daemon with one that validates the information sent to it by the remote rpc.lockd. We recommend that you install a patch from your vendor if possible. If a patch is not available for your system, we recommend contacting your vendor and requesting that a patch be developed as soon as possible. In the meantime, consider whether the information in Appendix B is applicable to your site. Vendor Information ------------------ Below is a summary list of the vendors who have reported to us as of the date of this advisory. Patch information and other details are in Appendix A of this advisory and reproduced in the CA-96.09.README file. We will update the README file as we receive more information. If your vendor's name is not on this list, please contact the vendor directly. Vendor Status ------ ------------ Apple Computer, Inc. vulnerable - A/UX version 3.1.1 and earlier; AIX 4.1.4 for the Apple Network Server Berkeley Software Design, Inc. not vulnerable - BSD/OS Cray Research, Inc. vulnerable - Unicos version 9.0 and higher Data General Corporation vulnerable - DG/UX R4.11 Digital Equipment Corporation vulnerable - UNIX (OSF/1) V3.0 through V3.2d; ULTRIX V4.3 through V4.5 Harris Computer Systems Corp. vulnerable - all versions of NightHawk CX/UX and PowerUX not vulnerable - all versions of NightHawk CX/SX and CyberGuard CX/SX Hewlett-Packard Company vulnerable - 9.X and 10.X IBM Corporation vulnerable - AIX 3.2 and 4.1 NEC Corporation some systems vulnerable NeXT Software, Inc. vulnerable - versions before 4.0; will be fixed in 4.0 The Santa Cruz Operation, Inc. not vulnerable - SCO UnixWare 2.x.; SCO OpenServer 3.0, 5; SCO Open Desktop 2.x, 3.x; SCO NFS 1.x.x. Silicon Graphics, Inc. vulnerable - all versions of IRIX except 6.2 not vulnerable - IRIX 6.2 Sony Corporation vulnerable - NEWS-OS 4.2.1, 6.0.3, 6.1, and 6.1.1 Sun Microsystems, Inc. believed to be vulnerable - SunOS 4.x and Solaris 2.x --------------------------------------------------------------------------- The CERT Coordination Center thanks Andrew Gross of the San Diego Supercomputer Center for reporting this problem and Wolfgang Ley of DFN-CERT for his support in responding to this problem. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key CERT Contact Information ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University. ......................................................................... Appendix A: Vendor Information Current as of April 24, 1996 See CA-96.09.README for updated information. Below is information we have received from vendors concerning the vulnerability described in this advisory. If you do not see your vendor's name, please contact the vendor directly for information. Apple Computer, Inc. ==================== A/UX ---- An upgrade to A/UX version 3.1 (and 3.1.1) for this vulnerability is available. The upgrade replaces the rpc.statd binary with a new, improved version. It is available via anonymous FTP from ftp.support.apple.com: pub/apple_sw_updates/US/Unix/A_UX/supported/3.x/rpc.statd/rpc.statd.Z Uncompress(1) this file and replace the existing version in /etc. Modify the entry for rpc.statd in /etc/inittab to "respawn" instead of "wait". Kill the running rpc.statd and restart. Earlier versions of A/UX are not supported by this patch. Users of previous versions are encouraged to update their system or disable rpc.statd. AIX for the Apple Network Server ------------------------------- An upgrade to AIX version 4.1.4 for the Network Server which resolves this vulnerability is available. The PTF replaces the rpc.statd binary and related programs with new, improved versions. To determine if you already have APAR IX55931 on your system, run the following command: instfix -ik IX55931 Or run the following command: lslpp -h bos.net.nfs.client Your version of bos.net.nfs.client should be 4.1.4.7 or later. The PTF for this APAR is available via anonymous FTP from ftp.support.apple.com: pub/apple_sw_updates/US/Unix/AIX/supported/4.1/bos.net.nfs.client.bff Place this file in /usr/sys/inst.images or another directory of your choice. To install the PTF, start smit using the following fast path: # smit install_selectable Select the menu item "Install Fileset Updates by Fix" and provide the name of the directory in which the PTF was placed. Enter OK and in the next dialog, enter the APAR number, IX55931, in the "FIXES" item. For information about the other options in this dialog, see the manual page for installp(1). Enter OK, exit smit and restart the system. Customers should contact their reseller for any additional information. Berkeley Software Design, Inc. ============================= BSD/OS is not vulnerable. Cray Research, Inc. =================== This problem has been tracked with SPR 99983 and reported with Field notice 2107. Since statd is only available on 9.0 systems fixes have been provided for UNICOS 9.0 and higher. Data General Corporation ======================== Data General has fixed this vulnerability in DG/UX R4.11 Maintenance Update 2 (R4.11MU02). Digital Equipment Corporation ============================= At the time of writing this document, patches (binary kits) for Digital's ULTRIX operating system are being developed - V4.3 (both VAX and RISC) thru V4.5. Similar patches (binary kits) for Digital UNIX (OSF/1) versions 3.0 thru 3.2d are being tested. Digital will provide notice of the completion of the kits through AES services (DIA, DSNlink FLASH) and be available from your normal Digital Support channel. Digital's Software Security Response Team 16.APR.1996 Harris Computer Systems Corporation =================================== All versions of NightHawk CX/SX and CyberGuard CX/SX are not vulnerable. All versions of NightHawk CX/UX and PowerUX are vulnerable. Users are advised, until patches are available, to use the workaround in the advisory. Hewlett-Packard Company ======================= Vulnerable - 9.X & 10.X (i.e., all that are currently supported) Patches are in process; watch for an HP security bulletin. IBM Corporation =============== See the appropriate release below to determine your action. AIX 3.2 ------- Apply the following fix to your system: APAR - IX56056 (PTF - U441411) To determine if you have this PTF on your system, run the following command: lslpp -lB U441411 AIX 4.1 ------- Apply the following fix to your system: APAR - IX55931 To determine if you have this APAR on your system, run the following command: instfix -ik IX55931 Or run the following command: lslpp -h bos.net.nfs.client Your version of bos.net.nfs.client should be 4.1.4.7 or later. To Order -------- APARs may be ordered using FixDist or from the IBM Support Center. For more information on FixDist, reference URL: http://aix.boulder.ibm.com/pbin-usa/fixdist.pl/ or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist". NEC Corporation =============== Some systems are vulnerable. We are developing the patches and plan to put them on our anonymous FTP server. You can contact us with the following e-mail address if you need. E-mail: UX48-security-support@nec.co.jp FTP server: ftp://ftp.meshnet.or.jp NeXT Software, Inc. =================== This vulnerability will be fixed in release 4.0 of OpenStep for Mach, scheduled for 2Q96. The Santa Cruz Operation, Inc. ============================== These are not vulnerable: SCO UnixWare 2.x. SCO OpenServer 3.0, 5 SCO Open Desktop 2.x, 3.x SCO NFS 1.x.x. Silicon Graphics, Inc. ====================== All versions of IRIX earlier than 6.2 are vulnerable. IRIX 6.2 is not vulnerable. Sony Corporation ================ NEWS-OS 4.2.1 vulnerable; Patch 0124 [rpc.statd] is available. NEWS-OS 6.0.3 vulnerable; Patch SONYP6063 [lockd/statd 2] is available. NEWS-OS 6.1 vulnerable; Patch SONYP6176 [lockd/statd] is available. NEWS-OS 6.1.1 vulnerable; Patch SONYP6207 [lockd/statd] is available. Patches are available via anonymous FTP in the /pub/patch/news-os/un-official directory on ftp1.sony.co.jp [202.238.80.18]: 4.2.1a+/0124.doc describes about patch 0124 [rpc.statd] 4.2.1a+/0124_C.pch patch for NEWS-OS 4.2.1C/a+C 4.2.1a+/0124_R.pch patch for NEWS-OS 4.2.1R/RN/RD/aRD/aRS/a+R 6.0.3/SONYP6063.doc describes about patch SONYP6063 [lockd/statd 2] 6.0.3/SONYP6063.pch patch for NEWS-OS 6.0.3 6.1/SONYP6176.doc describes about patch SONYP6176 [lockd/statd] 6.1/SONYP6176.pch patch for NEWS-OS 6.1 6.1.1/SONYP6207.doc describes about patch SONYP6207 [lockd/statd] 6.1.1/SONYP6207.pch patch for NEWS-OS 6.1.1 If you need further information, contact your dealer. Sun Microsystems, Inc. ====================== SunOS 4.x and Solaris 2.x are believed to be vulnerable. When further information is available, it will be placed in CA-96.09.README. ......................................................................... Appendix B: Example Workaround Scenario The information given below was provided to the CERT/CC by Wolfgang Ley of DFN-CERT. It is reproduced here as an example of how to run the statd daemon as a user other than root on a Solaris system. This workaround may not be directly applicable on other vendor's systems, but an analogous solution may be possible. Please contact your vendor for assistance. The statd daemon under Solaris 2.4 and 2.5 starts without problems if the following steps are taken. 1) Go into single user mode (ensure rpcbind and statd are not running) 2) Create a new user, e.g., "statd" with a separate uid/gid 3) Chown statd /var/statmon/* /var/statmon/*/* 4) Chgrp statd /var/statmon/* /var/statmon/*/* 5) Edit /etc/init.d/nfs.client startup script and change the start of the statd from: /usr/lib/nfs/statd > /dev/console 2>&1 to: /usr/bin/su - statd -c "/usr/lib/nfs/statd" > /dev/console 2>&1 6) Reboot the system **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.