CVSS2 | |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |

EPSS | |
---|---|
Percentile | 97.6% |

Sun’s NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted using the NFS protocol. An exploitable stack overflow exists in cachefsd that could permit a local attacker to execute arbitrary code with the privileges of the cachefsd process, typically root.
After creating a local file on the system, an attacker can exploit a stack overflow in cachefsd to execute arbitrary code with the privileges of the cachefsd process, typically root. Sun Microsystems has released a Sun Alert Notification that addresses this issue as well as the issue described in VU#635811.
The Australian Computer Emergency Response Team has also issued an advisory related to incident activity exploiting cachefsd:
<http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.01.txt>
The eSecurityOnline team has also published a report on this vulnerability:
<http://www.eSecurityOnline.com/advisories/eSO4198.asp>
This issue is also being referenced as CAN-2002-0084.
An attacker can execute code with the privileges of the cachefsd process, typically root.
The CERT/CC is currently unaware of patches for this problem.
According to the Sun Alert Notification a workaround is as follows:

> Comment out cachefsd in /etc/inetd.conf as shown below:
>
> ```
> #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
> ```
>
> Once the line is commented out either:
>
> - reboot, or
> - send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,
>
> on Solaris 2.5.1 and 2.6 do the following:
>
> ```
> $ kill -HUP <PID of inetd>
> $ kill <PIDs of any cachefsd processes>
> ```
>
> Solaris 7 and 8 do the following:
>
> ```
> $ pkill -HUP inetd
> $ pkill cachefsd
> ```
>
> The possible side effects of the workaround are:
>
> - for systems not using cachefs: There is no impact.
> - for systems using cachefs: Only a “disconnected” operation is known to be affected by disabling cachefsd. This feature is rarely used outside of AutoClient. Mounts and unmounts should still succeed though an error message may be seen, “mount -F cachefs: cachefsd is not running”. There is no performance impact.
> - for systems using AutoClient: The impact is unknown. Again, only “disconnected” mode is likely to be affected.

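
A check for the workaround above, as an added example that is not part of the Sun Alert or the CERT/CC note: it reports whether an inetd.conf still has an active cachefsd entry and writes a commented-out copy for review. The function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check for, and stage, the inetd.conf workaround for cachefsd.
# RPC program 100235 and the daemon path are taken from the inetd.conf line
# quoted in the advisory; the function names are hypothetical.

# Print "lineno: entry" for each active (uncommented) cachefsd entry.
cachefsd_active_entries() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        $1 ~ /^100235\// || $6 ~ /\/cachefsd$/ { print NR ": " $0 }
    ' "$1"
}

# Succeed only when no active cachefsd entry remains in the file.
cachefsd_workaround_applied() {
    [ -z "$(cachefsd_active_entries "$1")" ]
}

# Write a copy of the file to stdout with active cachefsd entries commented
# out. All other lines, existing comments included, pass through unchanged.
cachefsd_comment_out() {
    awk '
        NF > 0 && $1 !~ /^#/ && ($1 ~ /^100235\// || $6 ~ /\/cachefsd$/) {
            print "#" $0; next
        }
        { print }
    ' "$1"
}

# Constructed sample inetd.conf for trying the functions offline.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample for this example, not from a real host
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
EOF
}

# With a file argument, report whether that file still starts cachefsd.
if [ -n "${1:-}" ]; then
    if cachefsd_workaround_applied "$1"; then
        echo "cachefsd is disabled in $1"
    else
        echo "cachefsd is still enabled in $1:"
        cachefsd_active_entries "$1"
    fi
fi
```

Editing the file does not stop a running daemon: the HUP to inetd and the kill of existing cachefsd processes from the quoted steps are still required.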
161931
Updated: May 09, 2002
Affected
See the Sun Alert Notification which addresses this issue.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23161931 Feedback>).
Updated: May 13, 2002
Not Affected
Cray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Our thanks to AusCERT, eSecurityOnline, and the Sun Security Coordination Team, as well as Mark Dowd and Stephen James of IT Audit & Consulting for their analysis and reports about this vulnerability.
This document was written by Jason Rafail.
CVE IDs: | CVE-2002-0084 |
---|---|
Severity Metric: | 22.84 |
Date Public: | |