Sun Solaris cachefsd vulnerable to stack overflow in fscache_setup() function

Overview

Sun’s NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. An exploitable stack overflow exists in cachefsd that could permit a local attacker to execute arbitrary code with the privileges of the cachefsd, typically root.

Description

After creating a local file on the system, an attacker can exploit a stack overflow in cachefsd to execute arbitrary code with the privileges of the cachefsd process, typically root. Sun Microsystems has released a Sun Alert Notification that addresses this issue as well as the issue described in VU#635811.

The Australian Computer Emergency Response Team has also issued an advisory related to incident activity exploiting cachefsd:

<http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.01.txt&gt;
The eSecurityOnline team has also published a report on this vulnerability:

<http://www.eSecurityOnline.com/advisories/eSO4198.asp&gt;
This issue is also being referenced as CAN-2002-0084:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0084&gt;

Impact

An attacker can execute code with the privileges of the cachefsd process, typically root.

---

Solution

The CERT/CC is currently unaware of patches for this problem.

---

According to the Sun Alert Notification a workaround is as follows:

_Comment out cachefsd in /etc/inetd.conf as shown below: _

_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _

_ Once the line is commented out either: _

_ - reboot, or_
_ - send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_
_ on Solaris 2.5.1 and 2.6 do the following:_
_ $ kill -HUP <PID of inetd>_
_ $ kill <PIDs of any cachefsd processes>_

_ Solaris 7 and 8 do the following:_
_ $ pkill -HUP inetd_
_ $ pkill cachefsd _

_ The possible side effects of the workaround are: _

_ - for systems not using cachefs:_

_ There is no impact._

_ - for systems using cachefs:_

_ Only a “disconnected” operation is known to be affected by _
_ disabling cachefsd. This feature is rarely used outside of AutoClient._

_ Mounts and unmounts should still succeed though an error message _
_ may be seen, “mount -F cachefs: cachefsd is not running”._

_ There is no performance impact._

_ - for systems using AutoClient:_

_ The impact is unknown. Again, only “disconnected” mode is likely _
_ to be affected. _

---

Vendor Information

161931

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Sun __ Affected

Updated: May 09, 2002

Status

Affected

Vendor Statement

See the Sun Alert Notification which addresses this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23161931 Feedback>).

Cray __ Not Affected

Updated: May 13, 2002

Status

Not Affected

Vendor Statement

Cray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23161931 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.01.txt&gt;
• <http://www.eSecurityOnline.com/advisories/eSO4198.asp&gt;
• <http://www.securityfocus.com/bid/4631&gt;
• <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0084&gt;

Acknowledgements

Our thanks to AusCERT, eSecurityOnline, and the Sun Security Coordination Team, as well as Mark Dowd and Stephen James of IT Audit & Consulting for their analysis and reports about this vulnerability.

This document was written by Jason Rafail.

Other Information

CVE IDs:	CVE-2002-0084
Severity Metric:	22.84 Date Public: