
Sun XDR Library xdrmem_getbytes() Integer Overflow Vulnerability

Risk
High

Date Discovered
03-17-2003

Description
A vulnerability has been discovered in the Sun XDR library. Specifically, an integer overflow has been found in the xdrmem_getbytes() function. As a result, applications that call the vulnerable library routine may be exposed to a range of vulnerabilities.

It should be noted that the vulnerable library code has been incorporated into various other libraries, including BSD's libc, glibc, and Sun Microsystems' libnsl.
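The class of flaw named in the description, as an added C illustration that is not code from the advisory or from any affected vendor: a signed remaining-byte count tested for "< 0" only after an unsigned request length has been subtracted from it, beside a hardened check that compares before subtracting. The xdr_mem_t struct, the 0xFFFFFFF0 request and the 8-byte sample stream are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Minimal model of an XDR memory stream. Field names follow the XDR
 * convention (x_private = read cursor, x_handy = bytes still available),
 * but the struct is constructed for this example, not the library's code. */
typedef struct {
    const unsigned char *x_private;
    int                  x_handy;   /* signed count, the root of the problem */
} xdr_mem_t;

/* Flawed check: a signed remaining count is decremented by an unsigned
 * length and then tested for "< 0". The subtraction is done in unsigned
 * arithmetic, so for len in the upper half of the 32-bit range the result
 * wraps to a small positive value and the test accepts an oversized read. */
static bool length_check_unsafe(int x_handy, uint32_t len)
{
    int remaining = (int)((uint32_t)x_handy - len); /* wraps for huge len */
    return remaining >= 0;                          /* true == accepted */
}

/* Hardened check: compare before subtracting, entirely in unsigned terms. */
static bool length_check_safe(uint32_t x_handy, uint32_t len)
{
    return len <= x_handy;
}

/* getbytes built on the hardened check: copy only when the request fits,
 * then advance the cursor and shrink the remaining count. */
static bool xdrmem_getbytes_safe(xdr_mem_t *x, unsigned char *dst, uint32_t len)
{
    if (x->x_handy < 0 || !length_check_safe((uint32_t)x->x_handy, len))
        return false;
    memcpy(dst, x->x_private, len);
    x->x_private += len;
    x->x_handy   -= (int)len;
    return true;
}

/* Scenario used by the tests: an 8-byte constructed stream, a valid read of 4,
 * an oversized request, a request larger than what is left, a final valid read.
 * Returns the number of bytes actually consumed. */
static int demo_consumed(void)
{
    static const unsigned char sample[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    xdr_mem_t x = { sample, (int)sizeof sample };
    unsigned char out[8];
    int consumed = 0;
    if (xdrmem_getbytes_safe(&x, out, 4))           consumed += 4;  /* ok     */
    if (xdrmem_getbytes_safe(&x, out, 0xFFFFFFF0u)) consumed += 16; /* never  */
    if (xdrmem_getbytes_safe(&x, out, 5))           consumed += 5;  /* 4 left */
    if (xdrmem_getbytes_safe(&x, out, 4))           consumed += 4;  /* ok     */
    return consumed;                                                /* 8      */
}
```

With 100 bytes left, the flawed check accepts a request of 0xFFFFFFF0 bytes because the wrapped difference is 116, while the hardened check rejects it.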

Platforms Affected
Caldera OpenLinux Server 3.1
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Workstation 3.1
Caldera OpenLinux Workstation 3.1.1
Conectiva Linux ecommerce
Conectiva Linux graficas
Conectiva Linux 5.0
Conectiva Linux 5.1
Conectiva Linux 6.0
Conectiva Linux 7.0
Conectiva Linux 8.0
Debian Linux 2.2
Debian Linux 2.2 68k
Debian Linux 2.2 alpha
Debian Linux 2.2 arm
Debian Linux 2.2 IA-32
Debian Linux 2.2 powerpc
Debian Linux 2.2 sparc
Debian Linux 3.0
Debian Linux 3.0 alpha
Debian Linux 3.0 arm
Debian Linux 3.0 hppa
Debian Linux 3.0 ia-32
Debian Linux 3.0 ia-64
Debian Linux 3.0 m68k
Debian Linux 3.0 mips
Debian Linux 3.0 mipsel
Debian Linux 3.0 ppc
Debian Linux 3.0 s/390
Debian Linux 3.0 sparc
EnGarde Secure Linux 1.0.1
Gentoo Linux 0.5
Gentoo Linux 0.7
HP Secure OS software for Linux 1.0
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 7.2
MandrakeSoft Linux Mandrake 8.0
MandrakeSoft Linux Mandrake 8.0 ppc
MandrakeSoft Linux Mandrake 8.1
MandrakeSoft Linux Mandrake 8.1 ia64
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 8.2 ppc
MandrakeSoft Linux Mandrake 9.0
MandrakeSoft Single Network Firewall 7.2
Openwall Openwall GNU/*/Linux 0.1 -stable
RedHat Linux 6.2
RedHat Linux 6.2 alpha
RedHat Linux 6.2 i386
RedHat Linux 6.2 sparc
RedHat Linux 6.2 sparcv9
RedHat Linux 7.0
RedHat Linux 7.0 alpha
RedHat Linux 7.0 alphaev6
RedHat Linux 7.0 i386
RedHat Linux 7.0 i686
RedHat Linux 7.1
RedHat Linux 7.1 alpha
RedHat Linux 7.1 alphaev6
RedHat Linux 7.1 i386
RedHat Linux 7.1 i686
RedHat Linux 7.1 ia64
RedHat Linux 7.2
RedHat Linux 7.2 i386
RedHat Linux 7.2 i686
RedHat Linux 7.2 ia64
RedHat Linux 7.3
RedHat Linux 7.3 i386
RedHat Linux 8.0
RedHat Linux 8.0 i386
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.4 alpha
S.u.S.E. Linux 6.4 i386
S.u.S.E. Linux 6.4 ppc
S.u.S.E. Linux 7.0
S.u.S.E. Linux 7.0 alpha
S.u.S.E. Linux 7.0 i386
S.u.S.E. Linux 7.0 ppc
S.u.S.E. Linux 7.0 sparc
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.1 alpha
S.u.S.E. Linux 7.1 ppc
S.u.S.E. Linux 7.1 sparc
S.u.S.E. Linux 7.1 x86
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.2 i386
S.u.S.E. Linux 7.3
S.u.S.E. Linux 7.3 i386
S.u.S.E. Linux 7.3 ppc
S.u.S.E. Linux 7.3 sparc
S.u.S.E. Linux 8.0
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux Database Server
S.u.S.E. Linux Enterprise Server 7
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Firewall on CD
S.u.S.E. SuSE eMail Server III
Slackware Linux 8.1
Trustix Secure Linux 1.0 1
Trustix Secure Linux 1.1
Trustix Secure Linux 1.2
Trustix Secure Linux 1.5

Components Affected
Cray UNICOS 6.0 E
Cray UNICOS 6.0
Cray UNICOS 6.1
Cray UNICOS 7.0
Cray UNICOS 8.0
Cray UNICOS 8.3
Cray UNICOS 9.0
Cray UNICOS 9.0.2 .5
Cray UNICOS 9.2 .4
Cray UNICOS 9.2
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 5.0
GNU glibc 2.1
GNU glibc 2.1.1
GNU glibc 2.1.2
GNU glibc 2.1.3
GNU glibc 2.2
GNU glibc 2.2.1
GNU glibc 2.2.2
GNU glibc 2.2.3
GNU glibc 2.2.4
GNU glibc 2.2.5
GNU glibc 2.3
GNU glibc 2.3.1
GNU glibc 2.3.2
HP HP-UX 10.20 Series 800
HP HP-UX 10.20 Series 700
HP HP-UX 10.20
HP HP-UX 10.24
HP HP-UX 11.0 4
HP HP-UX 11.0
HP HP-UX 11.11
HP HP-UX 11.20
HP HP-UX 11.22
IBM AIX 4.3.3
IBM AIX 5.1
IBM AIX 5.2
MIT Kerberos 5 1.2
MIT Kerberos 5 1.2.1
MIT Kerberos 5 1.2.2
MIT Kerberos 5 1.2.3
MIT Kerberos 5 1.2.4
MIT Kerberos 5 1.2.5
MIT Kerberos 5 1.2.6
MIT Kerberos 5 1.2.7
OpenAFS OpenAFS 1.0
OpenAFS OpenAFS 1.0.1
OpenAFS OpenAFS 1.0.2
OpenAFS OpenAFS 1.0.3
OpenAFS OpenAFS 1.0.4 a
OpenAFS OpenAFS 1.0.4
OpenAFS OpenAFS 1.1
OpenAFS OpenAFS 1.1.1 a
OpenAFS OpenAFS 1.1.1
OpenAFS OpenAFS 1.2
OpenAFS OpenAFS 1.2.1
OpenAFS OpenAFS 1.2.2 b
OpenAFS OpenAFS 1.2.2 a
OpenAFS OpenAFS 1.2.2
OpenAFS OpenAFS 1.2.3
OpenAFS OpenAFS 1.2.4
OpenAFS OpenAFS 1.2.5
OpenAFS OpenAFS 1.2.6
OpenAFS OpenAFS 1.3
OpenAFS OpenAFS 1.3.1
OpenAFS OpenAFS 1.3.2
OpenBSD OpenBSD 2.0
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 3.0
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.2
SGI IRIX 6.5
SGI IRIX 6.5.1
SGI IRIX 6.5.2 m
SGI IRIX 6.5.2 f
SGI IRIX 6.5.2
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.4 m
SGI IRIX 6.5.4 f
SGI IRIX 6.5.4
SGI IRIX 6.5.5 m
SGI IRIX 6.5.5 f
SGI IRIX 6.5.5
SGI IRIX 6.5.6 m
SGI IRIX 6.5.6 f
SGI IRIX 6.5.6
SGI IRIX 6.5.7 m
SGI IRIX 6.5.7 f
SGI IRIX 6.5.7
SGI IRIX 6.5.8 m
SGI IRIX 6.5.8 f
SGI IRIX 6.5.8
SGI IRIX 6.5.9 m
SGI IRIX 6.5.9 f
SGI IRIX 6.5.9
SGI IRIX 6.5.10 m
SGI IRIX 6.5.10 f
SGI IRIX 6.5.10
SGI IRIX 6.5.11 m
SGI IRIX 6.5.11 f
SGI IRIX 6.5.11
SGI IRIX 6.5.12 m
SGI IRIX 6.5.12 f
SGI IRIX 6.5.12
SGI IRIX 6.5.13 m
SGI IRIX 6.5.13 f
SGI IRIX 6.5.13
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.15
SGI IRIX 6.5.16 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.17
SGI IRIX 6.5.18 m
SGI IRIX 6.5.18 f
SGI IRIX 6.5.18
SGI IRIX 6.5.19
SGI IRIX 6.5.20
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1
Sun Solaris 2.6 _x86
Sun Solaris 2.6
Sun Solaris 7.0 _x86
Sun Solaris 7.0
Sun Solaris 8.0 _x86
Sun Solaris 8.0
Sun Solaris 9.0 _x86
Sun Solaris 9.0

Recommendations
Block external access at the network boundary, unless service is required by external parties.
Restrict remote access to all services from all but trusted hosts and internal networks. This may aid in preventing attempted exploitation of vulnerable applications.

Disable any unnecessary default services.
Auditing system configurations and removing all unneeded services may help prevent the exploitation of this issue.

Implement multiple redundant layers of security.
The exploitation of this and other potential memory corruption vulnerabilities may be hindered by memory protection schemes. Where possible, use non-executable and randomly mapped memory pages.

Run all software as a non-privileged user with minimal access rights.
The consequences of exploitation may be limited by running all processes with the least privileges required to function.

Sorcerer Linux has advised that users update using the following commands:

augur synch && augur update

HP has released an advisory and states that patches are forthcoming. In the interim, users are advised to download and install updated libraries from the following locations:

ftp://xdr2:xdr2@hprc.external.hp.com/
or
ftp://xdr2:xdr2@192.170.19.51/

Further details are available in the referenced advisory, HPSBUX0303-252.

MIT has released a security advisory (2003-03-18) which contains a patch for KRB5 1.2.7.

Red Hat has released a security advisory (RHSA-2003:089-00) which contains fixes addressing this issue.

CERT has released a security advisory (CA-2003-10) which contains various vendor status information. Further details are available in the attached advisory.

Sun Microsystems has confirmed that Solaris 2.6, 7, 8, and 9 are vulnerable to this issue. Reports indicate that patches are currently being developed.

The glibc 2.3.1 CVS tree has been updated to contain the necessary fixes. Further information can be found in the attached CERT advisory.

It has been reported that IBM has released APARs IY38524, IY38434 and IY39231 for AIX 4.3.3, 5.1, and 5.2 respectively. Users are advised to contact IBM support for further assistance.

FreeBSD has released an advisory (FreeBSD-SA-03:05) containing patches for versions 4.6, 4.7, and 5.0. Users are advised to upgrade as soon as possible.

Sun has acknowledged this vulnerability as a denial of service, and has stated that fixes are forthcoming.

EnGarde has released a security advisory (ESA-20030321-010) containing a fix for this issue.

Debian has released a security advisory [DSA 266-1] containing fixes for this issue. See the advisory in the References section for links to fixed packages.

Cray UNICOS 6.0 E:
Cray UNICOS 6.0:
Cray UNICOS 6.1:
Cray UNICOS 7.0:
Cray UNICOS 8.0:
Cray UNICOS 8.3:
Cray UNICOS 9.0:
Cray UNICOS 9.0.2 .5:
Cray UNICOS 9.2 .4:
Cray UNICOS 9.2:
FreeBSD FreeBSD 4.0:
FreeBSD FreeBSD 4.1:
FreeBSD FreeBSD 4.1.1 -STABLE:
FreeBSD FreeBSD 4.1.1 -RELEASE:
FreeBSD FreeBSD 4.1.1:
FreeBSD FreeBSD 4.2 -STABLE:
FreeBSD FreeBSD 4.2 -RELEASE:
FreeBSD FreeBSD 4.2:
FreeBSD FreeBSD 4.3 -STABLE:
FreeBSD FreeBSD 4.3 -RELEASE:
FreeBSD FreeBSD 4.3:
FreeBSD FreeBSD 4.4 -STABLE:
FreeBSD FreeBSD 4.4:
FreeBSD FreeBSD 4.5 -STABLE:
FreeBSD FreeBSD 4.5 -RELEASE:
FreeBSD FreeBSD 4.5:
FreeBSD FreeBSD 4.6 -STABLE:
FreeBSD FreeBSD 4.6 -RELEASE:
FreeBSD FreeBSD 4.6:

FreeBSD Patch xdr-4.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch

FreeBSD FreeBSD 4.6.2:
FreeBSD FreeBSD 4.7 -STABLE:
FreeBSD FreeBSD 4.7 -RELEASE:
FreeBSD FreeBSD 4.7:
FreeBSD Patch xdr-4.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch

FreeBSD FreeBSD 5.0:
FreeBSD Patch xdr-5.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch

GNU glibc 2.1:
GNU glibc 2.1.1:
GNU glibc 2.1.2:
GNU glibc 2.1.3:
GNU glibc 2.2:
GNU glibc 2.2.1:
GNU glibc 2.2.2:
GNU glibc 2.2.3:
GNU glibc 2.2.4:
GNU Upgrade glibc-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-013.0/RPMS/glibc-2.2.4-26.i386.rpm
GNU Upgrade glibc-localedata-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-013.0/RPMS/glibc-localedata-2.2.4-26.i386.rpm
GNU Upgrade glibc-devel-static-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-013.0/RPMS/glibc-devel-static-2.2.4-26.i386.rpm
GNU Upgrade glibc-devel-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-013.0/RPMS/glibc-devel-2.2.4-26.i386.rpm
GNU Upgrade glibc-devel-static-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-013.0/RPMS/glibc-devel-static-2.2.4-26.i386.rpm
GNU Upgrade glibc-devel-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-013.0/RPMS/glibc-devel-2.2.4-26.i386.rpm
GNU Upgrade glibc-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-013.0/RPMS/glibc-2.2.4-26.i386.rpm
GNU Upgrade glibc-devel-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-013.0/RPMS/glibc-devel-2.2.4-26.i386.rpm
GNU Upgrade glibc-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-013.0/RPMS/glibc-2.2.4-26.i386.rpm
GNU Upgrade glibc-localedata-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-013.0/RPMS/glibc-localedata-2.2.4-26.i386.rpm
GNU Upgrade glibc-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-013.0/RPMS/glibc-2.2.4-26.i386.rpm
GNU Upgrade glibc-localedata-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-013.0/RPMS/glibc-localedata-2.2.4-26.i386.rpm
GNU Upgrade glibc-devel-static-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-013.0/RPMS/glibc-devel-static-2.2.4-26.i386.rpm
GNU Upgrade glibc-localedata-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-013.0/RPMS/glibc-localedata-2.2.4-26.i386.rpm
GNU Upgrade glibc-devel-static-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-013.0/RPMS/glibc-devel-static-2.2.4-26.i386.rpm
GNU Upgrade glibc-devel-2.2.4-26.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-013.0/RPMS/glibc-devel-2.2.4-26.i386.rpm

GNU glibc 2.2.5:
GNU glibc 2.3:
GNU glibc 2.3.1:
GNU glibc 2.3.2:
HP HP-UX 10.20 Series 800:
HP HP-UX 10.20 Series 700:
HP HP-UX 10.20:
HP HP-UX 10.24:
HP HP-UX 11.0 4:
HP HP-UX 11.0:
HP HP-UX 11.11:
HP HP-UX 11.20:
HP HP-UX 11.22:
IBM AIX 4.3.3:
IBM AIX 5.1:
IBM AIX 5.2:
MIT Kerberos 5 1.2:
MIT Kerberos 5 1.2.1:
MIT Kerberos 5 1.2.2:
MIT Kerberos 5 1.2.3:
MIT Kerberos 5 1.2.4:
MIT Kerberos 5 1.2.5:
MIT Kerberos 5 1.2.6:
MIT Kerberos 5 1.2.7:
MIT Patch 2003-003-xdr_patch.txt
http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt

OpenAFS OpenAFS 1.0:
OpenAFS OpenAFS 1.0.1:
OpenAFS OpenAFS 1.0.2:
OpenAFS OpenAFS 1.0.3:
OpenAFS OpenAFS 1.0.4 a:
OpenAFS OpenAFS 1.0.4:
OpenAFS OpenAFS 1.1:
OpenAFS OpenAFS 1.1.1 a:
OpenAFS OpenAFS 1.1.1:
OpenAFS OpenAFS 1.2:
OpenAFS OpenAFS 1.2.1:
OpenAFS OpenAFS 1.2.2 b:
OpenAFS OpenAFS 1.2.2 a:
OpenAFS OpenAFS 1.2.2:
OpenAFS OpenAFS 1.2.3:
OpenAFS OpenAFS 1.2.4:
OpenAFS OpenAFS 1.2.5:
OpenAFS OpenAFS 1.2.6:
OpenAFS OpenAFS 1.3:
OpenAFS OpenAFS 1.3.1:
OpenAFS OpenAFS 1.3.2:
OpenBSD OpenBSD 2.0:
OpenBSD OpenBSD 2.1:
OpenBSD OpenBSD 2.2:
OpenBSD OpenBSD 2.3:
OpenBSD OpenBSD 2.4:
OpenBSD OpenBSD 2.5:
OpenBSD OpenBSD 2.6:
OpenBSD OpenBSD 2.7:
OpenBSD OpenBSD 2.8:
OpenBSD OpenBSD 2.9:
OpenBSD OpenBSD 3.0:
OpenBSD OpenBSD 3.1:
OpenBSD OpenBSD 3.2:
SGI IRIX 6.5:
SGI IRIX 6.5.1:
SGI IRIX 6.5.2 m:
SGI IRIX 6.5.2 f:
SGI IRIX 6.5.2:
SGI IRIX 6.5.3 m:
SGI IRIX 6.5.3 f:
SGI IRIX 6.5.3:
SGI IRIX 6.5.4 m:
SGI IRIX 6.5.4 f:
SGI IRIX 6.5.4:
SGI IRIX 6.5.5 m:
SGI IRIX 6.5.5 f:
SGI IRIX 6.5.5:
SGI IRIX 6.5.6 m:
SGI IRIX 6.5.6 f:
SGI IRIX 6.5.6:
SGI IRIX 6.5.7 m:
SGI IRIX 6.5.7 f:
SGI IRIX 6.5.7:
SGI IRIX 6.5.8 m:
SGI IRIX 6.5.8 f:
SGI IRIX 6.5.8:
SGI IRIX 6.5.9 m:
SGI IRIX 6.5.9 f:
SGI IRIX 6.5.9:
SGI IRIX 6.5.10 m:
SGI IRIX 6.5.10 f:
SGI IRIX 6.5.10:
SGI IRIX 6.5.11 m:
SGI IRIX 6.5.11 f:
SGI IRIX 6.5.11:
SGI IRIX 6.5.12 m:
SGI IRIX 6.5.12 f:
SGI IRIX 6.5.12:
SGI IRIX 6.5.13 m:
SGI IRIX 6.5.13 f:
SGI IRIX 6.5.13:
SGI IRIX 6.5.14 m:
SGI IRIX 6.5.14 f:
SGI IRIX 6.5.14:
SGI IRIX 6.5.15 m:
SGI IRIX 6.5.15 f:
SGI IRIX 6.5.15:
SGI IRIX 6.5.16 m:
SGI IRIX 6.5.16 f:
SGI IRIX 6.5.16:
SGI IRIX 6.5.17 m:
SGI IRIX 6.5.17 f:
SGI IRIX 6.5.17:
SGI IRIX 6.5.18 m:
SGI IRIX 6.5.18 f:
SGI IRIX 6.5.18:
SGI IRIX 6.5.19:
SGI IRIX 6.5.20:
Sun Solaris 2.5.1 _x86:
Sun Solaris 2.5.1:
Sun Solaris 2.6 _x86:
Sun Solaris 2.6:
Sun Solaris 7.0 _x86:
Sun Solaris 7.0:
Sun Solaris 8.0 _x86:
Sun Solaris 8.0:
Sun Solaris 9.0 _x86:
Sun Solaris 9.0:

References
Source: eEye AD20030318 XDR Integer Overflow
URL: http://online.securityfocus.com/advisories/5128

Source: CERT CA-2003-10 Integer overflow in Sun RPC XDR library routines
URL: http://online.securityfocus.com/advisories/5131

Source: SCO CSSA-2003-013.0 Linux: integer overflow vulnerability in XDR/RPC routines
URL: http://online.securityfocus.com/advisories/5138

Source: Debian DSA 266-1 krb5
URL: http://online.securityfocus.com/advisories/5156

Source: EnGarde ESA-20030321-010 RPC XDR decoder vulnerability.
URL: http://online.securityfocus.com/advisories/5150

Source: FreeBSD FreeBSD-SA-03:05 remote denial-of-service in XDR encoder/dec
URL: http://online.securityfocus.com/advisories/5140

Source: HP HPSBUX0303-252 SSRT2439 Potential Security Vulnerability in xdrmem_getbytes()
URL: http://online.securityfocus.com/advisories/5127

Source: RedHat RHSA-2003:089-00 Updated glibc packages fix vulnerabilities in RPC XDR decoder
URL: http://online.securityfocus.com/advisories/5132

Source: [Sorcerer-spells] GLIBC-SORCERER2003-03-20
URL: msg://bugtraq/20030320153350.GC2324@zeus.bitstreet.net

Source: [Sorcerer-spells] KRB5-SORCERER2003-03-20
URL: msg://bugtraq/20030320153253.GB2324@zeus.bitstreet.net

Source: MITKRB5-SA-2003-003: faulty length checks in xdrmem_getbytes
URL: msg://bugtraq/ldvr893q9nv.fsf@cathode-dark-space.mit.edu

Source: RE: EEYE: XDR Integer Overflow
URL: msg://bugtraq/E5362CA2D0B90946B7B37793130B2AC434C9AB@mail.entercept.com

Source: 51884
URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F51884

Credits
The discovery of this vulnerability has been credited to Riley Hassell of eEye.


Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.