Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciacj051.txt

Calendar Manager Service Buffer Overflow Vulnerability




             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN
             Calendar Manager Service Buffer Overflow Vulnerability


July 16, 1999 17:00 GMT                                           Number J-051
Last updated September 23, 1999 17:00 GMT
______________________________________________________________________________
PROBLEM:        A buffer overflow vulnerability has been discovered in the
                Calendar Manager Service daemon, rpc.cmsd.
PLATFORM:       HP-9000 Series 700/800 HP-UX releases 10.2x, 10.30, 11.00.
                SCO UnixWare 7 is potentially vulnerable.
                Sun Microsystems:
                  SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5.1_x86,
                  5.5, 5.5_x86, 5.4, 5.4_x86, 5.3, 4.1.4, and 4.1.3_U1.
                  CDE 1.3, 1.3_86, 1.2, 1.2_86, 1.0.2, 1.0.1.
                Tru64 UNIX V4.0D, V4.0E and V4.0F.
DAMAGE:         If exploited, an attacker may gain root access.
SOLUTION:       Disable the rpc.cmsd daemon or apply available patches.
______________________________________________________________________________
VULNERABILITY   Risk is high.  This vulnerability is being actively exploited.
ASSESSMENT:     Patch your systems as soon as possible.
______________________________________________________________________________

[  Update on Sept. 23, 1999 with additional patch information from Hewlett-
   Packard.  ]

[  Update on August 26, 1999 with additional patch information from Sun
   Microsystems. ]

[  Update on August 19, 1999 with additional patch information from Compaq
   Computer Corporation.  ]


[  Start CERT Advisory  ]

CERT Advisory CA-99-08-cmsd

   Originally released: July 16, 1999
   Source: CERT/CC

Systems Affected

     * Systems running the Calendar Manager Service daemon, often named
       rpc.cmsd

I. Description

   A buffer overflow vulnerability has been discovered in the Calendar
   Manager Service daemon, rpc.cmsd. The rpc.cmsd daemon is frequently
   distributed with the Common Desktop Environment (CDE) and Open
   Windows.

II. Impact

   Remote and local users can execute arbitrary code with the privileges
   of the rpc.cmsd daemon, typically root. Under some configurations
   rpc.cmsd runs with an effective userid of daemon, while retaining root
   privileges.

   This vulnerability is being exploited in a significant number of
   incidents reported to the CERT/CC. An exploit script was posted to
   BUGTRAQ.

III. Solution

   Install a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.

   We will update this advisory as more information becomes available.
   Please check the CERT/CC Web site for the most current revision.

   Disable the rpc.cmsd daemon

   If you are unable to apply patches to correct this vulnerability, you
   may wish to disable the rpc.cmsd daemon. If you disable rpc.cmsd, it
   may affect your ability to manage calendars.

Appendix A: Vendor Information

   Hewlett-Packard Company

   HP is vulnerable, patches in process.

   IBM Corporation

   AIX is not vulnerable to the rpc.cmsd remote buffer overflow.
          IBM and AIX are registered trademarks of International Business
          Machines Corporation.

   Santa Cruz Operation, Inc.

   SCO is investigating this problem. The following SCO product contains
          CDE and is potentially vulnerable:

          + SCO UnixWare 7

          The following SCO products do not contain CDE, and are
          therefore believed not to be vulnerable:

          + SCO UnixWare 2.1
          + SCO OpenServer 5
          + SCO Open Server 3.0
          + SCO CMW+

          SCO will provide further information and patches if necessary
          as soon as possible at http://www.sco.com/security.

   Silicon Graphics, Inc.

   IRIX does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.

          UNICOS does not have dtcm or rpc.cmsd and therefore is NOT
          vulnerable.

   Sun Microsystems, Inc.

   The following patches are available:
          OpenWindows:

    SunOS version     Patch ID
    _____________     _________
    SunOS 5.5.1       104976-04
    SunOS 5.5.1_x86   105124-03
    SunOS 5.5         103251-09
    SunOS 5.5_x86     103273-07
    SunOS 5.3         101513-14
    SunOS 4.1.4       100523-25
    SunOS 4.1.3_U1    100523-25

          CDE:

    CDE version       Patch ID
    ___________       ________
    1.3               107022-03
    1.3_x86           107023-03
    1.2               105566-07
    1.2_x86           105567-08

          Patches for SunOS 5.4 and CDE 1.0.2 and 1.0.1 will be available
          within a week of the release of this advisory.

          Sun security patches are available at:

          http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-li
          cense&nav=pubpatches

______________________________________________________________________________
   The CERT Coordination Center would like to thank Chok Poh of Sun
   Microsystems, David Brumley of Stanford University, and Elias Levy of
   Security Focus for their assistance in preparing this advisory.
______________________________________________________________________________

[  End CERT Advisory  ]



[  Start Compaq Update  ]

UPDATE:                                         AUG.  11,  1999

  TITLE: Potential Security Problem when using rpc.cmsd
  (calendar manager). x-ref: CERT Advisory CA-99-08

  SOURCE: Compaq Computer Corporation
          Software Security Response Team

 "Compaq is broadly distributing this Security Advisory in order
 to bring to the attention of users of Compaq products the
 important security information contained in this Advisory.
 Compaq recommends that all users determine the applicability of
 this information to their individual situations and take
 appropriate action.

 Compaq does not warrant that this information is necessarily
 accurate or complete for all user situations and,   consequently,
 Compaq will not be responsible for any damages resulting from
 user's use or disregard of the information provided in this
 Advisory."

- -----------------------------------------------------------------------
IMPACT:

 This fix was implemented in response to the recent posting of
 the CERT CA-99-08-cmsd advisory.

- -----------------------------------------------------------------------
RESOLUTION:

 This potential security problem has been resolved and a
 patch for this problem has been made available for
 Tru64 UNIX V4.0D, V4.0E and V4.0F.

 This patch can be installed on:
 V4.0D  Patch kit BL11 or BL12.
 V4.0E  Patch kit BL1 or BL12.
 V4.0F  Patch kit BL1.

 *This solution will be included in a future distributed release of
  Compaq's DIGITAL UNIX.


  This patch may be obtained from the World Wide Web at the
  following FTP address:

       http://www.service.digital.com/patches


 Patch file name: SSRT0614U_rpc_cmsd.tar.Z

 Use the FTP access option, select DIGITAL_UNIX directory
 then choose the appropriate version directory and
 download the patch accordingly.


 NOTE: There is a README file included with this patch, which
       contains installation instructions.


 Additional Considerations:

   If you need further information, please contact your normal
   Compaq Services support channel.

   Compaq appreciates your cooperation and patience. We regret any
   inconvenience applying this information may cause.

   As always, Compaq urges you to periodically review your system
   management and security procedures.

   Compaq will continue to review and enhance the security
   features of its products and work with customers to maintain and
   improve the security and integrity of their systems.
 ____________________________________________________________
  Copyright (c) Compaq Computer Corporation, 1999 All
  Rights Reserved.
  Unpublished Rights Reserved Under The Copyright Laws Of
  The United States.
  ___________________________________________________________


[  End Compaq Update  ]


[  Start Sun Microsystems Update  ]

______________________________________________________________________________
                   Sun Microsystems, Inc. Security Bulletin

Bulletin Number:   #00188
Date:              August 25, 1999
Cross-Ref:         CERT CA-99-08
Title:             rpc.cmsd
______________________________________________________________________________
The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the information
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law,
void, or unenforceable in any jurisdiction, then such provisions are waived
to the extent necessary for this disclaimer to be otherwise enforceable in
such jurisdiction.
______________________________________________________________________________

1.  Bulletin Topics

    Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1,
    2.5, 2.4, 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4, 5.3), SunOS 4.1.4,
    and 4.1.3_U1, which relate to a vulnerability involving rpc.cmsd.

    Sun recommends that you:

      Install the OpenWindows patches listed in section 4 immediately on
      systems running SunOS 5.5.1, 5.5, 5.4, 5.3, 4.1.4, and 4.1.3_U1.

      Install the Common Desktop Environment (CDE) patches listed in
      section 4 immediately on systems running SunOS 5.7 and 5.6.

      Install the CDE patches listed in section 4 immediately on systems
      running SunOS 5.5.1, 5.5, and 5.4 with CDE 1.0.2 or 1.0.1 installed.

2.  Who is Affected

    Vulnerable:     SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5.1_x86,
                          5.5, 5.5_x86, 5.4, 5.4_x86, 5.3,
                          4.1.4, and 4.1.3_U1.

    Not vulnerable: All other supported versions of SunOS.

3.  Understanding the Vulnerability

    The rpc.cmsd is a small database manager for appointment and
    resource-scheduling data. Its primary client is Calendar Manager
    in OpenWindows, and Calendar in CDE. A buffer overflow vulnerability
    has been discovered which may be exploited to execute arbitrary
    instructions and gain root access.

4.  List of Patches

    The following patches are available in relation to the above problem.

    OpenWindows:

    SunOS version             Patch ID
    _____________             _________

    SunOS 5.5.1         104976-04
    SunOS 5.5.1_x86     105124-03
    SunOS 5.5           103251-09
    SunOS 5.5_x86       103273-07
    SunOS 5.4           102030-10
    SunOS 5.4_x86       102031-08
    SunOS 5.3           101513-14
    SunOS 4.1.4         100523-25
    SunOS 4.1.3_U1      100523-25

    CDE:

    SunOS versions                  CDE version Patch ID
    ______________                  ___________ ________

    5.7                             1.3         107022-04
    5.7_x86                         1.3_x86     107023-04
    5.6                             1.2         105566-07
    5.6_x86                         1.2_x86     105567-08
    5.5.1, 5.5, 5.4                 1.0.2       103670-07
    5.5.1_x86, 5.5_x86, 5.4_x86     1.0.2_x86   103717-08
    5.5, 5.4                        1.0.1       103671-07
    5.5_x86, 5.4_x86                1.0.1_x86   103718-08

______________________________________________________________________________
APPENDICES

A.  Patches listed in this bulletin are available to all Sun customers at:

    http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-
license&nav=pub-patches

B.  Checksums for the patches listed in this bulletin are available at:

    ftp://sunsolve.sun.com/pub/patches/CHECKSUMS

C.  Sun security bulletins are available at:

    http://sunsolve.sun.com/pub-cgi/secBulletin.pl

D.  Sun Security Coordination Team's PGP key is available at:

    http://sunsolve.sun.com/pgpkey.txt

E.  To report or inquire about a security problem with Sun software, contact
    one or more of the following:

        - Your local Sun Solution Center
        - Your representative computer security response team, such as CERT
        - Sun Security Coordination Team. Send email to:

                security-alert@sun.com

F.  To receive information or subscribe to our CWS (Customer Warning System)
    mailing list, send email to:

                security-alert@sun.com

    with a subject line (not body) containing one of the following commands:

        Command         Information Returned/Action Taken
        _______         _________________________________

        help            An explanation of how to get information

        key             Sun Security Coordination Team's PGP key

        list            A list of current security topics

        query [topic]   The email is treated as an inquiry and is forwarded to
                        the Security Coordination Team

        report [topic]  The email is treated as a security report and is
                        forwarded to the Security Coordination Team. Please
                        encrypt sensitive mail using Sun Security Coordination
                        Team's PGP key

        send topic      A short status summary or bulletin. For example, to
                        retrieve a Security Bulletin #00138, supply the
                        following in the subject line (not body):

                                send #138

        subscribe       Sender is added to our mailing list.  To subscribe,
                        supply the following in the subject line (not body):

                                subscribe cws your-email-address

                        Note that your-email-address should be substituted
                        by your email address.

        unsubscribe     Sender is removed from the CWS mailing list.
______________________________________________________________________________

Copyright 1999 Sun Microsystems, Inc. All rights reserved. Sun,
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks
of Sun Microsystems, Inc. in the United States and other countries. This
Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to
Sun Microsystems, Inc. and provided that such reproduction and distribution
is performed for non-commercial purposes.


[  End Sun Microsystems Update  ]


[  Start Hewlett-Packard Bulletin  ]

Digest Name:  Daily Security Bulletins Digest
    Created:  Thu Sep  9  3:00:02 PDT 1999

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX9908-102   Security Vulnerability in rpc.cmsd

The documents are listed below.
-------------------------------------------------------------------------------

Document ID:  HPSBUX9908-102
Date Loaded:  19990908
      Title:  Security Vulnerability in rpc.cmsd

-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00102, 30 Aug 1999
Last Revised: 08 Sept 1999
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  Buffer overflow vulnerability in the CDE Calendar Manager
          Service Daemon, rpc.cmsd.

PLATFORM: HP-9000 Series 700/800 HP-UX releases 10.2X, 10.30, 11.00.

DAMAGE:   Allows remote and local users to execute arbitrary code with
          root privileges.

SOLUTION: **REVISED 01**
          Install the applicable patch.

AVAILABILITY: The patches are available now.
CHANGE SUMMARY: This revision affects only HP-UX 10.24 (VVOS).
-------------------------------------------------------------------------
I.
   A. Background
      This problem has been reported in CERT Advisory CA-99-08.

   B. Fixing the problem - Install the applicable patch:
             For HP-UX release 10.20         PHSS_19482;
------>>>>   For HP-UX release 10.24         PHSS_19702;
             For HP-UX release 11.00         PHSS_19483.
      There are significant patch dependencies for these patches.

      Note:  HP-UX release 10.30 was a development release prior to
             the availability of HP-UX release 11.00.  HP-UX release
             10.30 will not be patched.

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP Electronic Support Center via electronic
      mail, do the following:

      Use your browser to get to the HP Electronic Support Center page
      at:

        http://us-support.external.hp.com
               (for US, Canada, Asia-Pacific, & Latin-America)
        http://europe-support.external.hp.com     (for Europe)

      Login with your user ID and password (or register for one).
      Remember to save the User ID assigned to you, and your password.
      Once you are in the Main Menu:
      To -subscribe- to future HP Security Bulletins,
        click on "Support Information Digests".
      To -review- bulletins already released from the main Menu,
        click on the "Search Technical Knowledge Database."

      Near the bottom of the next page, click on "Browse the HP
      Security Bulletin Archive".
      Once in the archive there is another link to our current Security
      Patch Matrix.  Updated daily, this matrix categorizes security
      patches by platform/OS release, and by bulletin topic.

      The security patch matrix is also available via anonymous ftp:

      us-ffs.external.hp.com
      ~ftp/export/patches/hp-ux_patch_matrix

   D. To report new security vulnerabilities, send email to

       security-alert@hp.com

      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

     Permission is granted for copying and circulating this Bulletin to
     Hewlett-Packard (HP) customers (or the Internet community) for the
     purpose of alerting them to problems, if and only if, the Bulletin
     is not edited or changed in any way, is attributed to HP, and
     provided such reproduction and/or distribution is performed for
     non-commercial purposes.

     Any other use of this information is prohibited. HP is not liable
     for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID:  HPSBUX9908-102--------------------------------------


[  End Hewlett-Packard Bulletin  ]

______________________________________________________________________________

CIAC wishes to acknowledge CERT, Compaq Computer Corp., Sun Microsystems,
and Hewlett-Packard for the information contained in this bulletin.
______________________________________________________________________________



CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or

    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3.  Send e-mail to 4498369@skytel.com, or

    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-041: Cisco IOS(R) Software Input Access List Leakage with NAT
J-042: Web Security
J-043: Creating/Installing Warning Banners
J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
J-045: Vulnerability in statd exposes vulnerability in automountd
J-046: HP-UX VVOS NES Vulnerability
J-047: The ExploreZip Worm
J-048: Malformed HTR Request Vulnerability
J-049: Windows NT, Two Denial-of-Service Vulnerabilities
J-050: HP-UX Visualize Conference Vulnerability


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBN8w9FLnzJzdsy3QZAQHwAwP+JviOcEmphlGHvI4HqglPLAqrs0kqYTcv
lt+xdraCda+ewrmsfZVzwfsjF1d14RenwuX4ofLfC8Cvts/UVISDATLIl+KfFF70
/JHvoupfsNQ9d0/MK22Sosi+125uUZGMN+OsqKunVCcWzlKyZLIzYIb9mvNxaigf
JChbWbBJvYk=
=RAwW
-----END PGP SIGNATURE-----



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH