Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciacm014.htm

Multiple Vulnerabilities In LPD



M-014: UNIX - Multiple Vulnerabilities In LPD Privacy and Legal Notice

CIAC INFORMATION BULLETIN

M-014: UNIX - Multiple Vulnerabilities In LPD

[CERT Advisory CA-2001-30]

November 15, 2001 21:00 GMT

PROBLEM: Multiple vulnerabilities in the LPD printer daemon allow an intruder to perform a range of attacks from a denial of service (DOS) to a remote, root level, intrusion.
PLATFORM: BSDi BSD/OS Version 4.1 and earlier
Debian GNU/Linux 2.1 and 2.1r4
All released versions of FreeBSD 3.x and 4.x prior to 4.4-RELEASE; FreeBSD 4.3-STABLE and 3.5.1-STABLE prior to the correction date.
Hewlett-Packard HP9000 Series 700/800 running HP-UX releases 10.01, 10.10, 10.20, 11.00, and 11.11
IBM AIX Versions 4.3 and AIX 5.1
Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
NetBSD 1.5.2 and earlier
OpenBSD Version 2.9 and earlier
Red Hat Linux 6.0, 6.2 all architectures
SCO OpenServer Version 5.0.6a and earlier
SGI IRIX 6.5-6.5.13
Sun Solaris 8 and earlier
SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2
DAMAGE: There is a range of possible damages from denial of service to remote, root exploits depending on the particular operating system and vulnerability.
SOLUTION: Check the chart in the bulletin for your particular operating system and vulnerability to determine if your system is vulnerable. Use the links to the vendor pages to get the latest patches for the LPD daemon. Administrators should also restrict access to the LPD daemon and disable it wherever it is not needed.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM to HIGH depending on the vulnerability. Some of the vulnerabilities can only be used to cause a denial of service while others can allow a remote user to get root access on a system.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-014.shtml
  ORIGINAL BULLETIN: http://www.cert.org/advisories/CA-2001-30.html
  PATCHES: BSDI - http://www.bsdi.com/support
Debian - http://www.debian.org/security/2000/20000109
FreeBSD - ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A58.lpd.asc
HP - http://itrc.hp.com/
IBM - http://www-1.ibm.com/services/continuity/recover1.nsf/4699c03b46f2d4f68525678c006d45ae/85256a3400529a8685256ac7005cf00a/$FILE/oar391.txt
Mandrake - http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-054.php3
NetBSD - ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc
OpenBSD - http://www.openbsd.org/errata29.html#lpd
RedHat - http://www.redhat.com/support/errata/RHSA2000002-01.6.0.html
- http://www.redhat.com/support/errata/RHSA-2001-147.html
SCO - ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.20/
SGI - ftp://patches.sgi.com/support/free/security/advisories/20011003-01-P
SuSE - http://lists2.suse.com/archive/suse-security-announce/2001-Oct/0000.html

[***** Start CERT Advisory CA-2001-30 *****]

CERT® Advisory CA-2001-30 Multiple Vulnerabilities in lpd

Original release date: November 05, 2001
Last revised: November 09, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

  • BSDi BSD/OS Version 4.1 and earlier
  • Debian GNU/Linux 2.1 and 2.1r4
  • All released versions of FreeBSD 3.x and 4.x prior to 4.4-RELEASE; FreeBSD 4.3-STABLE and 3.5.1-STABLE prior to the correction date.
  • Hewlett-Packard HP9000 Series 700/800 running HP-UX releases 10.01, 10.10, 10.20, 11.00, and 11.11
  • IBM AIX Versions 4.3 and AIX 5.1
  • Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
  • NetBSD 1.5.2 and earlier
  • OpenBSD Version 2.9 and earlier
  • Red Hat Linux 6.0, 6.2 all architectures
  • SCO OpenServer Version 5.0.6a and earlier
  • SGI IRIX 6.5-6.5.13
  • Sun Solaris 8 and earlier
  • SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2

Overview

There are multiple vulnerabilities in several implementations of the line printer daemon (lpd). The line printer daemon enables various clients to share printers over a network. Review your configuration to be sure you have applied all relevant patches. We also encourage you to restrict access to the lpd service to only authorized users.

I. Description

There are multiple vulnerabilities in several implementations of the line printer daemon (lpd), affecting several systems. Some of these problems have been publicly disclosed previously. However, we believe many system and network administrators may have overlooked one or more of these vulnerabilities. We are issuing this document primarily to encourage system and network administators to check their systems for exposure to each of these vulnerabilities, even if they have addressed some lpd vulnerabilities recently.

Most of these vulnerabilities are buffer overflows allowing a remote intruder to gain root access to the lpd server. For the latest and most detailed information about the known vulnerabilities, please see the vulnerability notes linked to below.

VU#274043 - BSD line printer daemon buffer overflow in displayq()

There is a buffer overflow in several implementations of in.lpd, a BSD line printer daemon. An intruder can send a specially crafted print job to the target and then request a display of the print queue to trigger the buffer overflow. The intruder may be able use this overflow to execute arbitrary commands on the system with superuser privileges.

The line printer daemon must be enabled and configured properly in order for an intruder to exploit this vulnerability. This is, however, trivial as the line printer daemon is commonly enabled to provide printing functionality. In order to exploit the buffer overflow, the intruder must launch his attack from a system that is listed in the "/etc/hosts.equiv" or "/etc/hosts.lpd" file of the target system.

VU#388183 - IBM AIX line printer daemon buffer overflow in kill_print()

A buffer overflow exists in the kill_print() function of the line printer daemon (lpd) on AIX systems. An intruder could exploit this vulnerability to obtain root privileges or cause a denial of service (DoS). The intruder would need to be listed in the victim's /etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this vulnerability.

VU#722143 - IBM AIX line printer daemon buffer overflow in send_status()

A buffer overflow exists in the send_status() function of the line printer daemon (lpd) on AIX systems. An intruder could exploit this vulnerability to obtain root privileges or cause a denial of service (DoS). The intruder would need to be listed in the victim's /etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this vulnerability.

VU#466239 - IBM AIX line printer daemon buffer overflow in chk_fhost()

A buffer overflow exists in the chk_fhost() function of the line printer daemon (lpd) on AIX systems. An intruder could exploit this vulnerability to obtain root privileges or cause a denial of service (DoS). The intruder would need control of the DNS server to exploit this vulnerability.

VU#39001 - line printer daemon allows options to be passed to sendmail

There exists a vulnerability in the line printer daemon that permits an intruder to send options to sendmail. These options could be used to specify another configuration file, allowing an intruder to gain root access.

VU#30308 - line printer daemon hostname authentication bypassed with spoofed DNS

A vulnerability exists in the line printer daemon (lpd) shipped with the printer package for several systems. The authentication method was not thorough enough. If a remote user was able to control their own DNS so that their IP address resolved to the hostname of the print server, access would be granted when it should not be.

VU#966075 - Hewlett-Packard HP-UX line printer daemon buffer overflow

A buffer overflow exists in HP-UX's line printer daemon (rlpdaemon) that may allow an intruder to execute arbitrary code with superuser privilege on the target system. The rlpdaemon is installed by default and is active even if it is not being used. An intruder does not need any prior knowledge, or privileges on the target system, in order to exploit this vulnerability.

II. Impact

All of these vulnerabilities can be exploited remotely. In most cases, they allow an intruder to execute arbitrary code with the privileges of the lpd server. In some cases, an intruder must have access to a machine listed in /etc/hosts.equiv or /etc/hosts.lpd, and in some cases, an intruder must be able to control a nameserver.

One vulnerability (VU#39001) allows you to specify options to sendmail that can be used to execute arbitrary commands. Ordinarily, this vulnerability is only exploitable from machines that are authorized to use the lpd server. However, in conjunction with another vulnerability (VU#30308), permitting intruders to gain access to the lpd service, this vulnerability can be used by intruders not normally authorized to use the lpd service.

For specific information about the impacts of each of these vulnerabilities, please consult the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls).

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

This table represents the status of each vendor with regard to each vulnerability. Please be aware that vendors produce multiple products; if they are listed in this table, not all products may be affected. If a vendor is not listed in the table below, then their status should be considered unknown. For specific information about the status of each of these vulnerabilities, please consult the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls).

VU#274043 VU#388183 VU#722143 VU#466239 VU#39001 VU#30308 VU#966075
Vendors Affected
Berkeley Software Design, Inc. (BSDI)
FreeBSD
NetBSD
OpenBSD
Red Hat
SCO
SGI
SuSE
IBM
IBM
IBM
Debian
Mandrake
Red Hat
Sun
Debian
IBM
Red Hat
Hewlett-Packard
Vendors Not Affected
Caldera
Engarde
Fujitsu
IBM
Sun
Apple
Caldera
Cray
Engarde
FreeBSD
Fujitsu
Red Hat
Sun
Apple
Caldera
Cray
Engarde
FreeBSD
Fujitsu
Red Hat
Sun
Apple
Caldera
Cray
Engarde
FreeBSD
Fujitsu
Red Hat
Sun
Caldera
Cray
Engarde
FreeBSD
Fujitsu
IBM
Apple
Caldera
Engarde
FreeBSD
Fujitsu
Sun
Apple
Caldera
Cray
Engarde
FreeBSD
Fujitsu
IBM
Red Hat
Sun

Restrict access to the lpd service

As a general practice, we recommend disabling all services that are not explicitly required. You may wish to disable the line printer daemon if there is not a patch available from your vendor.

If you cannot disable the service, you can limit your exposure to these vulnerabilities by using a router or firewall to restrict access to port 515/TCP (printer). Note that this does not protect you against attackers from within your network.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

Mac OS X does not have the line printer daemon vulnerability issues described in these advisories.

Berkeley Software Design, Inc. (BSDI)

Some (older) versions are affected. The current (BSD/OS 4.2) release is not vulnerable. Systems are only vulnerable to attack from hosts which are allowed via the /etc/hosts.lpd file (which is empty as shipped).

BSD/OS 4.1 is the only vulnerable version which is still officially supported by Wind River Systems. A patch (M410-044) is available in the normal locations,
ftp://ftp.bsdi.com/bsdi/patches or via our web site at http://www.bsdi.com/support

Compaq

Compaq has not been able to reproduce the problems identified in this advisory for TRU64 UNIX. We will continue testing and address the LPD issues if a problem is discovered and provide patches as necessary.

Cray

Cray, Inc. has been unable to prove an lpd vulnerability. However, it was deemed that a buffer overflow may be possible and so did tighten up the code. See Cray SPR 721101 for more details.

Debian

http://www.debian.org/security/2000/20000109

FreeBSD, Inc.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A58.lpd.asc

Hewlett-Packard Company

Hewlett-Packard has released

HPSBUX0108-163 Sec. Vulnerability in rlpdaemon

Bulletin and patches available from
http://itrc.hp.com

Details to access http://itrc.hp.com are included at the last half of any HP Bulletin.

IBM Corporation

http://www-1.ibm.com/services/continuity/recover1.nsf/4699c03b46f2d4f68525678c006d45ae/85256a3400529a8685256ac7005cf00a/$FILE/oar391.txt

Mandrake Software

http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-054.php3

NetBSD

If lpd has been enabled, this issue affects NetBSD versions 1.5.2 and prior releases, and NetBSD-current prior to August 30, 2001. lpd is disabled by default in NetBSD installations.

Detailed information will be released subsequent to the publication of this CERT advisory.

An up-to-date PGP signed copy of the release will be maintained at

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG and http://www.NetBSD.ORG/Security/.

OpenBSD

http://www.openbsd.org/errata29.html#lpd

RedHat Inc.

http://www.redhat.com/support/errata/RHSA2000002-01.6.0.html
http://www.redhat.com/support/errata/RHSA-2001-147.html

Santa Cruz Operation, Inc. (SCO)

ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.20/

SGI

ftp://patches.sgi.com/support/free/security/advisories/20011003-01-P

SuSE

http://lists2.suse.com/archive/suse-security-announce/2001-Oct/0000.html

The CERT Coordination Center thanks Internet Security Systems and IBM for the information provided in their advisories.


Feedback on this document can be directed to the author, Jason A. Rafail


References


This document is available from: http://www.cert.org/advisories/CA-2001-30.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

November 05, 2001:  Initial release

November 07, 2001:  Updated FreeBSD Systems Affected 

November 08, 2001:  Updated Red Hat Statement 

November 09, 2001:  Updated Apple Table Status 

[***** End CERT Advisory CA-2001-30 *****]




CIAC wishes to acknowledge the contributions of CERT/CC for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)

    FAX:            +1 925-423-8002

    STU-III:        +1 925-423-2604

    E-mail:          ciac@llnl.gov

    World Wide Web:  http://www.ciac.org/

                     http://ciac.llnl.gov

                     (same machine -- either one will work)

    Anonymous FTP:   ftp.ciac.org

                     ciac.llnl.gov

                     (same machine -- either one will work)


This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH