Flaw Found in Sun XDR Libraries

By Michael Singer (Send Email)
Posted Mar 20, 2003


Officials with CERT Coordination Center Wednesday issued a serious warning against security holes disable servers running Sun XDR library routines from remote locations. CERT/CC officials warn of vulnerabilities caused by an integer overflow that may let intruders crash a system or cause it to leak sensitive information, such as secret keys.

Sun's Network Services library, BSD-derived libraries with XDR/RPC routines or GNU C library with sunrpc were identified as high-risk targets.

According to the dispatch, an integer overflow found in the "xdrmem_getbytes" function distributed as part of the Sun Microsystems XDR library could cause remotely exploitable buffer overflows in multiple applications. The flaw reportedly leads to the execution of arbitrary code with root privileges.

XDR, which stands for External Data Representation is a standard for the description and encoding of data. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to transferring data between different computer architectures.

Specific impacts of the reported flaw include the ability to crash the RPCbind service. In addition, CERT/CC says remote intruders could also crash the MIT KRB5 kadmind or cause it to leak sensitive information, such as secret keys.

"Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable function," the group said in its statement. "As a best practice, the CERT/CC recommends disabling all services that are not explicitly required."

After the patches are installed, CERT/CC suggests administrators recompile statically linked applications using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.

Although the library was originally distributed by Sun, CERT/CC officials say multiple vendors have included the vulnerable code in their own implementations.

At press time, IBM said the vulnerability impacts its AIX operating system in releases 4.3.3, 5.1.0 and 5.2.0. Sun said Solaris 2.6, 7, 8 and 9 are also open to the flaw. Both companies have issued patches.

Hewlett-Packard , Cray and SGI said they were aware of the problem and were investigating the potential impact.

Engineers at Aliso Viejo, Calif.-based eEye Digital Security were the first to discover and report the flaws. However, published reports suggest that hackers may have a head start considering the notification was leaked to a security mailing list last week.

So far, CERT/CC said it has received no reports of widespread attacks based on this vulnerability.

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.