| VID |
17036 |
| Severity |
30 |
| Port |
|
| Protocol |
UDP |
| Class |
RPC |
| Detailed Description |
The rpc.statd daemon is vulnerable to a remote file creation and removal attack. rpc.statd (or simply statd on some machines) is the NFS file-locking status monitor. Remote Procedure Call (RPC) statd maintains state information in cooperation with RPC lockd to provide crash and recovery functionality for file locking across the Network File System (NFS). Statd does not validate information received from a remote lockd. By sending the statd service a malformed request that includes references to the parent directory ("../"), an attacker can provide false information to rpc.statd, allowing the creation of a file in an arbitrary directory on the host. This can be used to overwrite pre-existing files or create new files on the host.
* NOTE: There is no method to remotely verify whether this attack has completed successfully. If the check completes without receiving an error message from the host being scanned, that system will be reported as being vulnerable. This scanner attempts to create a file called 'by_scanner.statd.vulnerability' in the /tmp directory. If this file exists on the specified host after the scan is complete, then the host is vulnerable.
* References:
http://www.iss.net/security_center/static/109.php
http://www.cert.org/advisories/CA-1996-09.html
Platforms Affected:
AIX: All Versions
DG/UX: All Versions
HP-UX 10.x
HP-UX 9.x
IRIX: All Versions
NCR MP-RAS: All Versions
NEC EWS-UX/V: All Versions
NEC UP-UX/V: All Versions
NEC UX/4800: All Versions
NeXTSTEP: All Versions
Solaris: 2.4, 2.5, 2.5.1 |
| Recommendation |
Disable the 'rpc.statd' rpc service if your system is not acting as either an NFS client or server.
-- OR --
Apply the appropriate patch for your operating system.
For Hewlett-Packard: Apply the appropriate patch for your system, as listed in Hewlett-Packard Security Bulletin HPSBUX9607-032 at http://us-support.external.hp.com/index.html. Patch numbers are also listed below, for your convenience:
Series 300/400 HP-UX 9.X: PHNE_7371 and PHNE_7372
Series 700/800 HP-UX 9.X: PHNE_7072
Series 700/800 HP-UX 10.X: PHNE_7073
Series 700 HP-UX 9.08 BLS: PHNE_8015
Series 700 HP-UX 9.09 BLS: PHNE_8016
Series 700 HP-UX 9.09+ BLS: PHNE_8017
Series 700 HP-UX 10.09 CMW: PHNE_8018
Series 700 HP-UX 10.09.01 CMW: PHNE_8019
Series 700 HP-UX 10.16 CMW: PHNE_8020
For AIX 3.2: More information is available in APAR IX56056, available from the IBM RS/6000 Support Web site, http://techsupport.services.ibm.com/rs6000/aix.CAPARdb
For AIX 4.1: More information is available in APAR IX55931, available from the IBM RS/6000 Support Web site, http://techsupport.services.ibm.com/rs6000/aix.CAPARdb
For Sony NEWS-OS: Apply the appropriate patch for your system, as listed in CERT Advisory CA-1996-09, http://www.cert.org/advisories/CA-1996-09.html
For SunOS: Apply the appropriate patch for your system, as listed in Sun Microsystems, Inc. Security Bulletin #00135, http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/135
For IRIX: Apply the appropriate patch for your system, as listed in SGI Security Advisory 19971201-01-P, ftp://patches.sgi.com/support/free/security/advisories/19971201-01-P1391
For NCR Corporation: Apply the appropriate patch for your system, as listed in CERT Advisory CA-1996-09, http://www.cert.org/advisories/CA-1996-09.html
For other distributions: Contact your vendor for upgrade or patch information. |
| Related URL |
CVE-1999-0019 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
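Because the NOTE above says the result cannot be confirmed remotely, a host-side follow-up is useful after a scan. The script below is an added example, not part of the original check: it reads `rpcinfo -p` output to see whether statd is registered and looks for the scanner's marker file. The function names and the sample listing are constructed for illustration, and it assumes statd is registered under the standard RPC program number 100024 ("status").

```shell
#!/bin/sh
# Added example: host-side follow-up to the scanner check described above.
STATD_PROG=100024                      # RPC program number of the "status" service
MARKER=by_scanner.statd.vulnerability  # marker file name from the NOTE above

# Constructed sample of `rpcinfo -p` output (not taken from a real host).
SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100021    1   udp   4045  nlockmgr'

# Read `rpcinfo -p` output on stdin; print "proto port" for each statd registration.
statd_registrations() {
    awk -v prog="$STATD_PROG" '$1 == prog { print $3, $4 }' | sort -u
}

# Succeed if the scanner's marker file exists in the given directory (default /tmp).
marker_present() {
    [ -e "${1:-/tmp}/$MARKER" ]
}

# Classify the host from `rpcinfo -p` text on stdin and the marker directory in $1.
#   VULNERABLE      marker file exists: the scanner's write succeeded
#   UNCONFIRMED     statd is registered but no marker file was found
#   NOT_REGISTERED  statd is not registered with the portmapper
assess() {
    regs=$(statd_registrations)
    if marker_present "$1"; then
        echo VULNERABLE
    elif [ -n "$regs" ]; then
        echo UNCONFIRMED
    else
        echo NOT_REGISTERED
    fi
}

# Demo on the constructed sample; on a real host use: rpcinfo -p | assess /tmp
printf '%s\n' "$SAMPLE" | assess /tmp
```

A host reported as UNCONFIRMED still needs one of the two actions under Recommendation: disable rpc.statd or apply the vendor patch.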