             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Calendar Manager Service Buffer Overflow Vulnerability

July 16, 1999 17:00 GMT                                           Number J-051
Last updated September 23, 1999 17:00 GMT
______________________________________________________________________________
PROBLEM:       A buffer overflow vulnerability has been discovered in the
               Calendar Manager Service daemon, rpc.cmsd.
PLATFORM:      HP-9000 Series 700/800 HP-UX releases 10.2x, 10.30, 11.00.
               SCO UnixWare 7 is potentially vulnerable.
               Sun Microsystems: SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1,
               5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86, 5.3, 4.1.4, and
               4.1.3_U1. CDE 1.3, 1.3_86, 1.2, 1.2_86, 1.0.2, 1.0.1.
               Tru64 UNIX V4.0D, V4.0E and V4.0F.
DAMAGE:        If exploited, an attacker may gain root access.
SOLUTION:      Disable the rpc.cmsd daemon or apply available patches.
______________________________________________________________________________
VULNERABILITY  Risk is high. This vulnerability is being actively exploited.
ASSESSMENT:    Patch your systems as soon as possible.
______________________________________________________________________________

[ Update on Sept. 23, 1999 with additional patch information from
  Hewlett-Packard. ]

[ Update on August 26, 1999 with additional patch information from
  Sun Microsystems. ]

[ Update on August 19, 1999 with additional patch information from
  Compaq Computer Corporation. ]

[ Start CERT Advisory ]

CERT Advisory CA-99-08-cmsd

   Originally released: July 16, 1999
   Source: CERT/CC

Systems Affected

   * Systems running the Calendar Manager Service daemon, often named
     rpc.cmsd

I. Description

   A buffer overflow vulnerability has been discovered in the Calendar
   Manager Service daemon, rpc.cmsd. The rpc.cmsd daemon is frequently
   distributed with the Common Desktop Environment (CDE) and Open Windows.

II. Impact

   Remote and local users can execute arbitrary code with the privileges
   of the rpc.cmsd daemon, typically root. Under some configurations
   rpc.cmsd runs with an effective userid of daemon, while retaining root
   privileges.

   This vulnerability is being exploited in a significant number of
   incidents reported to the CERT/CC. An exploit script was posted to
   BUGTRAQ.

III. Solution

   Install a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.

   We will update this advisory as more information becomes available.
   Please check the CERT/CC Web site for the most current revision.

   Disable the rpc.cmsd daemon

   If you are unable to apply patches to correct this vulnerability, you
   may wish to disable the rpc.cmsd daemon. If you disable rpc.cmsd, it
   may affect your ability to manage calendars.

Appendix A: Vendor Information

   Hewlett-Packard Company

   HP is vulnerable, patches in process.

   IBM Corporation

   AIX is not vulnerable to the rpc.cmsd remote buffer overflow.

   IBM and AIX are registered trademarks of International Business
   Machines Corporation.

   Santa Cruz Operation, Inc.

   SCO is investigating this problem. The following SCO product contains
   CDE and is potentially vulnerable:

     + SCO UnixWare 7

   The following SCO products do not contain CDE, and are therefore
   believed not to be vulnerable:

     + SCO UnixWare 2.1
     + SCO OpenServer 5
     + SCO Open Server 3.0
     + SCO CMW+

   SCO will provide further information and patches if necessary as soon
   as possible at http://www.sco.com/security.

   Silicon Graphics, Inc.

   IRIX does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.

   UNICOS does not have dtcm or rpc.cmsd and therefore is NOT vulnerable.

   Sun Microsystems, Inc.
   The following patches are available:

   OpenWindows:

      SunOS version    Patch ID
      _____________    _________
      SunOS 5.5.1      104976-04
      SunOS 5.5.1_x86  105124-03
      SunOS 5.5        103251-09
      SunOS 5.5_x86    103273-07
      SunOS 5.3        101513-14
      SunOS 4.1.4      100523-25
      SunOS 4.1.3_U1   100523-25

   CDE:

      CDE version      Patch ID
      ___________      ________
      1.3              107022-03
      1.3_x86          107023-03
      1.2              105566-07
      1.2_x86          105567-08

   Patches for SunOS 5.4 and CDE 1.0.2 and 1.0.1 will be available within
   a week of the release of this advisory.

   Sun security patches are available at:

   http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pubpatches
______________________________________________________________________________

   The CERT Coordination Center would like to thank Chok Poh of Sun
   Microsystems, David Brumley of Stanford University, and Elias Levy of
   Security Focus for their assistance in preparing this advisory.
______________________________________________________________________________

[ End CERT Advisory ]

[ Start Compaq Update ]

UPDATE:   AUG. 11, 1999

TITLE:    Potential Security Problem when using rpc.cmsd (calendar manager).
          x-ref: CERT Advisory CA-99-08

SOURCE:   Compaq Computer Corporation
          Software Security Response Team

"Compaq is broadly distributing this Security Advisory in order to bring
to the attention of users of Compaq products the important security
information contained in this Advisory. Compaq recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. Compaq does not warrant that this
information is necessarily accurate or complete for all user situations
and, consequently, Compaq will not be responsible for any damages resulting
from user's use or disregard of the information provided in this Advisory."

- -----------------------------------------------------------------------

IMPACT:

This fix was implemented in response to the recent posting of the CERT
CA-99-08-cmsd advisory.
- -----------------------------------------------------------------------

RESOLUTION:

This potential security problem has been resolved and a patch for this
problem has been made available for Tru64 UNIX V4.0D, V4.0E and V4.0F.

This patch can be installed on:

     V4.0D   Patch kit BL11 or BL12.
     V4.0E   Patch kit BL1 or BL12.
     V4.0F   Patch kit BL1.

*This solution will be included in a future distributed release of
Compaq's DIGITAL UNIX.

This patch may be obtained from the World Wide Web at the following FTP
address:

     http://www.service.digital.com/patches

     Patch file name: SSRT0614U_rpc_cmsd.tar.Z

Use the FTP access option, select DIGITAL_UNIX directory then choose the
appropriate version directory and download the patch accordingly.

NOTE: There is a README file included with this patch, which contains
installation instructions.

Additional Considerations:

If you need further information, please contact your normal Compaq
Services support channel.

Compaq appreciates your cooperation and patience. We regret any
inconvenience applying this information may cause.

As always, Compaq urges you to periodically review your system management
and security procedures. Compaq will continue to review and enhance the
security features of its products and work with customers to maintain and
improve the security and integrity of their systems.

____________________________________________________________
Copyright (c) Compaq Computer Corporation, 1999 All Rights Reserved.
Unpublished Rights Reserved Under The Copyright Laws Of The United States.
___________________________________________________________

[ End Compaq Update ]

[ Start Sun Microsystems Update ]

______________________________________________________________________________
                   Sun Microsystems, Inc. Security Bulletin

Bulletin Number: #00188
Date:            August 25, 1999
Cross-Ref:       CERT CA-99-08
Title:           rpc.cmsd
______________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the
information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF
NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED
BY APPLICABLE LAW. IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY
LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION
CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions are
waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.
______________________________________________________________________________

1. Bulletin Topics

   Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1,
   2.5, 2.4, 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4, 5.3), SunOS 4.1.4,
   and 4.1.3_U1, which relate to a vulnerability involving rpc.cmsd.

   Sun recommends that you:

   Install the OpenWindows patches listed in section 4 immediately on
   systems running SunOS 5.5.1, 5.5, 5.4, 5.3, 4.1.4, and 4.1.3_U1.

   Install the Common Desktop Environment (CDE) patches listed in
   section 4 immediately on systems running SunOS 5.7 and 5.6.

   Install the CDE patches listed in section 4 immediately on systems
   running SunOS 5.5.1, 5.5, and 5.4 with CDE 1.0.2 or 1.0.1 installed.

2. Who is Affected

   Vulnerable:     SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5.1_x86,
                   5.5, 5.5_x86, 5.4, 5.4_x86, 5.3, 4.1.4, and 4.1.3_U1.

   Not vulnerable: All other supported versions of SunOS.

3. Understanding the Vulnerability

   The rpc.cmsd is a small database manager for appointment and
   resource-scheduling data. Its primary client is Calendar Manager in
   OpenWindows, and Calendar in CDE.

   A buffer overflow vulnerability has been discovered which may be
   exploited to execute arbitrary instructions and gain root access.

4. List of Patches

   The following patches are available in relation to the above problem.

   OpenWindows:

      SunOS version    Patch ID
      _____________    _________
      SunOS 5.5.1      104976-04
      SunOS 5.5.1_x86  105124-03
      SunOS 5.5        103251-09
      SunOS 5.5_x86    103273-07
      SunOS 5.4        102030-10
      SunOS 5.4_x86    102031-08
      SunOS 5.3        101513-14
      SunOS 4.1.4      100523-25
      SunOS 4.1.3_U1   100523-25

   CDE:

      SunOS versions               CDE version  Patch ID
      ______________               ___________  ________
      5.7                          1.3          107022-04
      5.7_x86                      1.3_x86      107023-04
      5.6                          1.2          105566-07
      5.6_x86                      1.2_x86      105567-08
      5.5.1, 5.5, 5.4              1.0.2        103670-07
      5.5.1_x86, 5.5_x86, 5.4_x86  1.0.2_x86    103717-08
      5.5, 5.4                     1.0.1        103671-07
      5.5_x86, 5.4_x86             1.0.1_x86    103718-08
______________________________________________________________________________

APPENDICES

   A. Patches listed in this bulletin are available to all Sun customers at:

      http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches

   B. Checksums for the patches listed in this bulletin are available at:

      ftp://sunsolve.sun.com/pub/patches/CHECKSUMS

   C. Sun security bulletins are available at:

      http://sunsolve.sun.com/pub-cgi/secBulletin.pl

   D. Sun Security Coordination Team's PGP key is available at:

      http://sunsolve.sun.com/pgpkey.txt

   E. To report or inquire about a security problem with Sun software,
      contact one or more of the following:

      - Your local Sun Solution Center
      - Your representative computer security response team, such as CERT
      - Sun Security Coordination Team. Send email to:

           security-alert@sun.com

   F. To receive information or subscribe to our CWS (Customer Warning
      System) mailing list, send email to:

           security-alert@sun.com

      with a subject line (not body) containing one of the following
      commands:

      Command         Information Returned/Action Taken
      _______         _________________________________

      help            An explanation of how to get information

      key             Sun Security Coordination Team's PGP key

      list            A list of current security topics

      query [topic]   The email is treated as an inquiry and is forwarded
                      to the Security Coordination Team

      report [topic]  The email is treated as a security report and is
                      forwarded to the Security Coordination Team. Please
                      encrypt sensitive mail using Sun Security
                      Coordination Team's PGP key

      send topic      A short status summary or bulletin. For example, to
                      retrieve a Security Bulletin #00138, supply the
                      following in the subject line (not body):

                           send #138

      subscribe       Sender is added to our mailing list. To subscribe,
                      supply the following in the subject line (not body):

                           subscribe cws your-email-address

                      Note that your-email-address should be substituted
                      by your email address.

      unsubscribe     Sender is removed from the CWS mailing list.
______________________________________________________________________________

Copyright 1999 Sun Microsystems, Inc. All rights reserved. Sun, Sun
Microsystems, Solaris and SunOS are trademarks or registered trademarks of
Sun Microsystems, Inc. in the United States and other countries. This
Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to Sun
Microsystems, Inc. and provided that such reproduction and distribution is
performed for non-commercial purposes.
[ End Sun Microsystems Update ]

[ Start Hewlett-Packard Bulletin ]

Digest Name:  Daily Security Bulletins Digest
    Created:  Thu Sep  9  3:00:02 PDT 1999

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX9908-102   Security Vulnerability in rpc.cmsd

The documents are listed below.
-------------------------------------------------------------------------------

Document ID:  HPSBUX9908-102
Date Loaded:  19990908
      Title:  Security Vulnerability in rpc.cmsd

-------------------------------------------------------------------------
                                         **REVISED 01**
               HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00102, 30 Aug 1999
                                   Last Revised: 08 Sept 1999
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  Buffer overflow vulnerability in the CDE Calendar Manager
          Service Daemon, rpc.cmsd.

PLATFORM: HP-9000 Series 700/800 HP-UX releases 10.2X, 10.30, 11.00.

DAMAGE:   Allows remote and local users to execute arbitrary code with
          root privileges.

SOLUTION: **REVISED 01**
          Install the applicable patch.

AVAILABILITY: The patches are available now.

CHANGE SUMMARY: This revision affects only HP-UX 10.24 (VVOS).
-------------------------------------------------------------------------
I.
   A. Background
      This problem has been reported in CERT Advisory CA-99-08.

   B. Fixing the problem
      - Install the applicable patch:

              For HP-UX release 10.20  PHSS_19482;
  ------>>>>  For HP-UX release 10.24  PHSS_19702;
              For HP-UX release 11.00  PHSS_19483.

      There are significant patch dependencies for these patches.

      Note: HP-UX release 10.30 was a development release prior to the
      availability of HP-UX release 11.00.
      HP-UX release 10.30 will not be patched.

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP Electronic Support Center via electronic
      mail, do the following:

      Use your browser to get to the HP Electronic Support Center page at:

          http://us-support.external.hp.com
              (for US, Canada, Asia-Pacific, & Latin-America)

          http://europe-support.external.hp.com
              (for Europe)

      Login with your user ID and password (or register for one).
      Remember to save the User ID assigned to you, and your password.

      Once you are in the Main Menu:

      To -subscribe- to future HP Security Bulletins, click on
      "Support Information Digests".

      To -review- bulletins already released from the main Menu, click on
      the "Search Technical Knowledge Database."

      Near the bottom of the next page, click on "Browse the HP Security
      Bulletin Archive".

      Once in the archive there is another link to our current Security
      Patch Matrix. Updated daily, this matrix categorizes security
      patches by platform/OS release, and by bulletin topic.

      The security patch matrix is also available via anonymous ftp:

          us-ffs.external.hp.com
          ~ftp/export/patches/hp-ux_patch_matrix

   D. To report new security vulnerabilities, send email to

          security-alert@hp.com

      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the purpose
of alerting them to problems, if and only if, the Bulletin is not edited
or changed in any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not liable for any
misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9908-102--------------------------------------

[ End Hewlett-Packard Bulletin ]

______________________________________________________________________________

CIAC wishes to acknowledge CERT, Compaq Computer Corp., Sun Microsystems,
and Hewlett-Packard for the information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use
one of the following methods to contact CIAC:

    1. Call the CIAC voice number 925-422-8193 and leave a message, or

    2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3. Send e-mail to 4498369@skytel.com, or

    4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
   World Wide Web:  http://www.ciac.org/
                    (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:   ftp.ciac.org
                    (or ciac.llnl.gov -- they're the same machine)
   Modem access:    +1 (925) 423-4753 (28.8K baud)
                    +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the use
   of SPI products.

Our mailing lists are managed by a public domain software package called
Majordomo, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes
for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure you
are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-041: Cisco IOS(R) Software Input Access List Leakage with NAT
J-042: Web Security
J-043: Creating/Installing Warning Banners
J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
J-045: Vulnerability in statd exposes vulnerability in automountd
J-046: HP-UX VVOS NES Vulnerability
J-047: The ExploreZip Worm
J-048: Malformed HTR Request Vulnerability
J-049: Windows NT, Two Denial-of-Service Vulnerabilities
J-050: HP-UX Visualize Conference Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBN8w9FLnzJzdsy3QZAQHwAwP+JviOcEmphlGHvI4HqglPLAqrs0kqYTcv
lt+xdraCda+ewrmsfZVzwfsjF1d14RenwuX4ofLfC8Cvts/UVISDATLIl+KfFF70
/JHvoupfsNQ9d0/MK22Sosi+125uUZGMN+OsqKunVCcWzlKyZLIzYIb9mvNxaigf
JChbWbBJvYk=
=RAwW
-----END PGP SIGNATURE-----
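Added example, not part of the CIAC bulletin or of the CERT, Sun, Compaq or Hewlett-Packard text it quotes: a Python script that compares a Solaris host's `showrev -p` output against the Sun patch table in section 4 of bulletin #00188 above (treating a later revision of a listed patch as sufficient, since the CERT appendix lists 107022-03 and Sun's later bulletin 107022-04), and that reads `rpcinfo -p` output to confirm rpc.cmsd is no longer registered with the portmapper once the "disable the rpc.cmsd daemon" workaround has been applied. The showrev and rpcinfo output formats, the package names and the cmsd RPC program number in the sample data are assumptions; both samples are constructed for this example, not captured from a host.

```python
"""Check a Solaris host against the rpc.cmsd patch table (Sun bulletin #00188)
and check whether rpc.cmsd is still registered with the portmapper.

Assumed input formats (assumptions, not taken from the bulletin):
  * `showrev -p` prints one "Patch: NNNNNN-RR Obsoletes: ... Packages: ..."
    line per installed patch (SunOS 5.x only; SunOS 4.1.x has no showrev).
  * `rpcinfo -p` prints a header row, then "program vers proto port service".
"""
import re

# Required patches from section 4 of Sun bulletin #00188 as quoted above.
# OpenWindows patches are keyed by SunOS version, CDE patches by CDE version.
# SunOS 4.1.4 / 4.1.3_U1 (100523-25) are omitted: showrev does not exist there.
OPENWINDOWS_PATCHES = {
    "5.5.1": "104976-04", "5.5.1_x86": "105124-03",
    "5.5": "103251-09", "5.5_x86": "103273-07",
    "5.4": "102030-10", "5.4_x86": "102031-08",
    "5.3": "101513-14",
}
CDE_PATCHES = {
    "1.3": "107022-04", "1.3_x86": "107023-04",
    "1.2": "105566-07", "1.2_x86": "105567-08",
    "1.0.2": "103670-07", "1.0.2_x86": "103717-08",
    "1.0.1": "103671-07", "1.0.1_x86": "103718-08",
}

PATCH_LINE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")


def installed_patches(showrev_output):
    """Map patch base ID -> highest installed revision from `showrev -p` text."""
    installed = {}
    for line in showrev_output.splitlines():
        m = PATCH_LINE.match(line.strip())
        if m:
            base, rev = m.group(1), int(m.group(2))
            installed[base] = max(rev, installed.get(base, 0))
    return installed


def patch_satisfied(required, installed):
    """True if `required` (e.g. '107022-03') or a later revision is installed."""
    base, rev = required.split("-")
    return installed.get(base, -1) >= int(rev)


def missing_patches(showrev_output, sunos_version, cde_version=None):
    """Required patch IDs (per the bulletin) not installed at sufficient revision.

    `cde_version` is None when CDE is not installed.  On SunOS 5.7/5.6 only the
    CDE patch applies; on 5.5.1/5.5/5.4/5.3 the OpenWindows patch always does.
    """
    if sunos_version.startswith("4."):
        raise ValueError("SunOS 4.1.x has no showrev -p; verify 100523-25 by hand")
    required = []
    if sunos_version in OPENWINDOWS_PATCHES:
        required.append(OPENWINDOWS_PATCHES[sunos_version])
    if cde_version is not None:
        if cde_version not in CDE_PATCHES:
            raise ValueError(f"bulletin lists no patch for CDE {cde_version}")
        required.append(CDE_PATCHES[cde_version])
    installed = installed_patches(showrev_output)
    return [p for p in required if not patch_satisfied(p, installed)]


def cmsd_registered(rpcinfo_output):
    """True if any `rpcinfo -p` row names the cmsd service (still reachable)."""
    for line in rpcinfo_output.splitlines():
        fields = line.split()
        # Rows are: program vers proto port service.  The header row ends in
        # "service", so matching the last field against "cmsd" skips it.
        if len(fields) == 5 and fields[-1] == "cmsd":
            return True
    return False


# Constructed sample: a SunOS 5.5.1 host with CDE 1.0.2 that has an older
# OpenWindows patch revision and a newer CDE patch revision installed.
# Package names are made up for the example.
SHOWREV_SAMPLE = """\
Patch: 104976-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWowrqd
Patch: 103670-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
Patch: 103640-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
"""

# Constructed `rpcinfo -p` sample showing rpc.cmsd still registered.  100068 is
# assumed to be the cmsd program number; the check uses the service name only.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100068    5   udp  32772  cmsd
"""

if __name__ == "__main__":
    print("missing patches:", missing_patches(SHOWREV_SAMPLE, "5.5.1", "1.0.2"))
    print("rpc.cmsd registered:", cmsd_registered(RPCINFO_SAMPLE))
```

Run as-is it evaluates the constructed samples (one missing OpenWindows patch, rpc.cmsd still registered); on a real host, pass the actual output of `showrev -p` and `rpcinfo -p` together with the host's SunOS and CDE versions. The check covers SunOS 5.x only: SunOS 4.1.x has no showrev, and the HP-UX (PHSS_*) and Tru64 patch-kit fixes in this bulletin use different tooling that is not modelled here.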