A complete revision history can be found at the end of this file.
Sun's NFS/RPC file system cachefs daemon (cachefsd) is shipped and
installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and
Intel architectures). A remotely exploitable vulnerability exists in
cachefsd that could permit a remote attacker to execute arbitrary code
with the privileges of the cachefsd, typically root. The CERT/CC has
received credible reports of scanning and exploitation of Solaris systems
running cachefsd.
A remotely exploitable heap overflow exists in the cachefsd program
shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8
(SPARC and Intel architectures). Cachefsd caches requests for operations
on remote file systems mounted via the use of NFS protocol. A remote
attacker can send a crafted RPC request to the cachefsd program to exploit
the vulnerability.
Logs of exploitation attempts may resemble the following: Sun Microsystems has released a Sun
Alert Notification which addresses this issue as well as the issue
described in VU#161931.
According to the Sun
Alert Notification, failed attempts to exploit this vulnerability may
leave a core dump file in the root directory. The presence of the
core file does not preclude the success of subsequent attacks.
Additionally, if the file /etc/cachefstab exists, it may contain
unusual entries.
This issue is also being referenced as CAN-2002-0033:
A remote attacker may be able to execute code with the privileges of
the cachefsd process, typically root.
Apply a patch from your vendor Appendix
A contains information provided by vendors for this advisory.
If a patch is not available, disable cachefsd in inetd.conf
until a patch can be applied.
If disabling the cachefsd is not an option, follow the suggested
workaround in the Sun
Alert Notification.
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will update
this section and note the changes in our revision history. If a particular
vendor is not listed below, please check the Vulnerability Note
(VU#635811) or contact your vendor
directly. For more information please contact Nortel at:
Contacts for other regions are available at
The CERT/CC acknowledges the Last Stage of Delirium Team for
discovering and reporting on this vulnerability and thanks Sun
Microsystems for their technical assistance. Feedback can be directed to the authors: Jason A.
Rafail and Jeffrey S. Havrilla
Systems Affected
Overview
I. Description
May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:21 victim-host last message repeated 7 times
May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:59 victim-host last message repeated 1 time
May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:47:07 victim-host last message repeated 3 times
May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033
II. Impact
III. Solution
Appendix A. - Vendor Information
Cray, Inc.
Cray, Inc. is not vulnerable since cachefs is not supported
under Unicos and Unicos/mk.
Fujitsu
UXP/V is not vulnerable, because it does not have Cachefs
and similar functionalities.
Hewlett-Packard
HP-UX is not vulnerable because it does not use cachefsd.
IBM
IBM's AIX operating system, all versions, is not vulnerable.
Nortel Networks
Nortel Networks products and solutions using the affected
Sun Solaris operating systems do not utilize the NFS/RPC file system
cachefs daemon. Nortel Networks recommends following the mitigating
practices in Sun Microsystems Inc.'s Alert Notification.; this will not
impact these Nortel Networks products and solutions.
North America: 1-8004NORTEL or 1-800-466-7835
Europe,
Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
www.nortelnetworks.com/help/contact/global/
SGI
SGI does not ship with SUN cachefsd, so IRIX is not
vulnerable.
Sun
See the Sun Alert Notification available at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309.
This document is available from: http://www.cert.org/advisories/CA-2002-11.html