Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

CERT Cautions On Sun Cachefs Daemon

From: InfoSec News <isn () c4i org>
Date: Thu, 9 May 2002 02:12:41 -0500 (CDT)
http://siliconvalley.internet.com/news/article/0,2198,3531_1038631,00.html

By Michael Singer 
May 6, 2002

Less than a week since it warned against rwall daemon vulnerabilities,
officials with CERT Coordination Center said there are again serious
holes that may affect some Sun Microsystems (NASDAQ:SUNW) servers.

The Internet watchdog late Monday said a heap overflow in Cachefs
Daemon (cachefsd) has been identified and there are credible reports
of scanning and exploitation of Sun Solaris 2.5.1, 2.6, 7, and 8
(including SPARC and Intel (NASDAQ:INTC) Architectures) running
cachefsd.

Cachefsd, which is installed by default with the above servers, caches
requests for operations on remote file systems mounted via the use of
NFS protocol. A remote attacker can send a crafted RPC request to the
cachefsd program to exploit the vulnerability.

If left untreated, Sun said the vulnerability might leave a core dump
file in the root directory.

"The presence of the core file does not preclude the success of
subsequent attacks." A Sun Alert Notification reports. "Additionally,
if the file exists, it may contain unusual entries."

If there is a problem, the networking giant suggests a reboot, or
sending a HUP signal to inetd(1M) and kill existing cachefsd
processes.

CERT/CC said logs of exploitation attempts might resemble the
following:

* May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
  Segmentation Fault - core dumped 

* May 16 22:46:21 victim-host last message repeated 7 times 

* May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
  Bus Error- core dumped 

* May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
  Segmentation Fault - core dumped 

* May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
  Bus Error - core dumped 

* May 16 22:46:59 victim-host last message repeated 1 time 

* May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
  Segmentation Fault - core dumped 

* May 16 22:47:07 victim-host last message repeated 3 times 

* May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
  Hangup 

* May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
  Segmentation Fault - core dumped


So far the vulnerability does not affect similarly classed servers 
from IBM (NYSE:IBM) or SGI (NASDAQ:SGI) 

Palo Alto, Calif.-based Sun is asking its customers to check its Alert 
Notification Web site for the latest patch information. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: