Note: This is an archival copy of Security Sun Alert 201311 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000988.1.
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
Unprivileged local or remote users may be able to gain unauthorized root access due to a buffer overflow in cachefsd.
This issue can occur in the following releases:
Failed attempts to exploit the buffer overflow will leave core files in the / directory from cachefsd. In addition, if the file /etc/cachefstab exists it may contain unusual entries. The usual entries are known cache directories, for example, /cachefs/cache0.
Comment out cachefsd in /etc/inetd.conf as shown below:
For Solaris 2.6, 7 and 8:

    #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd

Solaris 2.5.1:

    #100235/1 stream rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
Once the line is commented out either:
- reboot, or
- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example, on Solaris 2.5.1 and 2.6 do the following:

    $ kill -HUP <PID of inetd>
    $ kill <PIDs of any cachefsd processes>

  On Solaris 7 and 8 do the following:

    $ pkill -HUP inetd
    $ pkill cachefsd
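A check for the workaround and the symptoms described above, written for a POSIX shell as an added example that is not part of the original Sun Alert. The function names, the ROOT argument and the one-directory-per-line reading of /etc/cachefstab are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a host (or a copy of its files under ROOT) for the
# workaround and the symptoms described in this alert.

# Succeeds if the cachefsd entry (RPC program 100235) is still active, i.e.
# not commented out, in the given inetd.conf.
cachefsd_enabled() {
    grep '^[[:space:]]*100235/1[[:space:]].*cachefsd' "$1" >/dev/null 2>&1
}

# Prints cachefstab entries that are not among the known cache directories
# given as remaining arguments. Assumption: one cache directory per line.
unusual_cachefstab() {
    tab=$1; shift
    [ -f "$tab" ] || return 0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        known=no
        for dir in "$@"; do
            if [ "$entry" = "$dir" ]; then known=yes; fi
        done
        [ "$known" = yes ] || printf '%s\n' "$entry"
    done < "$tab"
}

# Usage: audit_cachefsd ROOT KNOWN_CACHE_DIR...  (returns 1 if anything is flagged)
audit_cachefsd() {
    root=$1; shift
    status=0
    if cachefsd_enabled "$root/etc/inetd.conf"; then
        echo "WORKAROUND MISSING: cachefsd is active in $root/etc/inetd.conf"; status=1
    fi
    if [ -f "$root/core" ]; then
        echo "CHECK: core file in $root/ (confirm whether cachefsd dumped it)"; status=1
    fi
    odd=$(unusual_cachefstab "$root/etc/cachefstab" "$@")
    if [ -n "$odd" ]; then
        echo "CHECK: unexpected entries in $root/etc/cachefstab:"; echo "$odd"; status=1
    fi
    return $status
}

# Constructed sample tree (not taken from a real host).
demo=$(mktemp -d)
mkdir -p "$demo/etc"
echo '100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd' > "$demo/etc/inetd.conf"
printf '%s\n' /cachefs/cache0 /tmp/unexpected-entry > "$demo/etc/cachefstab"
audit_cachefsd "$demo" /cachefs/cache0 || true
rm -rf "$demo"
```

On a live host, call it as audit_cachefsd "" followed by the cache directories that host is expected to use.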
The possible side effects of the workaround are:
- for systems not using cachefs:

  There is no impact.

- for systems using cachefs:

  Only the "disconnectable" mount option is known to be affected by disabling cachefsd. This feature is rarely used outside of AutoClient and is undocumented. The "disconnectable" option is specified at mount time using the usual mount syntax and is not enabled by default.

  If cachefsd is disabled and the file server becomes unavailable then file systems mounted as "disconnectable" will not be reconnected when the service returns. For this reason we recommend that the "disconnectable" option is not used while cachefsd is disabled.

  Mounts and unmounts should still succeed though an error message may be seen, e.g.

    mount -F cachefs: cachefsd is not running

  There is no performance impact.

- for systems using AutoClient:

  In addition to the advice given for systems using cachefs:

  Only AutoClient systems using the "disconnectable" feature will be affected. Should the server become unavailable the root and /usr file systems will switch to disconnected mode as usual but will not be reconnected when the service returns. For this reason we recommend that the "disconnectable" option is not used with AutoClient while cachefsd is disabled on the client.

  If cachefsd is disabled a warning message will appear during the boot of the AutoClient system:

    WARNING: Timed out waiting for cachefs service to register

  This indicates that the cachefsd service is not available which is as expected.

  There is no performance impact.
This issue is addressed in the following releases: