Note: This is an archival copy of Security Sun Alert 201311 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000988.1.
Article ID : 1000988.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-04-01
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Buffer Overflow in cachefsd in Solaris



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.5.1
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4338920

Date of Workaround Release
30-APR-2002

Date of Resolved Release
02-APR-2003

Impact

Unprivileged local or remote users may be able to gain unauthorized root access due to a buffer overflow in cachefsd.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.5.1 without patch 104849-09
  • Solaris 2.6 without patch 105693-13
  • Solaris 7 without patch 108800-02
  • Solaris 8 without patch 110896-02
  • Solaris 9 without patch 114008-01

x86 Platform

  • Solaris 2.5.1 without patch 104848-09
  • Solaris 2.6 without patch 105694-13
  • Solaris 7 without patch 108801-02
  • Solaris 8 without patch 110897-02
  • Solaris 9 without patch 114009-01

Symptoms

Failed attempts to exploit the buffer overflow will leave core files from cachefsd in the / directory. In addition, if the file /etc/cachefstab exists it may contain unusual entries. The usual entries are known cache directories, for example, /cachefs/cache0.


Workaround

Comment out cachefsd in /etc/inetd.conf as shown below:

	For Solaris 2.6, 7 and 8:
		#100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd  cachefsd
	For Solaris 2.5.1:
		#100235/1 stream rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd  cachefsd

Once the line is commented out either:

	- reboot, or
	- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,
	  on Solaris 2.5.1 and 2.6 do the following:
		$ kill -HUP <PID of inetd>
		$ kill <PIDs of any cachefsd processes>
	  Solaris 7 and 8 do the following:
		$ pkill -HUP inetd
		$ pkill cachefsd

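The following shell helpers are an added example, not part of the Sun Alert or of Sun/Oracle's own tooling: they audit an inetd.conf for an active cachefsd entry (RPC program 100235), write a copy with that line commented out as in the workaround above, and check for the two symptoms named earlier (core files in / and unexpected /etc/cachefstab entries). All paths are parameters, and make_samples() writes constructed sample files so the functions can be exercised without touching a live system.

```shell
# Print active (uncommented) cachefsd lines in the inetd.conf given as $1.
# Exit status 0 if one is found, 1 otherwise (plain grep semantics).
cachefsd_active() {
    grep -E '^[[:space:]]*100235/1[[:space:]].*cachefsd' "$1"
}

# Write a copy of inetd.conf ($1) to $2 with the cachefsd line commented
# out, as in the Workaround section; the original file is left untouched
# so an administrator can review the result before installing it.
disable_cachefsd() {
    sed -E 's|^([[:space:]]*)(100235/1[[:space:]].*cachefsd)|\1#\2|' "$1" > "$2"
}

# Symptom check 1: list core files left in the directory given as $1
# (the advisory names the / directory).
core_files_in() {
    for f in "$1"/core*; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# Symptom check 2: print cachefstab entries (file $1) that are not under
# the expected cache directory prefix ($2), for example /cachefs/.
# Comment and blank lines are ignored.
unusual_cachefstab() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | grep -v -E "^$2"
}

# Constructed sample files written into directory $1; these are not taken
# from any real host and exist only to exercise the functions above.
make_samples() {
    printf '%s\n' \
        'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
        '100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd  cachefsd' \
        > "$1/inetd.conf"
    printf '%s\n' '/cachefs/cache0' '/tmp/.not_a_cache' > "$1/cachefstab"
    mkdir -p "$1/root" && : > "$1/root/core"
}
```

On a real host the audit would be run as cachefsd_active /etc/inetd.conf, core_files_in / and unusual_cachefstab /etc/cachefstab /cachefs/, followed by the inetd HUP described above once the edited file is installed.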
The possible side effects of the workaround are:

	- for systems not using cachefs:
		There is no impact.
	- for systems using cachefs:
		Only the "disconnectable" mount option is known to be
		affected by disabling cachefsd. This feature is rarely
		used outside of AutoClient and is undocumented.
		The "disconnectable" option is specified at mount time
		using the usual mount syntax and is not enabled by
		default.
		If cachefsd is disabled and the file server becomes
		unavailable then file systems mounted as
		"disconnectable" will not be reconnected when the
		service returns. For this reason we recommend that the
		"disconnectable" option is not used while cachefsd is
		disabled.
		Mounts and unmounts should still succeed though an
		error message may be seen, e.g.
		          mount -F cachefs: cachefsd is not running
		There is no performance impact.
	- for systems using AutoClient:
		In addition to the advice given for systems using
		cachefs:
		Only AutoClient systems using the "disconnectable"
		feature will be affected. Should the server become
		unavailable the root and /usr file systems will switch
		to disconnected mode as usual but will not be
		reconnected when the service returns. For this reason
		we recommend that the "disconnectable" option is not used
		with AutoClient while cachefsd is disabled on the
		client.
		If cachefsd is disabled a warning message will appear
		during the boot of the AutoClient system:
		     WARNING: Timed out waiting for cachefs service to register
		This indicates that the cachefsd service is not
		available, which is as expected.
		There is no performance impact.

Resolution

This issue is addressed in the following releases:

SPARC

  • Solaris 2.5.1 with patch 104849-09 or later
  • Solaris 2.6 with patch 105693-13 or later
  • Solaris 7 with patch 108800-02 or later
  • Solaris 8 with patch 110896-02 or later
  • Solaris 9 with patch 114008-01 or later

x86 Platform

  • Solaris 2.5.1 with patch 104848-09 or later
  • Solaris 2.6 with patch 105694-13 or later
  • Solaris 7 with patch 108801-02 or later
  • Solaris 8 with patch 110897-02 or later
  • Solaris 9 with patch 114009-01 or later


Modification History
Date: 24-MAY-2002
  • Updated Relief/Workaround section

Date: 31-MAY-2002
  • Updated Relief/Workaround section
  • Date Released: 30-Apr-2002, 31-May-2002

Date: 06-JAN-2003
  • Updated Contributing Factors and Resolution sections

Date: 02-APR-2003
  • State: Resolved
  • Updated Contributing Factors and Resolution sections



References

110896-02
110897-02
105693-13
105694-13
108800-02
108801-02
114008-01
114009-01
104849-09
104848-09
