7460907 2001-11-05 14:32 -0500 /394 rader/ CERT Advisory <cert-advisory@cert.org>
Sänt av: joel@lysator.liu.se
Importerad: 2001-11-09 05:46 av Brevbäraren
Extern mottagare: cert-advisory@cert.org
Mottagare: Bugtraq (import) <19694>
Ärende: CERT Advisory CA-2001-30 Multiple Vulnerabilities in lpd
------------------------------------------------------------
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Message-ID: <CA-2001-30.1@cert.org>
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2001-30 Multiple Vulnerabilities in lpd
Original release date: November 05, 2001
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* BSDi BSD/OS Version 4.1 and earlier
* Debian GNU/Linux 2.1 and 2.1r4
* FreeBSD All released versions FreeBSD 4.x, 3.x, FreeBSD
4.3-STABLE, 3.5.1-STABLE prior to the correction date
* Hewlett-Packard HP9000 Series 700/800 running HP-UX releases
10.01, 10.10, 10.20, 11.00, and 11.11
* IBM AIX Versions 4.3 and AIX 5.1
* Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
* NetBSD 1.5.2 and earlier
* OpenBSD Version 2.9 and earlier
* Red Hat Linux 6.0 all architectures
* SCO OpenServer Version 5.0.6a and earlier
* SGI IRIX 6.5-6.5.13
* Sun Solaris 8 and earlier
* SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2
Overview
There are multiple vulnerabilities in several implementations of
the line printer daemon (lpd). The line printer daemon enables
various clients to share printers over a network. Review your
configuration to be sure you have applied all relevant
patches. We also encourage you to restrict access to the lpd
service to only authorized users.
I. Description
There are multiple vulnerabilities in several implementations of
the line printer daemon (lpd), affecting several systems. Some
of these problems have been publicly disclosed
previously. However, we believe many system and network
administrators may have overlooked one or more of these
vulnerabilities. We are issuing this document primarily to
encourage system and network administators to check their systems
for exposure to each of these vulnerabilities, even if they have
addressed some lpd vulnerabilities recently.
Most of these vulnerabilities are buffer overflows allowing a
remote intruder to gain root access to the lpd server. For the
latest and most detailed information about the known
vulnerabilities, please see the vulnerability notes linked to
below.
VU#274043 - BSD line printer daemon buffer overflow in displayq()
There is a buffer overflow in several implementations of in.lpd, a
BSD line printer daemon. An intruder can send a specially
crafted print job to the target and then request a display of
the print queue to trigger the buffer overflow. The intruder
may be able use this overflow to execute arbitrary commands
on the system with superuser privileges.
The line printer daemon must be enabled and configured
properly in order for an intruder to exploit this
vulnerability. This is, however, trivial as the line printer
daemon is commonly enabled to provide printing functionality. In
order to exploit the buffer overflow, the intruder must launch
his attack from a system that is listed in the "/etc/hosts.equiv"
or "/etc/hosts.lpd" file of the target system.
VU#388183 - IBM AIX line printer daemon buffer overflow in
kill_print()
A buffer overflow exists in the kill_print() function of the line
printer daemon (lpd) on AIX systems. An intruder could exploit this
vulnerability to obtain root privileges or cause a denial of service
(DoS). The intruder would need to be listed in the victim's
/etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this
vulnerability.
VU#722143 - IBM AIX line printer daemon buffer overflow in
send_status()
A buffer overflow exists in the send_status() function of the line
printer daemon (lpd) on AIX systems. An intruder could exploit this
vulnerability to obtain root privileges or cause a denial of service
(DoS). The intruder would need to be listed in the victim's
/etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this
vulnerability.
VU#466239 - IBM AIX line printer daemon buffer overflow in
chk_fhost()
A buffer overflow exists in the chk_fhost() function of the
line printer daemon (lpd) on AIX systems. An intruder could
exploit this vulnerability to obtain root privileges or cause a
denial of service (DoS). The intruder would need control of the
DNS server to exploit this vulnerability.
VU#39001 - line printer daemon allows options to be passed to
sendmail
There exists a vulnerability in the line printer daemon that
permits an intruder to send options to sendmail. These options
could be used to specify another configuration file allowing
an intruder to gain root access.
VU#30308 - line printer daemon hostname authentication bypassed with
spoofed DNS
A vulnerability exists in the line printer daemon (lpd) shipped
with the printer package for several systems. The authentication
method was not thorough enough. If a remote user was able to
control their own DNS so that their IP address resolved to the
hostname of the print server, access would be granted when it
should not be.
VU#966075 - Hewlett-Packard HP-UX line printer daemon buffer overflow
A buffer overflow exists in HP-UX's line printer daemon
(rlpdaemon) that may allow an intruder to execute arbitrary
code with superuser privilege on the target system. The rlpdaemon
is installed by default and is active even if it is not being
used. An intruder does not need any prior knowledge, or
privileges on the target system, in order to exploit this
vulnerability.
II. Impact
All of these vulnerabilities can be exploited remotely. In most
cases, they allow an intruder to execute arbitrary code with the
privileges of the lpd server. In some cases, an intruder must
have access to a machine listed in /etc/hosts.equiv or
/etc/hosts.lpd, and in some cases, an intruder must be able to
control a nameserver.
One vulnerability (VU#39001) allows you to specify options to
sendmail that can be used to execute arbitrary commands.
Ordinarily, this vulnerability is only exploitable from machines
that are authorized to use the lpd server. However, in conjunction
with another vulnerability (VU#30308), permitting intruders to
gain access to the lpd service, this vulnerability can be used by
intruders not normally authorized to use the lpd service.
For specific information about the impacts of each of these
vulnerabilities, please consult the CERT Vulnerability Notes Database
(http://www.kb.cert.org/vuls).
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we
will update this section and note the changes in our revision
history. If a particular vendor is not listed below, we have
not received their comments. Please contact your vendor directly.
This table represents the status of each vendor with regard to
each vulnerability. Please be aware that vendors produce multiple
products; if they are listed in this table, not all products may
be affected. If a vendor is not listed in the table below, then
their status should be considered unknown. For specific
information about the status of each of these vulnerabilities,
please consult the CERT Vulnerability Notes Database
(http://www.kb.cert.org/vuls).
+ = Affected
- - = Not Affected
? = Unknown
VU# -> |274043 |388183 |722143 |466239 |39001 |30308 |966075
Vendors ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Apple | - | ? | ? | ? | ? | ? | -
BSDI | + | ? | ? | ? | ? | ? | ?
Caldera | - | - | - | - | - | - | -
Cray | ? | - | - | - | - | ? | -
Debian | ? | ? | ? | ? | + | + | ?
Engarde | - | - | - | - | - | - | -
FreeBSD | + | - | - | - | - | - | -
Fujitsu | - | - | - | - | - | - | -
HP | ? | ? | ? | ? | ? | ? | +
IBM | - | + | + | + | - | + | -
Mandrake| ? | ? | ? | ? | + | ? | ?
NetBSD | + | ? | ? | ? | ? | ? | ?
OpenBSD | + | ? | ? | ? | ? | ? | ?
Red Hat | ? | ? | ? | ? | + | + | ?
SCO | + | ? | ? | ? | ? | ? | ?
SGI | + | ? | ? | ? | ? | ? | ?
SuSE | + | ? | ? | ? | ? | ? | ?
Sun | - | - | - | - | + | - | -
Restrict access to the lpd service
As a general practice, we recommend disabling all services that
are not explicitly required. You may wish to disable the line
printer daemon if there is not a patch available from your vendor.
If you cannot disable the service, you can limit your
exposure to these vulnerabilities by using a router or firewall to
restrict access to port 515/TCP (printer). Note that this does not
protect you against attackers from within your network.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for
this advisory. As vendors report new information to the
CERT/CC, we will update this section and note the changes in our
revision history. If a particular vendor is not listed below,
we have not received their comments.
Apple Computer, Inc.
Mac OS X does not have the line printer daemon vulnerability
issues described in these advisories.
Berkeley Software Design, Inc. (BSDI)
Some (older) versions are affected. The current (BSD/OS 4.2)
release is not vulnerable. Systems are only vulnerable to
attack from hosts which are allowed via the /etc/hosts.lpd
file (which is empty as shipped). BSD/OS 4.1 is the only
vulnerable version which is still officially supported by Wind
River Systems. A patch (M410-044) is available in the normal
locations, ftp://ftp.bsdi.com/bsdi/patches or via our web site at
http://www.bsdi.com/support
Compaq
Compaq has not been able to reproduce the problems identified in
this advisory for TRU64 UNIX. We will continue testing and
address the LPD issues if a problem is discovered and provide
patches as necessary.
Cray
Cray, Inc. has been unable to prove an lpd
vulnerability. However, it was deemed that a buffer overflow may
be possible and so did tighten up the code. See Cray SPR 721101
for more details.
Debian
http://www.debian.org/security/2000/20000109
FreeBSD, Inc.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A58.lpd.asc
Hewlett-Packard Company
Hewlett-Packard has released HPSBUX0108-163 Sec. Vulnerability in
rlpdaemon Bulletin and patches available from http://itrc.hp.com
Details to access http://itrc.hp.com are include at the last
half of any HP Bulletin.
IBM Corporation
http://www-1.ibm.com/services/continuity/recover1.nsf/4699c03b46f2d4f68525678c006d45ae/85256a3400529a8685256ac7005cf00a/$FILE/oar391.txt
Mandrake Software
http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-054.php3
NetBSD
If lpd has been enabled, this issue affects NetBSD versions 1.5.2
and prior releases, and NetBSD-current prior to August 30,
2001. lpd is disabled by default in NetBSD installations.
Detailed information will be released subsequent to the
publication of this CERT advisory.
An up-to-date PGP signed copy of the release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG and http://www.NetBSD.ORG/Security/.
OpenBSD
http://www.openbsd.org/errata29.html#lpd
RedHat Inc.
http://www.redhat.com/support/errata/RHSA2000002-01.6.0.html
Santa Cruz Operation, Inc. (SCO)
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.20/
SGI
ftp://patches.sgi.com/support/free/security/advisories/20011003-01-P
SuSE
http://lists2.suse.com/archive/suse-security-announce/2001-Oct/0000.html
_________________________________________________________________
The CERT Coordination Center thanks Internet Security Systems and IBM
for the information provided in their advisories.
_________________________________________________________________
Feedback on this document can be directed to the author,
Jason A. Rafail
_________________________________________________________________
References
* http://www.kb.cert.org/vuls/id/274043
* http://www.kb.cert.org/vuls/id/388183
* http://www.kb.cert.org/vuls/id/722143
* http://www.kb.cert.org/vuls/id/466239
* http://www.kb.cert.org/vuls/id/39001
* http://www.kb.cert.org/vuls/id/30308
* http://www.kb.cert.org/vuls/id/966075
* http://www.kb.cert.org/vuls
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2001-30.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for
more information.
Getting security information
CERT publications and other security information are available
from our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and
bulletins, send email to majordomo@cert.org. Please include in
the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the
U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Revision History
November 05, 2001: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBO+boKKCVPMXQI2HJAQFLWgP/R8K+kw9GrKp0rF5hdrsiowPOBaO716OM
M4dRX+5Ek+svlY9/P948FfU4CyKG1c4M9FzSMgoKTUmvsnB+NVFgln/d0+jMfAy0
IyzHxyp5bSbF6pbfEyyr7gy8S3xaaVyDbAmhuLAW0Kiwy1xMmOFjZLu0W+A99rf7
XMm+KQhJe6o=
=pB53
-----END PGP SIGNATURE-----
(7460907) /CERT Advisory <cert-advisory@cert.org>/(Ombruten)
Kommentar i text 7438843 av Kent Engström <kent@unit.liu.se>