A format string vulnerability in the rwall daemon (rpc.rwalld) as shipped with some versions of Sun's Solaris operating system poses a serious threat to users. The CERT Coordination Center (CERT/CC) at Carnegie Mellon reports that it hasn't seen any actual exploitation or active scanning yet, but that doesn't necessarily mean nobody is taking advantage of the hole: the flaw also opens a system up to attacks from inside the network, which wouldn't be visible to CERT. The problem, described in CERT Advisory CA-2002-10, appears to be limited to Solaris, and Sun has already acknowledged it.

A number of other vulnerabilities have recently cropped up in Sun software, so this is probably a good time to take a quick look at them too:

  • According to a Sun Alert Notification (and CERT Advisory CA-2002-11), the cachefsd (cachefs daemon) in some Solaris versions contains a heap overflow flaw.
  • CERT Advisory CA-2002-03, which lists multiple vulnerabilities in SNMP, was released on Feb. 12, 2002, and on May 8, Sun disclosed that Solaris Enterprise Agent, Sun Management Center, and Sun Enterprise 10000 SSP are all vulnerable to this threat. Other Sun products are still being tested, so this SNMP problem isn’t completely under control in all Sun systems.
  • On May 2, 2002, Sun announced that a buffer overflow threat in admintool can allow local users to gain root access.
  • On May 1, 2002, Sun updated last year's xntpd buffer overflow fix with the announcement that the Network Time Protocol daemon vulnerability also exists in Solaris 2.5.1 E10K (Enterprise 10000). Among the releases prior to 2.6, it applies only to those that include the xntpd code.
  • In April 2002, Sun reported a buffer overflow problem in gzip version 1.2.4.

Risk level—critical
The rwall daemon is normally started by inetd as root, and the vulnerability lets an attacker run code with whatever privileges the daemon has, so this is a serious problem. According to CA-2002-10, when rpc.rwalld cannot deliver a message (for example, because the system is out of resources) it logs the failure through syslog() with the user-supplied message as the format string; a message carrying directives such as %n can therefore write to the daemon's memory and hijack it.
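To make the bug class concrete, here is an added example in C. It is not code from rpc.rwalld, Sun or CERT; it mirrors the pattern with snprintf() into a fixed buffer standing in for syslog(3) so the result can be inspected, puts the vulnerable and the fixed call side by side, and adds a small audit helper (count_directives, a hypothetical name) that counts format directives in untrusted text. The sample messages are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * snprintf() into a static buffer stands in for syslog(3): same argument
 * shape, but the output can be checked instead of going to the log.
 */
static char log_buf[256];

/* Vulnerable pattern: the untrusted message *is* the format string. */
const char *log_failure_vuln(const char *msg)
{
    snprintf(log_buf, sizeof log_buf, msg);   /* BUG: msg may contain %x, %s, %n ... */
    return log_buf;
}

/* Fixed pattern: a constant format; the message is only ever an argument. */
const char *log_failure_fixed(const char *msg)
{
    snprintf(log_buf, sizeof log_buf, "rwall: could not deliver message: %s", msg);
    return log_buf;
}

/*
 * Audit helper: count conversion directives in text that came off the wire.
 * "%%" is a literal percent sign and is not counted. Anything above zero in a
 * message that will be passed as a format string is an attack in progress.
 */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /*
     * Constructed inputs. Only "%%" is fed to the vulnerable function here:
     * passing "%x" or "%n" with no matching arguments is undefined behaviour,
     * which is exactly why the real bug is exploitable.
     */
    const char *benign  = "disk at 90%% full, please log off";
    const char *hostile = "AAAA%x%x%x%n";

    printf("vulnerable: %s\n", log_failure_vuln(benign));   /* the %% is consumed */
    printf("fixed:      %s\n", log_failure_fixed(benign));  /* text is preserved */
    printf("directives in hostile message: %d\n", count_directives(hostile));
    return 0;
}
```

Compiling with `gcc -Wformat -Wformat-security` flags the vulnerable call ("format not a string literal and no format arguments"); glibc declares syslog(3) printf-like as well, so the same warning would have caught the real pattern.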

The SNMP threat is also quite dangerous because it leaves systems open to DoS attacks and possibly even penetration and code execution by a remote attacker.

Sun Solaris 2.5.1, 2.6, 7, and 8 are definitely vulnerable to both the cachefs and rwall daemon threats. CERT reports that AIX, Mac OS X, NetBSD, FreeBSD, Unicos, Compaq Tru64, and BSD/OS are not vulnerable to the rwall attack, either because they don’t include the daemon or because they use different implementations.

CERT reports that HP-UX, AIX, and SGI IRIX are not vulnerable to the cachefsd threat.

Any system using SNMP may be vulnerable to that threat, and Sun has recently published an update indicating that the company hasn’t even finished testing some products for this vulnerability, as mentioned above.

Most unpatched versions of Solaris are vulnerable to the admintool buffer overflow. The xntpd vulnerability is well known, but 2.5.1 Enterprise 10000 users may not realize that the threat applies to them also. The gzip problem is limited to Solaris 8.

Mitigating factors
Sun acknowledges that the rwall vulnerability exists but says it would be difficult for an outside attacker to have enough current information about the system to conduct a successful attack. That assertion carries little weight against an insider, who can observe the system's state directly.

The company doesn’t specifically address mitigating factors for the other threats, but they are generally less dangerous than the rwall vulnerability.

At the time of this writing, patches weren’t yet available for either the rwall or cachefsd vulnerabilities. Sun reports that it is working on both problems, so check the Sun Security Web site for links to the individual alerts and available patches.

Sun recommends disabling rpc.rwalld in inetd.conf as a temporary workaround for the rwall vulnerability. If rwalld can't be disabled, CERT suggests using a firewall to block access to rwalld on port 32777/UDP, but this is incomplete protection: rwalld is an RPC service whose port is assigned when it starts and published through rpcbind (check with rpcinfo -p), so 32777 is typical rather than guaranteed, and a firewall at the perimeter does nothing against an attacker already inside it.

A final fix is in the works for the cachefsd threat. Meanwhile, Sun offers the following workaround:

Comment out cachefsd in /etc/inetd.conf as shown below:
#100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd  cachefsd

Then reboot, or, to avoid the downtime, send inetd a SIGHUP so it re-reads its configuration and kill any cachefsd process that is already running.

Some other options are discussed on the Solaris Web page.

Patches for the SNMP vulnerability are available for some Sun software.

Sun recommends this workaround for the admintool vulnerability:

Remove the setuid bit from the admintool binary:
# chmod u-s /usr/bin/admintool
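The inetd.conf and setuid workarounds above are easy to get subtly wrong on a live box (a stray edit to the wrong line, or a daemon that keeps running because inetd was never told). Here is an added example, not code from Sun, CERT or the original article, that applies both edits to a copy of the configuration and verifies the result. The inetd.conf entries are constructed samples in Solaris 8 format; the rpc.rwalld path and the `walld/1` entry are assumed, not copied from a live host.

```sh
#!/bin/sh
# Comment out every active (uncommented) inetd.conf line mentioning $name.
# POSIX sed only: Solaris sed has no -i, so write a temp file and rename it.
# $name must not contain '/', since it is spliced into a sed address.
disable_inetd_entry() {
    file=$1; name=$2
    cp -p "$file" "$file.bak" || return 1
    sed "/^[[:space:]]*#/!{/$name/s/^/#/;}" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Exit 0 if an uncommented line for $name is still present in $file.
inetd_entry_active() {
    grep -v '^[[:space:]]*#' "$1" | grep -q "$2"
}

# Exit 0 if the setuid bit is set on $1.
is_setuid() {
    [ -u "$1" ]
}

# Remove the setuid bit from $1 and fail if it is somehow still there.
strip_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Demonstration on a constructed copy, never on the real /etc/inetd.conf.
demo() {
    dir=$(mktemp -d) || return 1
    conf="$dir/inetd.conf"
    cat > "$conf" <<'EOF'
# constructed Solaris inetd.conf fragment (sample, not from a live host)
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd  cachefsd
EOF
    disable_inetd_entry "$conf" rpc.rwalld
    disable_inetd_entry "$conf" cachefsd
    echo "--- $conf after edits ---"
    cat "$conf"
    # On the real host, finish with:
    #   kill -HUP `pgrep inetd`      # inetd re-reads the file (pgrep: Solaris 7+)
    #   pkill cachefsd               # stop the copy already running
    #   chmod u-s /usr/bin/admintool && ls -l /usr/bin/admintool
    rm -rf "$dir"
}

demo
```

The telnet line is left alone because only lines matching the service name are touched, and the `.bak` copy gives you a one-command rollback once the real patches arrive.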

Patches are available for both SPARC and Intel Solaris versions using xntpd. There is no workaround; after applying the patch, restart the daemon so the patched binary is the one running (# /etc/init.d/xntpd stop; # /etc/init.d/xntpd start).

Until a patch is released for the gzip problem, Sun recommends downloading a beta version of gzip 1.3.2 from ftp://alpha.gnu.org/gnu/gzip/gzip-1.3.2.tar.gz.

Final word
With all the focus that’s being placed on Microsoft’s security—or lack thereof—it’s important to remember that there are bugs in all software. The larger the target, the easier it is to hit, so Microsoft keeps turning up at the top of the bug lists. But that doesn’t mean that other popular software, such as Solaris, won’t occasionally share the same vulnerabilities or have flaws of its own. If you run Solaris in a business environment, protecting your organization from those bugs is paramount for your IT department.

People have accused me of Microsoft bashing, but I just try to report what I see as evenhandedly as possible. The frequent emphasis on Microsoft here is simply due to the company's massive market dominance. As Harry Truman once said, "I never give them hell. I just tell the truth and they think it is hell!"