Sun Microsystems’ Sun RPC (remote procedures call) library has been found to have a serious vulnerability in the external data representation (XDR) library. The Carnegie Mellon Computer Emergency Response Team (CERT) has warned that this code should be immediately patched wherever possible or the affected services should be disabled.

This integer overflow vulnerability in Sun’s XDR library, specifically the xdr_array(), can allow remote attackers to run arbitrary code on a system. Because of the different implementations, this flaw might also lead to a denial of service event or the disclosure of sensitive data.

Among the many programs affected by this flaw is the popular Kerberos authentication system created and maintained by MIT. Some Kerberos versions are not affected. It all depends on whether they have used the Sun XDR library.

Risk levels—critical
This is a serious flaw that is going to require a lot of administrators to take immediate action. The least dangerous situation would involve the vulnerability being used to trigger a DoS event. The worst case would allow a hacker to run the code of his or her choice on any vulnerable system.

A great many systems will have components installed that are vulnerable to this flaw. Check with your vendor for specific information if your components are not listed in this section. Their absence below does not mean that they aren’t vulnerable, unless the program or operating system is specifically listed as not being at risk. Here’s a rundown of popular software:

  • Mac OS is vulnerable.
  • Most GNU/Linux platforms are affected.
  • Red Hat is vulnerable.
  • Microsoft is checking. Since the company doesn’t use a fully compatible version of Kerberos, it may not have used the XDR library and thus may not be vulnerable. However, a determination hasn’t been made yet.
  • Silicon Graphics is checking to see whether any of its systems are affected.
  • Hewlett-Packard is also in the process of checking.
  • IBM reports that AIX 4.3.3 and 5.1.0 are vulnerable, but a patch hadn’t been released at the time this article was written.
  • MIT Kerberos 5 is vulnerable.
  • KTH and Heimdal, as well as other versions of Kerberos that do not use the Sun library, are not vulnerable.
  • Juniper Networks reports that SDX-300 Service Deployment System uses XDR, but not the Sun version, so its software doesn’t require any remediation.
  • Network Appliance NetApp systems are not affected.
  • Sun Microsystems, of course, is affected since the vulnerability lies in its library.

For those listed as still being checked, go to the vendor Web site or the official CERT advisory for the latest update.

Fix—patch where possible
The CERT advisory also lists patches for a number of vendors. Due to the wide variety of applications that make use of the XDR library, addressing the vulnerability can be a complex upgrade task requiring you to patch a number of pieces of code and recompile statically linked applications.

CERT recommends this procedure:

  1. Patch or obtain updated XDR/RPC libraries.
  2. Restart any dynamically linked services that make use of the XDR/RPC libraries.
  3. Recompile any statically linked applications using the patched or updated XDR/RPC libraries.

A Kerberos patch for standard installations is available at the Kerberos MIT site.

The patches listed below are already available. Others may have been released since this column was written, so check with your vendor’s Web site.

If there is no patch available for your application, you need to disable anything compiled using the unpatched xdr_array() function.

Final word
The dangers of using the same library over a wide array of operating systems has been amply demonstrated once again with a major flaw in Sun’s XDR library. While XDR serves a useful purpose by making it easy for different architectures to share information, that same ease means that this newly discovered flaw affects a wide range of computer systems.