CERT: Security flaw in Sun library affects Kerberos
- 08 August, 2002 07:51
A security hole in the XDR (External Data Representation) Library provided to a number of vendors by Sun Microsystems Inc. could allow an attacker to execute arbitrary code on an affected system or cause a denial of service, according to an advisory released Tuesday by the CERT Coordination Center (CERT/CC).
The flaw also affects the widely used Kerberos authentication software that allows users to securely log on to remote systems.
The vulnerability exists in XDR libraries derived from SunRPC (remote procedure call) used in products from Sun, as well as from Apple Computer Inc., IBM Corp. and a number of Linux and Unix distributions, CERT/CC said. These products include those that use the Sun network service library (libnsl), the BSD-derived XDR/RPC routines (libc) and the GNU C library with sunrpc (glibc), CERT/CC said.
The XDR Library is a method of sending processes from one system to another, usually over a network connection, without regard to platform, CERT/CC said.
The security hole is in the xdr_array component of the XDR Library, where an integer overflow could lead to a buffer overflow, according to CERT/CC. An attacker able to exploit these vulnerabilities would be able to run code of his or her choice on the target system, CERT/CC said.
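As an added illustration, not code from the advisory or from any of the affected libraries, the following simplified C model shows the defect class described above: an element count read from the wire is multiplied by the element size in 32-bit arithmetic, so a large count wraps to a tiny allocation while the decode loop still writes the full count. The function names and the constructed inputs are assumptions for the example; the hardened variant shows the overflow check a decoder needs before allocating.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (not the real library code) of an xdr_array-style size
 * computation: the element count c arrives from the network and is
 * multiplied by the element size to choose the allocation size.  Both are
 * 32-bit unsigned here, so the product wraps modulo 2^32. */

/* Unchecked product, as the vulnerable pattern computes it. */
unsigned int unchecked_alloc_size(unsigned int c, unsigned int elsize)
{
    return c * elsize;                 /* silently wraps on overflow */
}

/* Bytes the decode loop would actually write: c elements of elsize,
 * computed in 64 bits so nothing is truncated. */
uint64_t bytes_written(unsigned int c, unsigned int elsize)
{
    return (uint64_t)c * elsize;
}

/* Hardened variant: reject any count whose product would not fit, so the
 * buffer can never be smaller than what the loop writes.  Returns true and
 * stores the size on success, false when c * elsize would wrap. */
bool checked_alloc_size(unsigned int c, unsigned int elsize, unsigned int *out)
{
    if (elsize == 0) { *out = 0; return true; }
    if (c > UINT_MAX / elsize) return false;
    *out = c * elsize;
    return true;
}

/* Convenience for tests: does the hardened check reject this count? */
bool checked_rejects(unsigned int c, unsigned int elsize)
{
    unsigned int unused;
    return !checked_alloc_size(c, elsize, &unused);
}

/* True if an allocation of `alloc` bytes covers every byte the loop writes. */
bool allocation_covers_writes(unsigned int c, unsigned int elsize, unsigned int alloc)
{
    return bytes_written(c, elsize) <= alloc;
}

int main(void)
{
    /* Constructed input: a count chosen so that c * 4 == 2^32 + 4. */
    unsigned int c = 0x40000001u, elsize = 4, naive = unchecked_alloc_size(c, elsize);
    printf("unchecked: alloc %u bytes, loop writes %llu bytes, covered=%d\n", naive,
           (unsigned long long)bytes_written(c, elsize), allocation_covers_writes(c, elsize, naive));
    printf("checked: %s\n", checked_rejects(c, elsize) ? "rejected" : "accepted");
    return 0;
}
```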
Due to the number of systems that the XDR Library is included in, attacks can cause other problems, including denials of service and information disclosure, CERT/CC said. Also potentially troublesome is the effect of the flaw on Kerberos, which could allow an attacker to gain access to a trusted Kerberos realm, CERT/CC said.
Affected software includes Apple's Mac OS X and Mac OS X Server, Debian Linux 3, IBM's AIX 4.3.3 and 5.1.0, the Kerberos software developed by the Massachusetts Institute of Technology and Sun's Solaris 2.5.1 through 9.
Users should contact their vendors to inquire about patch status. A more complete list of affected vendors and products, as well as their patch status, can be found at http://www.cert.org/advisories/CA-2002-25.html.