Subject: FW: CERT Advisory CA-97.26 - statd
To: None <tech-security@NetBSD.ORG>
From: Simon Burge <>
List: tech-security
Date: 12/07/1997 12:59:11
I just saw this, and it mentions that NetBSD _isn't_ vulnerable because
statd isn't shipped.  It will be for the 1.3 release.  Are
we vulnerable?

------- Forwarded Message

>Date: Fri, 5 Dec 1997 17:09:21 -0500
>From: CERT Advisory <>
>Subject: CERT Advisory CA-97.26 - statd
>Organization: CERT(sm) Coordination Center -  +1 412-268-7090
>Precedence: bulk


CERT* Advisory CA-97.26
Original issue date: Dec. 5, 1997
Last revised:

Topic: Buffer Overrun Vulnerability in statd(1M) Program

-----------------------------------------------------------------------------

   The text of this advisory was originally released on December 5, 1997, as
   AA-97.29, developed by the Australian Computer Emergency Response Team. To
   more widely broadcast this information, we are reprinting the AUSCERT
   advisory here with their permission. Only the contact information at the
   end has changed: AUSCERT contact information has been replaced with CERT/CC
   contact information.

   We will update this advisory as we receive additional information.
   Look for it in an "Updates" section at the end of the advisory.


AUSCERT has received information that a vulnerability exists in the
statd(1M) program, available on a variety of Unix platforms.

This vulnerability may allow local users, as well as remote users to gain
root privileges.

Exploit information involving this vulnerability has been made publicly

This vulnerability is different to the statd vulnerability described
in CERT/CC advisory CA-96.09.

The vulnerability in statd affects various vendor versions of statd.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

-----------------------------------------------------------------------------

1.  Description

    AUSCERT has received information concerning a vulnerability in some
    vendor versions of the RPC server, statd(1M).

    statd provides network status monitoring.  It interacts with lockd to
    provide crash and recovery functions for the locking services on NFS.

    Due to insufficient bounds checking on input arguments which may be
    supplied by local users, as well as remote users, it is possible to
    overwrite the internal stack space of the statd program while it is
    executing a specific rpc routine.  By supplying a carefully designed
    input argument to the statd program, intruders may be able to force
    statd to execute arbitrary commands as the user running statd.  In most
    instances, this will be root.

    This vulnerability may be exploited by local users.  It can also be
    exploited remotely without the intruder requiring a valid local account
    if statd is accessible via the network.

    Sites can check whether they are running statd by:

        On system V like systems:
        # ps -fe |grep statd
        root   973     1  0 14:41:46 ?        0:00 /usr/lib/nfs/statd

        On BSD like systems:
        # ps -auxw |grep statd
        root       156  0.0  0.0   52    0 ?  IW   May  3  0:00 rpc.statd

    Specific vendor information regarding this vulnerability can be found
    in Section 3.

2.  Impact

    This vulnerability permits attackers to gain root privileges.  It can
    be exploited by local users.  It can also be exploited remotely without
    the intruder requiring a valid local account if statd is accessible
    via the network.

3.  Workarounds/Solution

    The statd program is available on many different systems.  As vendor
    patches are made available sites are encouraged to install them
    immediately (Section 3.1).

    If you are not using NFS in your environment then there is no need
    for the statd program to be running and it can be disabled (Section

3.1 Vendor information

    The following vendors have provided information concerning the
    vulnerability in statd.

        Digital Equipment Corporation
        Hewlett Packard
        IBM Corporation
        The NetBSD Project
        Red Hat Software
        Sun Microsystems

    Specific vendor information has been placed in Appendix A.

    If the statd program is required at your site and your vendor is not
    listed, you should contact your vendor directly.

    If you do not require the statd program then it should be disabled
    (Section 3.2).

3.2 Disabling statd

    The statd daemon is required as part of an NFS environment.  If you
    are not using NFS there is no need for this program and it can be
    disabled.  The statd (or rpc.statd) program is often started in the
    system initialisation scripts (such as /etc/rc* or /etc/rc*.d/*).
    If you do not require statd it should be commented out from the
    initialisation scripts.  In addition, any currently running statd
    should be identified using ps(1) and then terminated using kill(1).


Appendix A  Vendor information

The following information regarding this vulnerability for specific vendor
versions of statd has been made available to AUSCERT.  For additional
information, sites should contact their vendors directly.


No versions of BSD/OS are vulnerable to this problem.

Digital Equipment Corporation

DIGITAL UNIX V4.0 thru V4.0c

At the time of writing this document, patches (binary kits) are in progress
and final testing has been completed.  Distribution of the fix for this
problem is expected to begin soon.  Digital will provide notice of the
completion/availability of the patches through AES services (WEB, DIA,
DSNlink) and be available from your normal Digital Support channel.

                                DIGITAL EQUIPMENT CORPORATION    12/97

Hewlett Packard

This problem is in the investigation process.

IBM Corporation

AIX 3.2 and 4.1 are vulnerable to the statd buffer overflow.  However,
the buffer overflow described in this advisory was fixed when the APARs
for CERT CA-96.09 were released.  See the appropriate release below to
determine your action.

        AIX 3.2
        Apply the following fix to your system:

            APAR - IX56056 (PTF - U441411)

        To determine if you have this PTF on your system, run the following:

            lslpp -lB U441411

        AIX 4.1
        Apply the following fix to your system:

            APAR - IX55931

        To determine if you have this PTF on your system, run the following:

            instfix -ik IX55931

        Or run the following command:

            lslpp -h

        Your version of should be or later.

        AIX 4.2
        No APAR required.  Fix already contained in the release.

        APARs may be ordered using Electronic Fix Distribution (via
        FixDist) or from the IBM Support Center.  For more information on
        FixDist, reference URL:


        or send e-mail to with a subject of

        IBM and AIX are registered trademarks of International Business
        Machines Corporation.

The NetBSD project

NetBSD is not vulnerable to the statd buffer overflow. It does not ship
with NFS locking programs (statd/lockd).

Red Hat Linux

Red Hat Linux is not vulnerable to the statd buffer overflow.  No versions
of Red Hat Linux include statd in any form.

Sun Microsystems

The statd vulnerability has been fixed by the following patches:

        SunOS version   Patch Id
        -------------   --------

        5.5.1           104166-02
        5.5.1_x86       104167-02
        5.5             103468-03
        5.5_x86         103469-03
        5.4             102769-04
        5.4_x86         102770-04
        4.1.4           102516-06
        4.1.3_U1        101592-09

SunOS 5.6 and 5.6_x86 are not vulnerable to this problem.

The vulnerability described in this advisory is not the same as that
described in Sun Security Bulletin #135.

Sun recommended and security patches (including checksums) are available from:

AUSCERT maintains a local mirror of Sun recommended and security
patches at:

-----------------------------------------------------------------------------
AUSCERT thanks Peter Marelas (The Fulcrum Consulting Group), Tim MacKenzie
(The Fulcrum Consulting Group) and CERT/CC for their assistance in the
preparation of this advisory.
-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see

CERT/CC Contact Information
----------------------------

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key

Getting security information
   CERT publications and other security information are available from

   CERT advisories and bulletins are also posted on the USENET newsgroup

   To be added to our mailing list for advisories and bulletins, send
   email to
   In the subject line, type
        SUBSCRIBE  your-email-address

-----------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in and .
If you do not have FTP or web access, send mail to with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

-----------------------------------------------------------------------------

This file:
               click on "CERT Advisories"

Revision history



------- End of Forwarded Message
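Section 1 of the forwarded advisory attributes the problem to "insufficient bounds checking on input arguments" in one of statd's RPC routines, without naming the routine, the buffer or its size. The C below is an added illustration, not the source of any vendor's statd or of NetBSD's: it contrasts the unchecked copy pattern the advisory describes with a handler that verifies the caller-supplied argument fits its fixed buffer before copying. The handler name, the HOSTNAME_MAX size, the "monitoring" message and the test strings are all assumptions made up for the example.

```c
/* Illustrative example added to this page; not the source of any vendor's
 * statd.  The advisory says only that an RPC routine lacked bounds checks
 * on a caller-supplied argument.  The handler, buffer size and argument
 * names below are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTNAME_MAX 64          /* assumed size of the fixed stack buffer */

/* Unsafe pattern: the argument is copied with no length check, so an
 * argument of HOSTNAME_MAX bytes or more runs past 'host' into the
 * rest of the stack frame.  Kept here only to show the defect; main()
 * calls it only with an argument that fits. */
void record_host_unsafe(const char *arg)
{
    char host[HOSTNAME_MAX];
    strcpy(host, arg);           /* no bounds check */
    printf("monitoring %s\n", host);
}

/* Hardened form: reject an argument that does not fit (NUL included)
 * before anything is copied.  Returns 0 on success, -1 on rejection. */
int record_host_checked(const char *arg)
{
    char host[HOSTNAME_MAX];
    size_t n;

    if (arg == NULL)
        return -1;
    n = strlen(arg);
    if (n == 0 || n >= sizeof host)   /* empty, or too long to hold */
        return -1;
    memcpy(host, arg, n + 1);        /* length already verified */
    printf("monitoring %s\n", host);
    return 0;
}

/* Helper: run the checked handler on a constructed argument of 'len'
 * bytes of 'a', so the boundary can be exercised without an RPC client. */
int checked_accepts_length(size_t len)
{
    char *arg = malloc(len + 1);
    int rc;

    if (arg == NULL)
        return -1;
    memset(arg, 'a', len);
    arg[len] = '\0';
    rc = record_host_checked(arg);
    free(arg);
    return rc;
}

int main(void)
{
    record_host_unsafe("nfsclient.example.net");              /* fits */
    /* record_host_unsafe() with a 200-byte argument is the overrun. */
    printf("63 bytes -> %d\n", checked_accepts_length(63));   /* 0  */
    printf("64 bytes -> %d\n", checked_accepts_length(64));   /* -1 */
    printf("200 bytes -> %d\n", checked_accepts_length(200)); /* -1 */
    return 0;
}
```

The check is deliberately on the length the server measures itself (strlen of the decoded argument), not on any length the client claims in the request: an RPC server that trusts a client-supplied size is back where it started. The same test belongs at the top of every routine that copies a caller-supplied string into fixed storage, which is why disabling statd where NFS is not used (Section 3.2) removes the exposure entirely rather than just the one routine.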