[NILESA-20050101]: Denial of Service vulnerability due to the mountd bug
================================================================================
NileSOFT Security Advisory
--------------------------------------------------------------------------------
ID : NILESA-20050101
Title : Denial of Service vulnerability due to the mountd bug
Vendor : SCO
URL : www.sco.com
Product : UnixWare 7.1.4, 7.1.3, 7.1.1, 7.0.1 (and maybe other versions)
Severity: Moderate
Local : Yes
Remote : Yes
Date : 11 Jan. 2005
CVE ID : CAN-2004-1039
Author : Yun Jonglim / NileSOFT. Ltd(www.nilesoft.co.kr)
================================================================================
1. SUMMARY
The NFS mountd service for UnixWare OS is generally run by
the RC script(/etc/rc3.d/S22nfs) on the NFS server system's boot run-level 3.
When the NFS mountd service is run by inetd, if a NFS mount related request is
received from the remote (or local) host, inetd will repeatedly create
the mountd process and as a result increasingly consume memory.
2. VULNERABILITY DESCRIPTION
The UnixWare operating system provides the NFS mountd service by
RC script(/etc/rc3.d/S22nfs) by default. However, as shown below, the service
is registered in the inetd.conf configuration file so that the inetd daemon can
also provide the service.
# The mount server is usually started in /etc/rc.local only on machines that
# are NFS servers. It can be run by inetd as well.
#
#mountd/1 dgram rpc/udp wait root /usr/sbin/in.tcpd
/usr/lib/nfs/mountd
#mountd/1 dgram rpc/udp wait root /usr/lib/nfs/mountd mountd
By default, the mountd service registered in inetd.conf is commented out
(disabled) but the service can be enabled by removing the corresponding
'#' character and restarting inetd.(like below)
# The mount server is usually started in /etc/rc.local only on machines that
# are NFS servers. It can be run by inetd as well.
#
mountd/1 dgram rpc/udp wait root /usr/sbin/in.tcpd
/usr/lib/nfs/mountd
#mountd/1 dgram rpc/udp wait root /usr/lib/nfs/mountd mountd
Like this, when the NFS mountd service is configured to be run by inetd,
the mountd process is run when the NFS mount service related request is received
from the remote (or local) host as shown below.
showmount -e <affected_ip>
However, inetd does not created just one instance of the mountd process for the
request but repeatedly creates the process. This would cause the use of the
system memory to increase by time.
The same problem occurs regardless of which line or lines the # character is
removed. This problem has been identified for UnixWare versions 7.1.4 ~ 7.0.1
and other versions may also have this problem.
3. IMPACT
Due to the increase of the number of mountd processes, the system's memory
would become exhausted therefore resulting in system crash down.
4. REMEDY
Installation of the fixed binary packages will address this vulnerability.
Packages can be downloaded from below ftp site.
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.1
SCO had released Security Advisory SCOSA-2005.1.
http://www.sco.com/support/security/index.html
5. DISCLOSURE TIMELINE
2004/10/22 Vulnerability found and analysis
2004/11/08 CVE notified and candidate number reservation request
2004/11/16 CVE candidate reserved
2004/11/16 Vender notified and initial response
2005/01/07 Vender Confirmed and patch prepared
2005/01/11 Advisory released
6. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-1039 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.