Issue of September 2002 

Security watch

Integer overflow
There is an integer overflow in the xdr_array() function distributed as part of the Sun Microsystems XDR library. It results in remotely exploitable buffer overflows in multiple applications, which can lead to the execution of arbitrary code.

Multiple vendors have included the vulnerable code in their own implementations.

The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection.

The xdr_array() function in the XDR library contains an integer overflow that can lead to improperly sized dynamic memory allocation.
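
The arithmetic behind this class of flaw, as an added example that is neither Sun's xdr_array() source nor code from the original article: a simplified model in which an element count taken from the network is multiplied by the element size in 32-bit arithmetic, next to a checked version. The function names, the maxcount limit and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (hypothetical names), not the library's source.
 * count is the array length taken from the untrusted message. */

/* Unchecked: the product is reduced modulo 2^32, so a huge count
 * can yield a tiny allocation size. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Checked: returns the byte count, or -1 if count exceeds the
 * caller's limit or count * elsize does not fit in 32 bits. */
int64_t checked_alloc_size(uint32_t count, uint32_t elsize, uint32_t maxcount)
{
    if (count > maxcount)
        return -1;
    if (elsize != 0 && count > UINT32_MAX / elsize)
        return -1;
    return (int64_t)count * elsize;
}

/* Allocate room for count elements only when the size is sound. */
void *decode_array_alloc(uint32_t count, uint32_t elsize, uint32_t maxcount)
{
    int64_t nbytes = checked_alloc_size(count, elsize, maxcount);
    if (nbytes <= 0)
        return NULL;
    return calloc(1, (size_t)nbytes);
}

int main(void)
{
    uint32_t count = 0x40000001u, elsize = 4; /* constructed sample values */
    printf("unchecked size: %u bytes for %u elements\n",
           (unsigned)unchecked_alloc_size(count, elsize), (unsigned)count);
    printf("checked size:   %lld\n",
           (long long)checked_alloc_size(count, elsize, UINT32_MAX));
    void *p = decode_array_alloc(16, elsize, 1024);
    printf("16 elements:    %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

With the unchecked computation the buffer is sized for one element while the decoder still believes it holds over a billion, which is the improperly sized allocation described above.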

As the XDR library is used by various vendors in a variety of applications, the flaw can lead to numerous security issues. The vulnerability can lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. Some specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind). Intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services.

Systems Affected
Some applications using vulnerable implementations of SunRPC-derived XDR libraries.

  • Sun Microsystems network services library (libnsl)
  • BSD-derived libraries with XDR/RPC routines (libc)
  • GNU C library with SunRPC (glibc)

Solution/Patches
The libraries can be used by multiple applications on most systems. It may be imperative to upgrade or apply multiple patches. Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.

For more details check sunsolve.sun.com/security


Trojan horse version of OpenSSH
It has been reported that some copies of the source code for the OpenSSH package have been modified by an intruder and contain a Trojan horse.

The following files were modified to include the malicious code:

  • openssh-3.4p1.tar.gz
  • openssh-3.4.tgz
  • openssh-3.2.2p1.tar.gz

The Trojan horse versions of OpenSSH contain malicious code that is run when the software is compiled. This code connects to a fixed remote server on 6667/tcp. It can then open a shell running as the user who compiled OpenSSH. Anyone who has installed OpenSSH from the OpenBSD ftp server or any mirror within that time frame should consider his system compromised. The Trojan allows the attacker to gain control of the system as the user compiling the binary. Arbitrary commands can be executed.

Systems Affected
OpenSSH versions 3.2.2p1, 3.4p1 and 3.4 have been infected on the OpenBSD ftp server and potentially propagated via the normal mirroring process to other ftp servers.

Solution/Patches
Sites that have downloaded a copy of the OpenSSH distribution need to verify the authenticity of their distribution, regardless of where it was obtained.

You can use the MD5 checksums to verify the integrity of your OpenSSH source code distribution.

Vendor specific patches are available at their respective websites.

NetBSD
Neither the OpenSSH in the base NetBSD system nor the OpenSSH distribution files available from ftp.netbsd.org have been compromised with this trojan code.

NetBSD mirror sites that retrieve their copy from ftp.netbsd.org are also unaffected.

Nortel Networks
Nortel Networks products and solutions are not affected by the vulnerabilities identified.

IBM Corporation
IBM's AIX operating system does not ship with OpenSSH—OpenSSH is available for installation on AIX via the Linux Affinity Toolkit. The packages currently available on the website do not contain the trojan code. It has been verified that the OpenSSH packages were generated from clean source packages from the OpenSSH organization.

 
     

Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD