August 07, 2002, 4:20 PM — A security hole in the XDR (External Data Representation) Library provided to a number of vendors by Sun Microsystems Inc. could allow an attacker to execute arbitrary code on an affected system or cause a denial of service, according to an advisory released Tuesday by the CERT Coordination Center (CERT/CC).
The flaw also affects the widely used Kerberos authentication software that allows users to securely log on to remote systems.
The vulnerability exists in XDR libraries derived from SunRPC (remote procedure call) used in products from Sun, as well as from Apple Computer Inc., IBM Corp. and a number of Linux and Unix distributions, CERT/CC said. These products include those that use the Sun network service library (libnsl), the BSD-derived XDR/RPC routines (libc) and the GNU C library with sunrpc (glibc), CERT/CC said.
The XDR Library is a method of sending processes from one system to another, usually over a network connection, without regard to platform, CERT/CC said.
The security hole is in the xdr_array component of the XDR Library, where an integer overflow could lead to a buffer overflow, according to CERT/CC. An attacker who exploited the vulnerability would be able to run code of his or her choice on the target system, CERT/CC said.
Because of the number of systems that include the XDR Library, attacks can also cause other problems, including denials of service and information disclosure, CERT/CC said. Also potentially troublesome is the flaw's effect on Kerberos, which could allow an attacker to gain access to a trusted Kerberos realm, CERT/CC said.
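The integer-overflow-to-buffer-overflow pattern described for xdr_array, shown as an added example that is not code from the XDR Library or from the advisory: a constructed array decoder whose size calculation is given in unchecked and checked form. The function names, the 4-byte big-endian count layout and the `maxcount` limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked size: the 32-bit product wraps modulo 2^32, so a huge
 * element count can yield a tiny allocation request. */
uint32_t nbytes_unchecked(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Checked size: reject counts above the caller's limit or whose product
 * with elsize does not fit in 32 bits. Returns 0 on success, -1 if not. */
int nbytes_checked(uint32_t count, uint32_t elsize, uint32_t maxcount,
                   uint32_t *out)
{
    if (count > maxcount || (elsize != 0 && count > UINT32_MAX / elsize))
        return -1;
    *out = count * elsize;
    return 0;
}

/* Hypothetical decoder for a counted array (constructed wire layout:
 * 4-byte big-endian count, then count * elsize bytes of elements).
 * Returns a malloc'd copy of the elements, or NULL if input is rejected. */
void *decode_array(const uint8_t *buf, size_t len, uint32_t elsize,
                   uint32_t maxcount, uint32_t *count_out)
{
    uint32_t count, nbytes;
    void *out;
    if (len < 4)
        return NULL;
    count = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
            ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    /* Size must not wrap, and the payload must actually be present. */
    if (nbytes_checked(count, elsize, maxcount, &nbytes) != 0 || nbytes > len - 4)
        return NULL;
    out = malloc(nbytes ? nbytes : 1);
    if (out != NULL) {
        memcpy(out, buf + 4, nbytes);
        *count_out = count;
    }
    return out;
}

int main(void)
{
    uint32_t n = 0;
    printf("unchecked: %u bytes\n", (unsigned)nbytes_unchecked(0x40000001u, 4));
    printf("checked:   %d\n", nbytes_checked(0x40000001u, 4, UINT32_MAX, &n));
    return 0;
}
```

With the unchecked calculation, a decoder would allocate the wrapped size and then write elements for the full count; the checked form refuses the input before any allocation happens.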
Affected software includes Apple's Mac OS X and Mac OS X Server, Debian Linux 3, IBM's AIX 4.3.3 and 5.1.0, the Kerberos software developed by the Massachusetts Institute of Technology and Sun's Solaris 2.5.1 through 9.
Users should contact their vendors to inquire about patch status. A more complete list of affected vendors and products, as well as their patch status, can be found at http://www.cert.org/advisories/CA-2002-25.html.