CVE-2004-1039
CVSS 5.0
Published: 2005-01-11 00:00:00
Modified: 2008-09-05 16:40:10

[Original text] The NFS mountd service on SCO UnixWare 7.1.1, 7.1.3, 7.1.4, and 7.0.1, and possibly other versions, when run from inetd, allows remote attackers to cause a denial of service (memory exhaustion) via a series of requests, which causes inetd to launch a separate process for each request.


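[CNNVD] SCO UnixWare NFS denial-of-service vulnerability (CNNVD-200501-236)

        SCO UnixWare is a UNIX operating system.
        The NFS mountd service in SCO UnixWare 7.1.1, 7.1.3, 7.1.4 and 7.0.1 has a denial-of-service vulnerability. Other versions may also be affected.
        When NFS mountd is run from inetd, a remote attacker can send a series of requests that cause inetd to start a process to answer each request, which exhausts memory and results in a denial of service.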

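- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may reduce performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)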

cpe:/o:sco:unixware:7.1.1
cpe:/o:sco:openserver:5.0.6
cpe:/o:sco:openserver:5.0.7
cpe:/o:sco:unixware:7.1.4
cpe:/o:sco:unixware:7.1.3

- OVAL (technical details used for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1039
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1039
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-236
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/386814
(VENDOR_ADVISORY)  BUGTRAQ  20050111 [NILESA-20050101]: Denial of Service vulnerability due to the mountd bug
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.1/SCOSA-2005.1.txt
(VENDOR_ADVISORY)  SCO  SCOSA-2005.1
http://www.securityfocus.com/bid/12225
(UNKNOWN)  BID  12225
http://secunia.com/advisories/13805
(UNKNOWN)  SECUNIA  13805

- Vulnerability information

SCO UnixWare NFS denial-of-service vulnerability
Medium severity, design error
2005-01-11 00:00:00 2005-10-20 00:00:00
Remote / Local

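- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.1/SCOSA-2005.1.txt

- Vulnerability information (F35688)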

NILESA-20050101.txt (PacketStormID:F35688)
2005-01-12 00:00:00
Yun Jonglim  nilesoft.co.kr
advisory,denial of service
unixware
CVE-2004-1039

SCO UnixWare mountd suffers from a denial of service vulnerability. Versions 7.1.4, 7.1.3, 7.1.1, and 7.0.1 are affected.

================================================================================
                        NileSOFT Security Advisory
--------------------------------------------------------------------------------
ID       : NILESA-20050101
Title    : Denial of Service vulnerability due to the mountd bug
Vendor   : SCO
URL      : www.sco.com
Product  : UnixWare 7.1.4, 7.1.3, 7.1.1, 7.0.1 (and maybe other versions)
Severity : Moderate
Local    : Yes
Remote   : Yes
Date     : 11 Jan. 2005
CVE ID   : CAN-2004-1039
Author   : Yun Jonglim / NileSOFT. Ltd (www.nilesoft.co.kr)
================================================================================

 

1. SUMMARY

The NFS mountd service for UnixWare OS is generally run by
the RC script (/etc/rc3.d/S22nfs) on the NFS server system's boot run-level 3.

When the NFS mountd service is run by inetd, if an NFS mount related request is
received from the remote (or local) host, inetd will repeatedly create
the mountd process and as a result increasingly consume memory.

 

 

2. VULNERABILITY DESCRIPTION

The UnixWare operating system provides the NFS mountd service by
RC script (/etc/rc3.d/S22nfs) by default. However, as shown below, the service
is registered in the inetd.conf configuration file so that the inetd daemon can
also provide the service.

    # The mount server is usually started in /etc/rc.local only on machines that
    # are NFS servers.  It can be run by inetd as well.
    #
    #mountd/1        dgram   rpc/udp wait root /usr/sbin/in.tcpd       /usr/lib/nfs/mountd
    #mountd/1        dgram   rpc/udp wait root /usr/lib/nfs/mountd   mountd

By default, the mountd service registered in inetd.conf is commented out
(disabled) but the service can be enabled by removing the corresponding
'#' character and restarting inetd (like below).

    # The mount server is usually started in /etc/rc.local only on machines that
    # are NFS servers.  It can be run by inetd as well.
    #
    mountd/1          dgram   rpc/udp wait root /usr/sbin/in.tcpd       /usr/lib/nfs/mountd
    #mountd/1        dgram   rpc/udp wait root /usr/lib/nfs/mountd   mountd

Like this, when the NFS mountd service is configured to be run by inetd,
the mountd process is run when the NFS mount service related request is received
from the remote (or local) host as shown below.

    showmount -e <affected_ip>

However, inetd does not create just one instance of the mountd process for the
request but repeatedly creates the process. This would cause the use of the
system memory to increase over time.

The same problem occurs regardless of which line or lines the # character is
removed from. This problem has been identified for UnixWare versions 7.1.4 ~ 7.0.1
and other versions may also have this problem.

 

 

3. IMPACT

Due to the increase in the number of mountd processes, the system's memory
would become exhausted, resulting in a system crash.

 

 

4. REMEDY

Installation of the fixed binary packages will address this vulnerability.
Packages can be downloaded from the FTP site below.
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.1

SCO has released Security Advisory SCOSA-2005.1.
http://www.sco.com/support/security/index.html

 

 

5. DISCLOSURE TIMELINE

2004/10/22 Vulnerability found and analysis
2004/11/08 CVE notified and candidate number reservation request
2004/11/16 CVE candidate reserved
2004/11/16 Vendor notified and initial response
2005/01/07 Vendor confirmed and patch prepared
2005/01/11 Advisory released

 

 

6. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-1039 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
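
A configuration check for the condition the advisory describes, added here as an example and not part of the NileSOFT advisory or the SCO fix: it reports any mountd entry that is enabled (not commented out) in an inetd.conf-style file. The function names, the output format and the sample file are assumptions; the sample is constructed from the excerpt quoted in section 2.

```shell
#!/bin/sh
# Added example: report enabled mountd entries in an inetd.conf-style file.
# Returns 1 if any entry is enabled, 0 if none, 2 if the file is unreadable.
audit_inetd_mountd() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # commented-out or blank: disabled
        {
            split($1, svc, "/")             # RPC services are named name/version
            if (svc[1] != "mountd") next
            wrapped = ($6 ~ /tcpd$/) ? "yes" : "no"
            printf "line %d: %s %s %s user=%s server=%s tcpd=%s\n",
                   NR, $1, $3, $4, $5, $6, wrapped
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$conf"
}

# Constructed sample input modelled on the inetd.conf excerpt in the advisory.
write_sample_conf() {
    cat > "$1" <<'EOF'
# The mount server is usually started in /etc/rc.local only on machines that
# are NFS servers.  It can be run by inetd as well.
#
mountd/1          dgram   rpc/udp wait root /usr/sbin/in.tcpd       /usr/lib/nfs/mountd
#mountd/1        dgram   rpc/udp wait root /usr/lib/nfs/mountd   mountd
EOF
}

sample=${TMPDIR:-/tmp}/inetd.conf.sample.$$
write_sample_conf "$sample"
audit_inetd_mountd "$sample" || echo "mountd is enabled under inetd in $sample"
rm -f "$sample"
```

On a real host, pass the system's own inetd.conf path to `audit_inetd_mountd`; a non-zero return means the host is in the configuration the advisory covers and should either have the entry commented out again or have the SCOSA-2005.1 packages installed.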
    

- Vulnerability information

12866
SCO UnixWare mountd Multiple Process Creation DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

SCO UnixWare contains a flaw that may allow a remote denial of service. The issue is triggered when mountd is run by inetd which may allow an attacker to create multiple mountd processes by issuing multiple NFS related mount requests, consuming memory resources which may result in loss of availability for the system.

- Timeline

2005-01-11 Unknown
2005-01-11 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, SCO has released a patch to address this vulnerability.


- Vulnerability information

SCO UnixWare NFS Mountd Denial of Service Vulnerability
Design Error 12225
Yes Yes
2005-01-11 12:00:00 2009-07-12 09:27:00
Discovery is credited to Jonglim Yun <abc@nilesoft.co.kr>.

- Affected software versions

SCO Unixware 7.1.4
SCO Unixware 7.1.3
SCO Unixware 7.1.1
Avaya Intuity Audix R5 0

- Vulnerability discussion

SCO UnixWare is reported prone to a denial of service vulnerability. This issue may allow an attacker to exhaust excessive resources on a vulnerable computer.

The vulnerability arises when the mountd service is registered in inetd.conf. A local or remote attacker may initiate an NFS mount service request to trigger this vulnerability.

This issue affects UnixWare 7.1.1, 7.1.3, and 7.1.4.

- Exploit

An exploit is not required.

- Solution

The vendor has released advisory SCOSA-2005.1 with fixes to address this issue.

Avaya has released an advisory (ASA-2005-029) stating that Intuity Audix R5 is vulnerable to this issue. This vulnerability is going to be addressed in an upcoming release of Intuity Audix R5. Please see the Avaya advisory at the following location for more information:

http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=215716&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()


SCO Unixware 7.1.1

SCO Unixware 7.1.3

SCO Unixware 7.1.4
