RPC statd remote file creation and removal |
---|
Risk Level: | High | Check or Attack Name: rpcstatd |
---|---|---|
Platforms: | AIX, IRIX, DG/UX, HPUX: 9.x, NEC EWS-UX/V, NEC UP-UX/V, NEC UX/4800, NeXT STEP, HPUX: 10.x, NCR MP-RAS | |
Description: | A remote rpc.lockd can provide false information to rpc.statd, allowing a file to be removed or created. rpc.statd maintains state information in cooperation with rpc.lockd to provide crash and recovery functionality for file locking across NFS. Because statd does not validate the information it receives from the remote lockd, an attacker can send a remote procedure call that results in the creation or removal of any file on the system. |
|
Remedy: | Obtain and install the appropriate patch for your operating system, or follow the vendor's instructions. Select from the following operating systems:
Hewlett-Packard: Before installing the patch, read Security Advisory HPSBUX9607-032 "Security Vulnerability in rpc.pcnfsd & rpc.statd." This document is available after logging in by clicking the Search Technical Knowledge Base link and typing any of the patch IDs as the search string. The HP Patch Database requires a no-cost password and is located at http://us-support.external.hp.com/wpsl/bin/doc.pl/. After logging in, go to Individual Patches (Patch Database) and search for HP-UX Patches that match your vulnerable version and its corresponding patch(es). Series 300/400 HP-UX 9.X: PHNE_7371 and PHNE_7372; Series 700/800 HP-UX 9.X: PHNE_7072; Series 700/800 HP-UX 10.X: PHNE_7073; Series 700 HP-UX 9.08 BLS: PHNE_8015; Series 700 HP-UX 9.09 BLS: PHNE_8016; Series 700 HP-UX 9.09+ BLS: PHNE_8017; Series 700 HP-UX 10.09 CMW: PHNE_8018; Series 700 HP-UX 10.09.01 CMW: PHNE_8019; Series 700 HP-UX 10.16 CMW: PHNE_8020.
IBM: AIX 3.2: APAR IX56056; AIX 4.1: APAR IX55931. IBM patches are located at http://aix.boulder.ibm.com/aix.us/aixfixes. Type the APAR number to obtain information or the patch.
Sony: NEWS-OS Patch IDs: 0124, 6063, 6176, and 6207. NEWS-OS Patches are available from ftp://ftp1.sony.co.jp/pub/patch/news-os/un-official. Note: This site may be slow in responding.
DEC (Digital Equipment Corporation): Ultrix ECO ID#: SSRT03901; OSF/1 ECO ID#: SSRT038301 at http://www.service.digital.com/html/patch_service.htm.
Sun Microsystems: SunOS 4.1.3: 100988-05; SunOS 4.1.3_U1: 101592-09; SunOS 4.1.4: 102516-06; SunOS 5.3: 102932-03; SunOS 5.4: 102769-04; SunOS 5.4x86: 102770-04; SunOS 5.5: 103468-03; SunOS 5.5x86: 103469-03. SunOS 5.6 and 5.6_x86 are not vulnerable to this problem. SunOS Patches are available at http://sunsolve.sun.com/sunsolve/pubpatches/patches.html.
Silicon Graphics: Prior to IRIX 5.3: Upgrade to IRIX 5.3 or later, or use temporary fix described in the SGI Security Advisory; IRIX 5.3: Patch 1391; IRIX 6.x: Not vulnerable. Before installing the patch, read SGI Security Advisory 19971201-01-P: "Buffer Overrun Vulnerability in statd(1M) Program" at ftp://sgigate.sgi.com/security/19971201-01-P1391. SGI Patches are available at http://www.sgi.com/Support/security/security.html. Previous versions must upgrade or use temporary fix described in the security advisory. The specific patch to fix this issue on IRIX 5.3 platforms is available from ftp://sgigate.sgi.com/patches/5.3/patch1391.tar. |
|
References: | CERT Advisory CA-96.09, Vulnerability in rpc.statd, http://www.cert.org/ftp/cert_advisories/CA-96.09.rpc.statd
AUSCERT Advisory AA-97.29, statd Buffer Overrun Vulnerability, ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.29.statd.overflow.vul
Silicon Graphics Inc. Security Advisory 19971201-01-P1391, Buffer Overrun Vulnerability in statd(1M) Program, ftp://sgigate.sgi.com/security/19971201-01-P1391
Hewlett-Packard Security Bulletin HPSBUX9607-032, Security Vulnerability in rpc.pcnfsd & rpc.statd, http://us-support.external.hp.com/
Sun Microsystems, Inc. Security Bulletin #00135, Vulnerability with the statd program, http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/135 |
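
To find hosts whose patch level needs checking against the Remedy list, one approach is to look for the statd and lockd registrations in `rpcinfo -p` output. The script below is an added example, not part of the original advisory; it relies on the well-known RPC program numbers 100024 (status, rpc.statd) and 100021 (nlockmgr, rpc.lockd), and the sample listings and port numbers are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): find rpc.statd / rpc.lockd
# registrations in `rpcinfo -p` output so hosts that need their patch
# level verified can be identified.
# Well-known RPC program numbers: 100024 = status (rpc.statd),
# 100021 = nlockmgr (rpc.lockd).

# Reads a portmapper listing on stdin; prints one line per registration.
find_lock_services() {
    awk '
        $1 == "program" { next }   # skip the header row
        NF < 4          { next }   # skip blank or truncated rows
        $1 == 100024 { printf "statd %s/%s v%s\n", $3, $4, $2 }
        $1 == 100021 { printf "lockd %s/%s v%s\n", $3, $4, $2 }
    '
}

# Exit status 0 if rpc.statd is registered in the listing on stdin.
statd_registered() {
    find_lock_services | grep '^statd ' >/dev/null
}

# Constructed sample: a host running the NFS locking services.
SAMPLE_NFS='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    733  status
    100024    1   tcp    735  status
    100021    1   udp   1026  nlockmgr'

# Constructed sample: portmapper only, no locking services.
SAMPLE_CLEAN='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper'

# Demo on the constructed listing. Against a host you administer:
#   rpcinfo -p HOSTNAME | find_lock_services
printf '%s\n' "$SAMPLE_NFS" | find_lock_services
```

A registration only shows that the service is running; whether it is fixed still has to be confirmed against the vendor patch IDs listed under Remedy.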