SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   Nfs Vendors:   Apple
(Apple Issues Fix) Network File System (NFS) Flaw in Processing Zero-Length RPC Messages Allows Remote Users to Crash the System
SecurityTracker Alert ID:  1008230
SecurityTracker URL:  http://securitytracker.com/id/1008230
CVE Reference:   CVE-2002-0830   (Links to External Site)
Date:  Nov 18 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A denial of service vulnerability was reported in the Network File System (NFS) code. A remote user could cause the NFS server to crash.

It is reported that the NFS code that processes incoming remote procedure call (RPC) messages contains a flaw. A remote user can send an RPC message with a zero-length payload to cause the NFS server to reference the payload from the previous message, creating a loop in the message chain. The resulting infinite loop could cause the NFS process or the entire server to crash.

[Editor's note: This was reported by FreeBSD in August 2002.]

Impact:   A remote user can cause the NFS server to crash.
Solution:   Apple has released a fix as part of Mac OS X 10.3 Panther.
Vendor URL:  www.apple.com/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  prior to 10.3

Message History:   This archive entry is a follow-up to the message listed below.
Sep 17 2002 Network File System (NFS) Flaw in Processing Zero-Length RPC Messages Allows Remote Users to Crash the System



 Source Message Contents

Subject:  APPLE-SA-2003-10-28 Mac OS X 10.3 Panther


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2003-10-28 Mac OS X 10.3 Panther

Mac OS X 10.3 Panther has been released, and it contains the following
security enhancements:

Finder: Fixes CAN-2003-0876 where folder permissions may not be
   preserved when copying a folder from a mounted volume such as a
   disk image.  Credit to Dave G. from @stake, Inc. for finding this
   issue.

Kernel: Fixes CAN-2003-0877 where if a system is running with core
   files enabled, a user with interactive shell access can overwrite
   arbitrary files, and read core files created by root-owned
   processes.  This may result in sensitive information such as
   authentication credentials being compromised. Core file creation is
   disabled by default on Mac OS X. Credit to Dave G. from @stake,
   Inc. for finding this issue.

slpd:  Fixes CAN-2003-0878 when Personal File Sharing is enabled, the
   slpd daemon may create a root-owned file in the /tmp directory.
   This could overwrite an existing file and allow a user to gain
   elevated privileges. Personal File Sharing is off by default in Mac
   OS X.  Credit to Dave G. from @stake, Inc. for finding this issue.

Kernel: Fixes CAN-2003-0895 where it may be possible for a local user
   to cause the Mac OS X kernel to crash by specifying a long command
   line argument. The machine will reboot on its own after several
   minutes. Credit to Dave G. from @stake, Inc. for finding this
   issue.

ktrace: Fixes CVE-2002-0701 a theoretical exploit when ktrace is
   enabled through the KTRACE kernel option, a local user might be
   able to obtain sensitive information.  No specific utility is
   currently known to be vulnerable to this particular problem.

nfs: Fixes CVE-2002-0830 for the Network File System where a remote
   user may be able to send RPC messages that cause the system to lock
   up.

zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS
   X that used the vulnerable gzprintf() function, the underlying
   issue in zlib has been fixed.

gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4
   utility. No setuid root programs relied on gm4 and this fix is a
   preventative measure against a possible future exploit.

OpenSSH: Fixes CAN-2003-0386 where "from=" and "user@hosts"
   restrictions are potentially spoofable via reverse DNS for
   numerically specified IP addresses. Mac OS X 10.3 also incorporates
   prior fixes released for OpenSSH, and the version of OpenSSH as
   obtained via the "ssh -V" command is:
   OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
   0x0090702f

nidump:  Fixes CAN-2001-1412 where the nidump utility provides access
   to the crypted passwords used to authenticate logins.

System Preferences:  Fixes CAN-2003-0883 where after authenticating
   with an administrator password, the system will continue to allow
   access to secure Preference Panes for a short period of time.  This
   could allow a local user to access Preference Panes that they would
   not normally be able to use.  In Mac OS X 10.3 Security
   preferences, there is now a choice to "Require password to unlock
   each secure system preference". Credit to Anthony Holder for
   reporting this issue.

TCP timestamp: Fixes CAN-2003-0882 where the TCP timestamp is
   initialized with a constant number. This could allow a person to
   discover how long the system has been up based upon the ID in TCP
   packets.  In Mac OS X 10.3, the TCP timestamp is now initialized
   with a random number. Credit to Aaron Linville for reporting this
   issue and submitting a fix via the Darwin open source program.

Mail:  Fixes CAN-2003-0881 in the Mac OS X Mail application, if an
   account is configured to use MD5 Challenge Response, it will
   attempt to login using CRAM-MD5 but will silently fall back to
   plain-text if the hashed login fails. Credit to Chris Adams for
   reporting this issue.

Dock: Fixes CAN-2003-0880 when Full Keyboard Access is turned on via
   the Keyboard pane in System Preferences, Dock functions can be
   accessed blindly from behind Screen Effects.
   
Other security features:  Mac OS X 10.3 contains a number of other
   security features which may be found at:
   http://www.apple.com/macosx/features/security/
    
================================================

Further information on Mac OS X 10.3 may be obtained from:
http://www.apple.com/macosx/
    
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQEVAwUBP56rFXeI0z6bzFr0AQIvKAgAg781rk+PU4rGZAo4/5z6OCD6f8cdy7ra
cyP9Ojg8u58g4UisHF4cF9gvVq99TT5WXhMEHZHE+/TFetUj08xyY6q5FJa9VtNg
YcO66fwHGKjB7AlXJmux/nwV0r2x8hqyx2Q0PHCgPMo9MWtO3/tUM6Gpc8kA/JeH
Rd0Csw3ejm4zBIP/t5C5QY/20KZJ9i5S48Nw6neLmJf/mBAfjvMkZM1R+pPN/58A
BwSiuILg8qxE2kf4roMJUTSOf8ToFGTD8X5sp/p15YBzjvknVV5ls7XHCwlkz+iF
W04E3CFbeX9ixTtrHPzStPKAtiRwai1oqx0LRd2mApnYTvbl9lMCOw==
=PJi8
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC