Bob!
> The calendar manager (rpc.cmsd) on Solaris 2.5 and 2.5.1 is vulnerable
> to a buffer overflow
> attack...
> ... we have seen the
> intruder delete administrator
> logs, change homepages, and insert backdoors. The attack signature is
> similar to the tooltalk attack.
Can you confirm that compromised system(s) were equipped with CDE? Or in
other words was it /usr/dt/bin/rpc.cmsd that was assigned to do the job
in /etc/inetd.conf?
> Further, it appears that even patched versions may be
> vulnerable.
Could you be more specific here and tell exactly which patches are you
talking about?
> Also, rpc.cmsd under
> Solaris 2.6 could also be problematic.
I want to point out that there is a rather fresh 105566-07 for Solaris
2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed.
There is rather old 103670-03 for Solaris 2.5[.1] which claims "1264389
rpc.cmsd security problem." fixed. Then there is 104976-03 claiming
"1265008 : Solaris 2.x rpc.cmsd vulnerabity" fixed. Are these the ones
you refer to as "patched versions" and "could be problematic"?
Andy.
