By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The flaw also affects the widely used Kerberos authentication software that allows users to securely log on to remote systems.
The vulnerability exists in XDR libraries derived from SunRPC (remote procedure call) used in products from Sun, as well as those from Apple Computer, IBM and a number of Linux and Unix distributions, CERT/CC said.
These products include those that use the Sun network service library (libnsl), the BSD-derived XDR/RPC routines (libc) and the GNU C library with sunrpc (glibc), CERT/CC said.
The XDR Library is a method of sending processes from one system to another, usually over a network connection, without regard to platform, CERT/CC said.
The security hole comes in the xdr_array component of the XDR Library, where an integer overflow problem could lead to a buffer overflow, according to CERT/CC. Were an attacker to exploit these vulnerabilities, he or she would be able to run code of their choice on the target system, CERT/CC said.
Because of the number of systems that the XDR Library is included in, attacks can cause other problems, including denials of service and information disclosure, CERT/CC said.
Also potentially troublesome is the effect of the flaw on Kerberos, which could allow an attacker to gain access to a trusted Kerberos realm, CERT/CC said.
Affected software includes Apple's Mac OS X and Mac OS X Server, Debian Linux 3, IBM's AIX 4.3.3 and 5.1.0, the Kerberos software developed by the Massachusetts Institute of Technology and Sun's Solaris 2.5.1 through 9.
Users should contact their vendors to inquire about patch status. A more complete list of affected vendors and products, as well as their patch status, can be found at www.cert.org/advisories/CA-2002-25.html.