
Solaris ‘rwall daemon’ At Risk

Written By
Michael Singer
May 2, 2002

Officials with the CERT Coordination Center warned Wednesday that they have discovered serious holes that affect some Sun Microsystems servers.

The format string vulnerability affects the rwall daemon (rpc.rwalld) in Sun Solaris 2.5.1, 2.6, 7, and 8. CERT said Hewlett-Packard servers; IBM’s AIX operating system, versions 4.3.x and 5.1L; and NetBSD are not at risk.

The rwall daemon is a utility used to listen for wall requests on the network. When a request is received, it calls wall, which sends the message to all terminals of a time-sharing system. The vulnerability may permit an intruder to execute code with the privileges of the rwall daemon.

CERT said a user identified as “GOBBLES” identified the vulnerability, which has been documented at the CERT home site, but the organization said it has not seen active scanning or exploitation of the hole.

So how bad is the hole? CERT said an intruder could consume system resources and potentially prevent wall from executing, which would trigger the rwall daemon’s error message.

“The vulnerability may be exploited both locally and remotely, although remote exploitation is significantly more difficult,” CERT said in a statement.

Sun confirmed the problem late Wednesday, but the Palo Alto, Calif.-based networking giant said exploiting the issue relies on a combination of events, including the exhaustion of system resources, which are difficult for a remote user to control. The company said it is currently generating patches for the problem and will issue a Sun Security Bulletin as soon as the patches are available. In the interim, the company suggests disabling rpc.rwalld(1M) in inetd.conf as a workaround.
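The interim workaround Sun suggests, as an added shell example (not from the article, Sun or CERT): it counts the active rpc.rwalld entries in an inetd.conf and writes a copy with them commented out. The sample file, including its entry layout and paths, is constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for an active rpc.rwalld entry and
# produce a copy with that entry commented out.

# Print how many uncommented lines launch rpc.rwalld.
# $1 is the first field, so leading whitespace before '#' is handled.
count_active_rwalld() {
    awk '$1 !~ /^#/ && /rpc\.rwalld/ { n++ } END { print n + 0 }' "$1"
}

# Emit the file on stdout with every active rpc.rwalld line commented out;
# all other lines, including existing comments, pass through unchanged.
disable_rwalld() {
    awk '$1 !~ /^#/ && /rpc\.rwalld/ { print "#" $0; next } { print }' "$1"
}

# Constructed sample input (assumed layout, not taken from a real host).
make_sample() {
    cat <<'EOF'
# constructed sample inetd.conf
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
#sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
EOF
}

# Run the audit on the sample and show what would change.
demo() {
    src=$(mktemp) || return 1
    dst=$(mktemp) || return 1
    make_sample > "$src"
    echo "active rpc.rwalld entries before: $(count_active_rwalld "$src")"
    disable_rwalld "$src" > "$dst"
    echo "active rpc.rwalld entries after:  $(count_active_rwalld "$dst")"
    diff "$src" "$dst" || true   # diff exits non-zero when the files differ
    rm -f "$src" "$dst"
}

demo
```

On a real host the edited file replaces inetd.conf only after review, and inetd has to re-read its configuration (SIGHUP) before the change takes effect.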

CERT said if disabling the rwall daemon is not an option, Solaris owners at risk should implement a firewall to limit access to rpc.rwalld (typically port 32777/UDP). However, the group said that solution would not mitigate all vectors of attack.
