Software Engineering Institute

After creating a local file on the system, an attacker can exploit a stack overflow in cachefsd to execute arbitrary code with the privileges of the cachefsd process, typically root. Sun Microsystems has released a Sun Alert Notification that addresses this issue as well as the issue described in VU#635811.

The Australian Computer Emergency Response Team has also issued an advisory related to incident activity exploiting cachefsd:

http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.01.txt

http://www.eSecurityOnline.com/advisories/eSO4198.asp

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0084

An attacker can execute code with the privileges of the cachefsd process, typically root.

The CERT/CC is currently unaware of patches for this problem.

According to the Sun Alert Notification a workaround is as follows:

Comment out cachefsd in /etc/inetd.conf as shown below:

#100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd

Once the line is commented out either:

- reboot, or
- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,
on Solaris 2.5.1 and 2.6 do the following:
$ kill -HUP <PID of inetd>
$ kill <PIDs of any cachefsd processes>

Solaris 7 and 8 do the following:
$ pkill -HUP inetd
$ pkill cachefsd

The possible side effects of the workaround are:

- for systems not using cachefs:

There is no impact.

- for systems using cachefs:

Only a "disconnected" operation is known to be affected by
disabling cachefsd. This feature is rarely used outside of AutoClient.

Mounts and unmounts should still succeed though an error message
may be seen, "mount -F cachefs: cachefsd is not running".

There is no performance impact.

- for systems using AutoClient:

The impact is unknown. Again, only "disconnected" mode is likely
to be affected.