search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multiple Open Software Foundation Distributed Computing Environment (DCE) implementations vulnerable to DoS

Vulnerability Note VU#377804

Original Release Date: 2003-08-08 | Last Revised: 2003-08-18

Overview

A denial-of-service vulnerability exists in multiple vendor implementations of the Distributed Computing Environment. This vulnerability may allow a remote attacker to cause the service to fail. Note that this vulnerability may be triggered by attackers attempting to exploit VU#568148 and VU#326746.

Description

The Open Group describes the Distributed Computing Environment (DCE) as an "industry-standard, vendor-neutral set of distributed computing technologies." They go on to describe DCE as follows:

DCE provides a complete Distributed Computing Environment infrastructure. It provides security services to protect and control access to data, name services that make it easy to find distributed resources, and a highly scalable model for organizing widely scattered users, services, and data. DCE runs on all major computing platforms and is designed to support distributed applications in heterogeneous hardware and software environments.
A vulnerability has been discovered in DCE which may allow a remote attacker to cause the DCE service to either hang or terminate, which will effectively make it impossible for DCE clients to communicate with the DCE server.

Impact

A remote attacker may be able to cause the DCE service to either hang or terminate, which will effectively make it impossible for DCE clients to communicate with the DCE server.

Solution

Apply a patch.

Vendor Information

377804
 

Cray Inc. Affected

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Affected

Vendor Statement

Cray Inc. is vulnerable on their Unicos systems. Spr 726429 has been opened to track this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Entegrity Solutions Corp Affected

Updated:  August 07, 2003

Status

Affected

Vendor Statement

http://support.entegrity.com/private/patches/dce/rpcattacks.shtml

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company Affected

Notified:  August 05, 2003 Updated: August 18, 2003

Status

Affected

Vendor Statement

Source:
Hewlett-Packard Company
Software Security Response Team
cross reference id: SSRT3608

HP-UX         - potentially vulnerable (details below)
HP-MPE/ix     - under investigation
HP Tru64 UNIX - potentially vulnerable.  Please refer to the

Entegrity Solutions Corp. vendor statement in this
vulnerability note for details.

HP OpenVMS    - potentially vulnerable. Please contact HP Services
for information.

HP NonStop Servers - under investigation

To report potential security vulnerabilities in HP software,
send an E-mail message to:
mailto:security-alert@hp.com

HP-UX B.11.00 and B.10.20 are potentially vulnerable.

HP-UX B.11.00
-------------
Install PHSS_17810 or subsequent. As of December 10, 2002 the
latest patch containing the fix is PHSS_27962.

HP-UX B.10.20
-------------
Install PHSS_19739 or subsequent.

The problem is not present in HP-UX B.11.11 and subsequent.

More details are available in the HP security bulletin
HPSBUX0308-273.

Using your itrc account security bulletins can be found here:

<http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Affected

Notified:  August 05, 2003 Updated: August 08, 2003

Status

Affected

Vendor Statement

IBM DCE for Windows, AIX and Solaris are vulnerable to the issues discussed in CERT Vulnerability Note VU#377804.

Interim Fixes are available for the following versions of IBM DCE:

DCE 3.1 for AIX
DCE 3.2 for AIX
DCE 3.1 for Solaris
DCE 3.2 for Solaris
DCE 2.2 for Windows

These Interim Fixes can be downloaded from:
http://www-3.ibm.com/software/network/dce/support/flash/portscanner_vulnerability.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc. Not Affected

Notified:  August 05, 2003 Updated: August 07, 2003

Status

Not Affected

Vendor Statement

Distributed Computing Environment is not shipped with Mac OS X or Mac OS X Server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks Not Affected

Notified:  August 05, 2003 Updated: August 08, 2003

Status

Not Affected

Vendor Statement

F5 products are not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Foundry Networks Inc. Not Affected

Updated:  August 06, 2003

Status

Not Affected

Vendor Statement

Foundry Networks does not ship any products that rely on Microsoft's DCE technology.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks Not Affected

Notified:  August 05, 2003 Updated: August 08, 2003

Status

Not Affected

Vendor Statement

Ingrian Networks products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks Not Affected

Notified:  August 05, 2003 Updated: August 08, 2003

Status

Not Affected

Vendor Statement

Juniper products are not susceptible to the vulnerabilities in VU#377804.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software Not Affected

Notified:  August 05, 2003 Updated: August 11, 2003

Status

Not Affected

Vendor Statement

Lotus does not ship OSF DCE in any products, therefore, they are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation Not Affected

Notified:  August 05, 2003 Updated: August 07, 2003

Status

Not Affected

Vendor Statement

Microsoft has conducted a thorough investigation based on this report. Microsoft products are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD Not Affected

Notified:  August 05, 2003 Updated: August 08, 2003

Status

Not Affected

Vendor Statement

NetBSD does not ship a DCE-based RPC mechanism.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux Not Affected

Notified:  August 05, 2003 Updated: August 13, 2003

Status

Not Affected

Vendor Statement

We don't ship DCE.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Not Affected

Notified:  August 05, 2003 Updated: August 14, 2003

Status

Not Affected

Vendor Statement

Sun's RPC implementations are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc. Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Computer Associates Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

D-Link Systems Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intel Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lachman Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Multi-Tech Systems Inc. Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netscreen Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle Corporation Unknown

Updated:  August 07, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Redback Networks Inc. Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Riverstone Networks Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc. Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc. Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wirex Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xerox Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZyXEL Unknown

Notified:  August 05, 2003 Updated: August 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 56 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This document was written by Ian A Finlay.

Other Information

CVE IDs: None
Severity Metric: 22.78
Date Public: 2003-08-07
Date First Published: 2003-08-08
Date Last Updated: 2003-08-18 14:12 UTC
Document Revision: 18

Sponsored by CISA.