rpc.statd contains a format string vulnerability when calling the syslog() function. This vulnerability allows remote users to execute code as root. The logging code in rpc.statd uses the syslog() function to pass user-supplied data as the format string. A malicious user can construct a format string that injects executable code into the process address space and overwrites a function's return address, forcing the program to execute the code.
rpc.statd requires root privileges for opening it's network socket, but fails to drop these privileges later on. Therefore, code injected by the malicious user will execute with root privileges.
Debian, Red Hat and Connectiva have all released advisories on this matter. Presumably, any Linux distribution that runs the statd process is vulnerable, unless already patched for the problem. Vulnerability Source:QualysGuard Vulnerability Severity:Urgent Vulnerability Category:RPC Vulnerability Solution:For Red Hat Linux: Upgrade to the latest version of nfs-utils (0.1.9.1 or later), as listed in RHSA-2000:043-02.
For Debian Linux: Upgrade to the latest version of nfs-utils (0.1.9.1 or later), as listed in Debian Security Advisory 20000719a.
For other distributions: Contact your vendor for upgrade or patch information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
RHSA-2000:043-03: Red Hat Linux 6.2 Vulnerability Consequence:If successfully exploited, unauthorized users can execute remote commands as root. CVE Information:CVE-2000-0666,CVE-2000-0800 CVSS Information:10,8.3