Sun lpd vulnerability

New (3.3.3)

Impact

A remote user could execute arbitrary code on a properly configured print server.

Background

By default, Solaris operating systems are installed with the in.lpd process running. The in.lpd process is a UNIX daemon that accepts print requests from local and remote users.

The Problem

Due to a buffer overflow in the transfer job routine, in.lpd can be exploited by a remote attacker to execute arbitrary code with root privileges on the server.

Solaris 2.6, 7, and 8 (SunOS 5.6, 5.7, and 5.8) are affected by this vulnerability.

Resolution

If print service is not needed, disable in.lpd. This can be done by finding the line in /etc/inetd.conf which begins with the word printer and inserting a pound sign (#) at the beginning of the line. Be sure to restart the inetd process afterwards.

If print service is required, the vulnerability can be fixed by applying the appropriate patch. Patches are scheduled to be released in July, 2001. If a patch is not yet available, it is recommended that access to TCP port 515 on the server be denied from the firewall or gateway router. The patches for this vulnerability are:

106235-09 SunOS 5.6: lp patch
106236-09 SunOS 5.6_x86: lp patch
107115-08 SunOS 5.7: LP patch
107116-08 SunOS 5.7_x86: LP patch
109320-04 SunOS 5.8: LP patch
109321-04 SunOS 5.8_x86: LP patch

Where can I read more about this?

Details on this vulnerability can be found in X-Force Alert 80. Also, check SunSolve for a Security Bulletin on this vulnerability.