Vulnerability Name:

CVE-2009-3699 (CCN-53681)

Assigned:2009-10-07
Published:2009-10-07
Updated:2017-08-17
Summary:Stack-based buffer overflow in libcsa.a (aka the calendar daemon library) in IBM AIX 5.x through 5.3.10 and 6.x through 6.1.3, and VIOS 2.1 and earlier, allows remote attackers to execute arbitrary code via a long XDR string in the first argument to procedure 21 of rpc.cmsd.
CVSS v3 Severity:10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
8.3 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
8.3 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-119
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: IBM SECURITY ADVISORY
AIX rpc.cmsd remote buffer overflow vulnerability

Source: CONFIRM
Type: Vendor Advisory
http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc

Source: MITRE
Type: CNA
CVE-2009-3699

Source: IDEFENSE
Type: Patch
20091007 IBM AIX rpc.cmsd Stack Buffer Overflow Vulnerability

Source: CCN
Type: SA36978
IBM AIX rpc.cmsd Buffer Overflow Vulnerability

Source: SECUNIA
Type: Vendor Advisory
36978

Source: CCN
Type: SECTRACK ID: 1022996
IBM AIX Buffer Overflow in 'rpc.cmsd' Lets Remote Users Obtain Root Privileges

Source: SECTRACK
Type: UNKNOWN
1022996

Source: AIXAPAR
Type: UNKNOWN
IZ61628

Source: AIXAPAR
Type: UNKNOWN
IZ61717

Source: AIXAPAR
Type: UNKNOWN
IZ62123

Source: AIXAPAR
Type: UNKNOWN
IZ62237

Source: AIXAPAR
Type: UNKNOWN
IZ62569

Source: AIXAPAR
Type: UNKNOWN
IZ62570

Source: AIXAPAR
Type: UNKNOWN
IZ62571

Source: AIXAPAR
Type: Vendor Advisory
IZ62572

Source: AIXAPAR
Type: UNKNOWN
IZ62672

Source: OSVDB
Type: UNKNOWN
58726

Source: CCN
Type: OSVDB ID: 58726
IBM AIX libcsa.a Calendar Manager Service Daemon (rpc.cmsd) Remote Procedure 21 Overflow

Source: BID
Type: Exploit, Patch
36615

Source: CCN
Type: BID-36615
IBM AIX 'rpc.cmsd' Calendar Daemon Remote Stack Buffer Overflow Vulnerability

Source: VUPEN
Type: Patch, Vendor Advisory
ADV-2009-2846

Source: XF
Type: UNKNOWN
ibm-aix-rpccmsd-bo(53681)

Source: XF
Type: UNKNOWN
ibm-aix-rpccmsd-bo(53681)

Source: CCN
Type: iDefense PUBLIC ADVISORY: 10.07.09
IBM AIX rpc.cmsd Stack Buffer Overflow Vulnerability

Source: MISC
Type: UNKNOWN
https://www.immunityinc.com/downloads/immpartners/aixcmsd10092009.tar.gz

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:vios:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:vios:1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:vios:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:vios:1.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:vios:*:*:*:*:*:*:*:* (Version <= 2.1.0)
  • OR cpe:/o:ibm:aix:5:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.1.0.10:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.1l:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.2.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.2.0.50:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.2.0.54:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.2_l:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3:sp6:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3.0.20:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3.7:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3.8:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3.9:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3.10:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3_l:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3_ml03:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5l:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:6.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:6.1.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:6.1.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:6.1.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:6.1.3:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:ibm:aix:6.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:5.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm vios 1.4
    ibm vios 1.5.0
    ibm vios 1.5.1
    ibm vios 1.5.2
    ibm vios *
    ibm aix 5
    ibm aix 5.1
    ibm aix 5.1.0.10
    ibm aix 5.1l
    ibm aix 5.2
    ibm aix 5.2.0
    ibm aix 5.2.0.50
    ibm aix 5.2.0.54
    ibm aix 5.2.2
    ibm aix 5.2_l
    ibm aix 5.3
    ibm aix 5.3 sp6
    ibm aix 5.3.0
    ibm aix 5.3.0.20
    ibm aix 5.3.7
    ibm aix 5.3.8
    ibm aix 5.3.9
    ibm aix 5.3.10
    ibm aix 5.3_l
    ibm aix 5.3_ml03
    ibm aix 5l
    ibm aix 6.1
    ibm aix 6.1.0
    ibm aix 6.1.1
    ibm aix 6.1.2
    ibm aix 6.1.3
    ibm aix 6.1
    ibm aix 5.3