2009-3699 | IBM AIX rpc.cmsd memory corruption (BID-36615 / XFDB-53681)

CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
10.0 $0-$5k 0.00

A vulnerability classified as very critical was found in IBM AIX (Operating System). Affected by this vulnerability is some unknown processing of the file rpc.cmsd. The manipulation of the argument first with an unknown input leads to a memory corruption vulnerability. The CWE definition for the vulnerability is CWE-119. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Stack-based buffer overflow in libcsa.a (aka the calendar daemon library) in IBM AIX 5.x through 5.3.10 and 6.x through 6.1.3, and VIOS 2.1 and earlier, allows remote attackers to execute arbitrary code via a long XDR string in the first argument to procedure 21 of rpc.cmsd.

The issue has been introduced in 05/04/2001. The weakness was published 10/07/2009 by Rodrigo Rubira Branco (iDefense) with iDEFENSE Labs (Website). It is possible to read the advisory at vupen.com. This vulnerability is known as CVE-2009-3699 since 10/14/2009. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn’t need any form of authentication. Technical details and also a public exploit are known. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 08/24/2021). It is expected to see the exploit prices for this product decreasing in the near future.

A public exploit has been developed in ANSI C and been published 5 months after the advisory. It is declared as highly functional. It is possible to download the exploit at securityfocus.com. The vulnerability was handled as a non-public zero-day exploit for at least 3078 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 64350 (AIX 6.1 TL 1 : cmsd (IZ62570)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family AIX Local Security Checks.

A possible mitigation has been published immediately after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 1907. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 9753.

The vulnerability is also documented in the databases at X-Force (53681), Vulnerability Center (SBV-23643) and Tenable (64350).




VulDB Meta Base Score: 10.0
VulDB Meta Temp Score: 10.0

VulDB Base Score: 10.0
VulDB Temp Score: 10.0
VulDB Vector: 🔍
VulDB Reliability: 🔍

🔍 🔍 🔍 🔍 🔍 🔍
🔍 🔍 🔍 🔍 🔍 🔍
🔍 🔍 🔍 🔍 🔍 🔍
Vector Complexity Authentication Confidentiality Integrity Availability
unlock unlock unlock unlock unlock unlock
unlock unlock unlock unlock unlock unlock
unlock unlock unlock unlock unlock unlock

VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍

NVD Base Score: 🔍

Class: Memory corruption
CWE: CWE-119
ATT&CK: Unknown

Local: No
Remote: Yes

Availability: 🔍
Access: Public
Status: Highly functional
Programming Language: 🔍
Download: 🔍

Price Prediction: 🔍
Current Price Estimation: 🔍

0-Day unlock unlock unlock unlock
Today unlock unlock unlock unlock

Nessus ID: 64350
Nessus Name: AIX 6.1 TL 1 : cmsd (IZ62570)
Nessus File: 🔍
Nessus Family: 🔍
Nessus Port: 🔍

MetaSploit ID: rpc_cmsd_opcode21.rb
MetaSploit Name: AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
MetaSploit File: 🔍

Threat Intelligenceinfoedit

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍Recommended: no mitigation known
Status: 🔍

Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Snort ID: 1907
Snort Message: PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt
Snort Class: 🔍
TippingPoint: 🔍
SourceFire IPS: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍

05/04/2001 🔍
10/07/2009 +3078 days 🔍
10/07/2009 +0 days 🔍
10/07/2009 +0 days 🔍
10/07/2009 +0 days 🔍
10/08/2009 +1 days 🔍
10/10/2009 +2 days 🔍
10/14/2009 +3 days 🔍
10/15/2009 +1 days 🔍
01/28/2010 +105 days 🔍
01/30/2013 +1098 days 🔍
03/18/2015 +777 days 🔍
08/24/2021 +2350 days 🔍Vendor: https://www.ibm.com/

Advisory: vupen.com
Researcher: Rodrigo Rubira Branco (iDefense)
Organization: iDEFENSE Labs
Status: Not defined
Confirmation: 🔍

CVE: CVE-2009-3699 (🔍)
X-Force: 53681
Vulnerability Center: 23643 – IBM AIX x27rpc.cmsdx27 Calendar Daemon Remote Arbitrary Code Execution and DoS Vulnerability, High
SecurityFocus: 36615 – IBM AIX ‘rpc.cmsd’ Calendar Daemon Remote Stack Buffer Overflow Vulnerability
OSVDB: 58726 – IBM AIX libcsa.a Calendar Manager Service Daemon (rpc.cmsd) Remote Procedure 21 Overflow

scip Labs: https://www.scip.ch/en/?labs.20161013

Created: 03/18/2015 15:15
Updated: 08/24/2021 00:45
Changes: (3) source_cve_assigned advisory_confirm_url vulnerability_cvss2_nvd_basescore
Complete: 🔍

Download it now for free!

Source link