The CERT/CC has begun receiving reports of an input validation vulnerability in the rpc.statd program being exploited. This program is included, and often installed by default, in several popular Linux distributions. Please see the vendors section of this document for specific information regarding affected distributions.
More information about this vulnerability is available at the following public URLs:
The rpc.statd program passes user-supplied data to the syslog() function as a format string. If there is no input validation of this string, a malicious user can inject machine code to be executed with the privileges of the rpc.statd process, typically root.\t\t
By exploiting this vulnerability, local or remote users may be able to execute arbitrary code with the privileges of the rpc.statd process, typically root.
BSDI Not Affected
Caldera Not Affected
Compaq Computer Corporation Not Affected
FreeBSD Not Affected
HP Not Affected
NetBSD Not Affected
OpenBSD Not Affected
SCO Not Affected
SGI Not Affected
Sun Not Affected
This document was written by John Shaffer and Brian King.