A potentially dangerous vulnerability has been detected in SunRPC-derived XDR libraries and the CERT Coordination Center (CERT/CC) has warned that exploitation could lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

In an advisory, CERT warned that the integer overflow xdr_array() function in Sun Microsystems' XDR library can lead to remotely exploitable buffer overflows in multiple applications.

Although the XDR library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations, the center said, urging individual vendor patches be implemented to guard against remote attacks.

The bug, which was detected by Internet Security Systems (ISS), affected applications like Sun Microsystems network services library (libnsl), BSD-derived libraries with XDR/RPC routines (libc) and the GNU C library with sunrpc (glibc).

"Specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm," CERT warned.

The XDR libraries provide platform-independent methods for sending data from one system process to another over a network connection. The group said the xdr_array() function in the XDR library contained an integer overflow that can lead to improperly sized dynamic memory allocation.

"Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array() function is used," it added.

Research from the ISS showed the bug allowed the execution of arbitrary code with root privileges (exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, the security researchers found intruders who exploited the XDR overflow in MIT KRB5 kadmind could gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.

Because the XDR libraries are used by multiple applications on most systems, CERT urged an immediate software upgrade. Users should also apply multiple patches and then recompile statically linked applications.