VYPR
Unrated severity · NVD Advisory · Published Jun 7, 1999 · Updated Apr 16, 2026

CVE-1999-0493

Description

rpc.statd in Sun Solaris forwards RPC calls via SM_MON/SM_NOTIFY, enabling remote exploitation of services like automountd.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

rpc.statd improperly forwards RPC calls from remote attackers to the local operating system when processing SM_MON and SM_NOTIFY commands [1]. This allows an attacker to trigger vulnerabilities in other RPC services, such as automountd. Affected versions include Sun Solaris 2.5, 2.5.1, 2.6, and 2.7 on both SPARC and x86 architectures [1].

Exploitation

An attacker with network access to the target system's rpc.statd service sends crafted SM_MON or SM_NOTIFY packets. The service then forwards these requests to local RPC services, potentially triggering bugs in automountd [1]. No authentication is required; the attacker need only be able to reach the rpc.statd port (typically 111 over TCP/UDP) [2].

Impact

Successful exploitation can lead to remote execution of arbitrary commands on the target system. By chaining with the automountd vulnerability, an attacker can gain root privileges [1][2]. The impact is complete compromise of confidentiality, integrity, and availability.

Mitigation

Sun released patches for the affected Solaris versions; users should apply the appropriate patches as referenced in CERT advisory CA-99-05 [2]. Until patching is possible, restrict access to rpc.statd using firewall rules to block incoming connections to port 111 from untrusted networks [2].
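
One way to check what a firewall rule for this has to cover, as an added example that is not part of the advisory or of any Sun tooling: ONC RPC services register with rpcbind on port 111 and listen on their own assigned ports, so the code below parses `rpcinfo -p` output and lists every TCP/UDP port registered by rpcbind and by the `status` program (100024) that rpc.statd serves. The sample output is constructed, and the function names are hypothetical.

```python
# Added example. SAMPLE_RPCINFO is constructed, not captured from a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100021    4   udp   4045  nlockmgr
"""

RPCBIND_PROG = 100000  # portmapper / rpcbind
STATD_PROG = 100024    # "status" program served by rpc.statd


def parse_rpcinfo(text):
    """Return (program, version, proto, port) tuples from `rpcinfo -p` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header line and anything that is not a registration row.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        try:
            rows.append((int(fields[0]), int(fields[1]),
                         fields[2].lower(), int(fields[3])))
        except ValueError:
            continue  # malformed row, ignore it
    return rows


def statd_registered(text):
    """True if any transport has the status program registered."""
    return any(prog == STATD_PROG for prog, *_ in parse_rpcinfo(text))


def ports_to_filter(text, programs=(RPCBIND_PROG, STATD_PROG)):
    """Sorted, de-duplicated (proto, port) pairs registered by `programs`."""
    return sorted({(proto, port)
                   for prog, _vers, proto, port in parse_rpcinfo(text)
                   if prog in programs})


if __name__ == "__main__":
    if statd_registered(SAMPLE_RPCINFO):
        for proto, port in ports_to_filter(SAMPLE_RPCINFO):
            print(f"block inbound {proto}/{port} from untrusted networks")
```

The ports a service registers can change when it restarts, so a default-deny inbound policy is more durable than a rule pinned to the numbers seen in one run.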

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
  • cpe:2.3:o:sun:solaris:2.4:*:x86:*:*:*:*:*
  • cpe:2.3:o:sun:solaris:2.5.1:*:x86:*:*:*:*:*
  • cpe:2.3:o:sun:solaris:2.5:*:x86:*:*:*:*:*
  • cpe:2.3:o:sun:solaris:2.6:*:*:*:*:*:*:*
  • cpe:2.3:o:sun:sunos:-:*:*:*:*:*:*:*
  • cpe:2.3:o:sun:sunos:5.3:*:*:*:*:*:*:*
  • cpe:2.3:o:sun:sunos:5.4:*:*:*:*:*:*:*
  • cpe:2.3:o:sun:sunos:5.5.1:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The rpc.statd service allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands without proper validation."

Attack vector

An attacker can send specially crafted SM_MON and SM_NOTIFY commands to the rpc.statd service. These commands instruct rpc.statd to relay arbitrary RPC calls to other services on the target system. This relaying bypasses the access controls of the target services, allowing the attacker to exploit other vulnerabilities, such as those in automountd, that they might not normally have access to [1]. The vulnerability is present in major versions of Sun's Solaris [1].

Affected code

The vulnerability resides within the rpc.statd service, which is part of the status monitoring service for NFS file locking. Specifically, the SM_MON and SM_NOTIFY commands are implicated in allowing the relay of RPC calls. The provided exploit code demonstrates how these commands can be used to forward malicious RPC commands [1].

What the fix does

The advisory indicates that the bug was fixed on August 16, 1998. The provided reference write-up does not contain specific details about the patch or the code changes made to address the vulnerability. Therefore, the exact nature of the fix and why it resolves the issue cannot be determined from the available information.

Preconditions

  • network: The attacker must have network access to the rpc.statd service.
  • config: The rpc.statd service must be running on the target system.

Reproduction

The provided reference write-up includes C source code that can be compiled and used to exploit this vulnerability. The code demonstrates how to construct and send the malicious SM_MON and SM_NOTIFY commands to trigger the RPC call relaying [1].

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
