Title: SERCD, SREDIRD Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
SERCD is the Serial Communications Daemon. It is used to allow connections to serial ports via TCP connections. SERCD is a derivative of SREDIRD.
It is reported that SERCD contains a buffer overflow vulnerability. This issue is due to a failure of the application to properly perform bounds checks on user-supplied input before copying it to a buffer of finite size.
This vulnerability presents itself in SERCD in the 'HandleCPCCommand' function contained in the 'sercd.c' file. This function is used to process commands received from a client. The contents of a received signature are copied using strncpy() with an invalid size argument, and also copied using sprintf() without any boundary checks. These flaws allow an attacker to overwrite critical regions in memory, allowing for arbitrary remote code execution.
The same functions in the SREDIRD package, in the 'sredird.c' file, are susceptible to the exact same vulnerability.
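The two copy flaws described above, shown as a pattern next to a bounded replacement. This is an added example, not the SERCD or SREDIRD source; the function name `store_signature`, the buffer sizes and the message text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Flawed pattern of the kind the advisory describes (illustration only, kept
 * as a comment; the exact invalid size used in sercd.c is not on this page):
 *
 *   strncpy(sig, data, data_len);          // bound comes from the sender,
 *                                          // not from sizeof(sig)
 *   sprintf(msg, "Signature: %s", sig);    // no bound on msg at all
 */

/* Bounded replacement. Returns 0 on success, -1 if the input is rejected.
 * Names, sizes and the message text are constructed for this example. */
int store_signature(char *sig, size_t sig_sz, char *msg, size_t msg_sz,
                    const unsigned char *data, size_t data_len)
{
    int n;

    if (sig_sz == 0 || msg_sz == 0)
        return -1;
    msg[0] = '\0';
    if (data_len >= sig_sz)        /* need one byte for the terminator */
        return -1;                 /* reject instead of truncating silently */
    memcpy(sig, data, data_len);
    sig[data_len] = '\0';          /* strncpy would not guarantee this */

    n = snprintf(msg, msg_sz, "Signature: %s", sig);
    if (n < 0 || (size_t)n >= msg_sz) {   /* output did not fit */
        msg[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char sig[16], msg[64];
    unsigned char big[200];            /* constructed oversized input */

    memset(big, 'A', sizeof big);
    printf("short: %d\n", store_signature(sig, sizeof sig, msg, sizeof msg,
                                          (const unsigned char *)"sercd", 5));
    printf("long:  %d\n", store_signature(sig, sizeof sig, msg, sizeof msg,
                                          big, sizeof big));
    return 0;
}
```

Both checks are against the destination size, so an oversized signature is rejected before any byte is written.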
Successful exploitation of this issue will allow an attacker to execute arbitrary code on the affected computer with the privileges of the affected package. These processes are commonly run as the superuser in order to access the serial port.
Versions of SERCD prior to 2.3.1 and all known versions of SREDIRD are reported susceptible to this vulnerability.
BID 11002 was split into this BID and BID 11031.
Affected Products:
- Denis Sbragion sredird 1.0.0
- Denis Sbragion sredird 1.1.6
- Denis Sbragion sredird 1.1.7
- Denis Sbragion sredird 1.1.8
- Denis Sbragion sredird 2.0.0
- Denis Sbragion sredird 2.1.0
- Denis Sbragion sredird 2.2.0
- Denis Sbragion sredird 2.2.1
- Peter Åstrand SERCD 2.3.0.0
References:
- Denis Sbragion: sredird Homepage
- Peter Åstrand: CVS Log for sercd.c revision 1.9
- Peter Åstrand: SERCD Home Page
- SecurityTracker: sredird LogMsg() Format String Bug and HandleCPCCommand() Buffer Overflow May Le