CVE-1999-0019 is a medium-severity vulnerability affecting the rpc.statd service on Data General's DG/UX operating system across multiple versions (including 2, 3, 4.x, 5.x, and 6.1). The vulnerability arises from rpc.statd improperly handling invalid information, which allows an unauthenticated remote attacker to delete or create arbitrary files on the affected system. The rpc.statd service is part of the Network File System (NFS) locking mechanism, which manages file locks over the network. Due to insufficient validation of input data, an attacker can exploit this flaw to manipulate the file system by creating or deleting files without authentication or user interaction. The CVSS v2 score of 5.0 reflects a network attack vector with low complexity, no authentication required, no confidentiality impact, but partial integrity impact and no availability impact. No patches are available for this vulnerability, and there are no known exploits in the wild. Given the age of the vulnerability (published in 1996) and the specific affected product (DG/UX), this issue is primarily relevant to legacy systems still running this OS and using rpc.statd for NFS locking.

For European organizations, the impact of this vulnerability is largely dependent on whether legacy DG/UX systems are still in operation within their infrastructure. If such systems are in use, an attacker could remotely manipulate files on these systems without authentication, potentially leading to unauthorized modification or deletion of critical files. This could disrupt business operations, compromise data integrity, and potentially serve as a foothold for further attacks. However, given the obsolescence of DG/UX and the lack of known exploits, the practical risk is low for most organizations. Nonetheless, organizations in sectors with legacy industrial control systems, research institutions, or government agencies that might still operate DG/UX systems should be aware of this risk. The vulnerability does not impact confidentiality or availability directly but poses a moderate risk to data integrity.

Since no official patches are available, organizations should consider the following mitigations: 1) Isolate any DG/UX systems running rpc.statd from untrusted networks, especially the internet, using network segmentation and firewalls to restrict access to the rpc.statd service. 2) Disable the rpc.statd service if NFS locking is not required or if alternative mechanisms are available. 3) Monitor network traffic for unusual rpc.statd activity that could indicate exploitation attempts. 4) Implement strict access controls and logging on affected systems to detect unauthorized file modifications. 5) Where possible, plan for migration away from DG/UX to modern, supported operating systems that receive security updates. 6) Conduct regular security audits of legacy systems to identify and mitigate risks associated with outdated software components.