Old and new for IRIX
I have collected in this notice a few alerts for IRIX platforms.
In order:
1) buffer overflow in Mail(1)/mailx(1) (root compromise)
2) at(1) allows reading any file on the system
3) buffer overflow in xterm(1) (root compromise)
4) buffer overflow in the Xaw libraries (root compromise)
5) routed(1M)
6) RPC Tooltalk (root compromise)
7) overwriting of any file through osview
8) autofsd vulnerability (root compromise)
9) fcagent vulnerability
-----------------------------------------------
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: IRIX Mail(1)/mailx(1) Security Issues
Number: 19980605-01-PX
Date: September 29, 1998
______________________________________________________________________________
Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use. Silicon
Graphics recommends that this information be acted upon as soon as possible.
Silicon Graphics provides the information in this Security Advisory on
an "AS-IS" basis only, and disclaims all warranties with respect thereto,
express, implied or otherwise, including, without limitation, any warranty
of merchantability or fitness for a particular purpose. In no event shall
Silicon Graphics be liable for any loss of profits, loss of business, loss
of data or for any indirect, special, exemplary, incidental or consequential
damages of any kind arising from your use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________
- -------------------------
- ----- Issue Specifics ---
- -------------------------
The Mail(1), also known as mail_bsd, and mailx(1) programs are used to send
and receive mail.
A buffer overrun was discovered in the mailx(1) program that will allow an
intruder to manipulate any file that is owned by the mail group.
A security vulnerability was discovered in the Mail(1) program which can
lead to a root compromise.
Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems. This
issue will be corrected in future releases of IRIX.
- ----------------
- ----- Impact ---
- ----------------
The Mail(1)/mailx(1) programs are installed by default on IRIX.
A user account on the vulnerable system is required in order to exploit
Mail(1)/mailx(1) locally and remotely.
The mailx(1) exploit can lead to mail group privileges.
The Mail(1) exploit can lead to root compromise of the system.
These vulnerabilities have been publicly discussed in Usenet newsgroups
and mailing lists.
- ----------------------------
- ----- Temporary Solution ---
- ----------------------------
Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.
The steps below can be used to remove the vulnerability by removing
the permissions of the Mail(1)/mailx(1) program.
1) Become the root user on the system.
        % /bin/su -
        Password:
        #
2) Remove the permissions on the vulnerable programs.
        # /bin/chmod 555 /usr/sbin/mailx
        # /bin/chmod 500 /usr/sbin/Mail
        ************
        *** NOTE ***
        ************
        Removing group and other permissions from /usr/sbin/Mail
        will prevent non-root users from accessing the Mail(1)
        program.
4) Verify the new permissions on the program.
   Note that the program size may be different depending on release.
        # ls -al /usr/sbin/mailx /usr/sbin/Mail
        -r-xr-xr-x 1 root mail 171204 May 22 16:29 /usr/sbin/mailx
        -r-x------ 1 root mail 165864 Feb 12 1996 /usr/sbin/Mail
5) Return to previous user level.
        # exit
        %
- ------------------
- ----- Solution ---
- ------------------
OS Version     Vulnerable?     Patch #      Other Actions
----------     -----------     -------      -------------
IRIX 3.x       yes             not avail    Note 1, 2 & 3
IRIX 4.x       yes             not avail    Note 1, 2 & 3
IRIX 5.0.x     yes             not avail    Note 1, 2 & 3
IRIX 5.1.x     yes             not avail    Note 1, 2 & 3
IRIX 5.2       yes             not avail    Note 1, 2 & 3
IRIX 5.3       yes             3347
IRIX 6.0.x     yes             not avail    Note 1, 2 & 3
IRIX 6.1       yes             not avail    Note 1, 2 & 3
IRIX 6.2       yes             3348
IRIX 6.3       yes             3394
IRIX 6.4       yes             3394
IRIX 6.5       yes             not avail    Note 4
IRIX 6.5.1m    yes             3393         Note 5
NOTES
1) Upgrade to currently supported IRIX operating system.
2) See "Temporary Solution" section for a workaround.
3) Unsupported by SGI, "freeware" sendmail distributions can be found at
   http://www.sendmail.org/
4) For IRIX 6.5, you must first install IRIX 6.5.1 Maintenance Release
   and then install patch 3393. If you have not received an IRIX
   6.5.1m CD for IRIX 6.5, contact your SGI Support Provider
   or download the Maintenance Release from http://support.sgi.com/
5) Patchsets have been replaced with quarterly Maintenance Releases
   Streams starting with IRIX 6.5. Information about Maintenance Release
   Streams can be found in the IRIX 6.5 Technical Brief at:
   http://www.sgi.com/software/irix6.5/
Patches are available via anonymous FTP and your service/support provider.
The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com. Security information and patches can be found
in the ~ftp/security and ~ftp/patches directories, respectively.
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: IRIX at(1) vulnerability
Title: NetBSD Security Advisory 1998-004
Number: 19981001-01-PX
Date: October 5, 1998
_____________________________________________________________________________
- ------------------------
- ---- Issue Specifics ---
- ------------------------
The at(1) program is used to execute commands at a later time.
Unfortunately, a vulnerability has been discovered in the at(1) program
that allows any file on the system to be read.
Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems. This
issue will be corrected in future releases of IRIX.
- ---------------
- ---- Impact ---
- ---------------
The at(1) program is installed by default on all IRIX systems.
Only IRIX 6.2, 6.4, 6.5 and 6.5.1 are vulnerable.
A local account is required in order to exploit the at(1) vulnerability
locally and remotely.
The vulnerability allows a local user to read any file on the system.
This vulnerability was reported by NetBSD Security Advisory 1998-004.
This vulnerability has been publicly discussed in Usenet newsgroups
and mailing lists.
- ---------------------------
- ---- Temporary Solution ---
- ---------------------------
Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.
The steps below can be used to minimize the vulnerability by restricting
access to the vulnerable program.
1) Become the root user on the system.
        % /bin/su -
        Password:
        #
2) Change the permissions on the vulnerable program.
        # /bin/chmod 500 /usr/bin/at
        ************
        *** NOTE ***
        ************
        Removing group and other permissions from the vulnerable program
        will prevent non-root users from accessing the at(1) program.
3) Verify the new permissions on the program.
   Note that the program size may be different depending on release.
        # ls -al /usr/bin/at
        -r-x------ 1 root sys 37896 Feb 20 16:53 at
4) Return to the previous user level.
        # exit
        %
- -----------------
- ---- Solution ---
- -----------------
OS Version     Vulnerable?     Patch #      Other Actions
----------     -----------     -------      -------------
IRIX 3.x       no
IRIX 4.x       no
IRIX 5.0.x     no
IRIX 5.1.x     no
IRIX 5.2       no
IRIX 5.3       no
IRIX 6.0.x     no
IRIX 6.1       no
IRIX 6.2       yes             3182
IRIX 6.3       no
IRIX 6.4       yes             3184
IRIX 6.5       yes             3286
IRIX 6.5.1     yes             3286         Note 1
NOTES
1) If you have not received an IRIX 6.5.1m CD for IRIX 6.5, contact your
   SGI Support Provider or download the IRIX 6.5.1 Maintenance Release
   Stream from http://support.sgi.com/
Patches are available via anonymous FTP and your service/support provider.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches can be
found in the ~ftp/security and ~ftp/patches directories, respectively.
For security and patch management reasons, ftp.sgi.com (mirror of sgigate)
lags behind and does not do a real-time update of ~ftp/security and
~ftp/patches.
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: xterm(1) exploitable buffer overflow
Title: CERT VB-98.04
Number: 19981002-01-PX
Date: October 15, 1998
______________________________________________________________________________
- -----------------------
- --- Issue Specifics ---
- -----------------------
The Open Group (http://www.opengroup.org/) has reported via CERT that
an exploitable buffer overflow has been discovered in xterm(1) which can
lead to a root compromise.
Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems.
This issue will be corrected in future releases of IRIX.
- --------------
- --- Impact ---
- --------------
The xterm(1) program is installed by default on IRIX.
A local user account on the vulnerable system is required in order to
exploit the xterm(1) program.
The exploitable buffer overflow vulnerability can lead to a root compromise.
This xterm buffer overflow vulnerability was reported by CERT VB-98.04:
http://www.cert.org/ftp/cert_bulletins/VB-98.04.xterm.Xaw
This xterm vulnerability has been publicly discussed in Usenet newsgroups
and mailing lists.
- --------------------------
- --- Temporary Solution ---
- --------------------------
Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.
The steps below can be used to remove the vulnerability by removing
the setuid permissions of the xterm(1) program.
1) Become the root user on the system.
        % /bin/su -
        Password:
        #
2) Remove the setuid-root bit from the xterm binary.
        # chmod 0755 /usr/bin/X11/xterm
3) Verify the new permissions on the program.
   Note that the program size may be different depending on release.
        # ls -al /usr/bin/X11/xterm
        -rwxr-xr-x 1 root sys 204728 May 22 16:36 /usr/bin/X11/xterm
4) Return to previous level.
        # exit
        %
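Added example (not part of the SGI advisories): a POSIX shell check that the temporary-workaround modes given in the Mail(1)/mailx(1), at(1) and xterm(1) advisories above are actually in place. The paths and permission strings are the ones shown in the advisories' own ls verification steps; the function names and the optional root-prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SGI code. Audits the temporary workarounds from the
# Mail(1)/mailx(1), at(1) and xterm(1) advisories. The Xaw advisory names
# no fixed path, so it is not covered here.

# Path and the permission string each advisory shows after its chmod step.
WORKAROUNDS='/usr/sbin/mailx r-xr-xr-x
/usr/sbin/Mail r-x------
/usr/bin/at r-x------
/usr/bin/X11/xterm rwxr-xr-x'

# perm_string FILE: print the nine permission characters reported by ls
# (characters 2-10 of the mode field, e.g. r-xr-xr-x).
perm_string() {
    ls -ldL "$1" 2>/dev/null | cut -c2-10
}

# check_workaround FILE EXPECTED
# Prints exactly one status word:
#   APPLIED  mode matches the advisory's post-workaround listing
#   SETID    a setuid or setgid bit is still set (workaround not applied)
#   DIFFERS  no set-id bit, but the mode is not the one the advisory shows
#   MISSING  the program is not installed at that path
check_workaround() {
    if [ ! -f "$1" ]; then
        echo MISSING
        return
    fi
    actual=$(perm_string "$1")
    case $actual in
        "$2")               echo APPLIED ;;
        ??[sS]*|?????[sS]*) echo SETID ;;
        *)                  echo DIFFERS ;;
    esac
}

# audit_workarounds [ROOT]
# ROOT is an optional path prefix (an assumption of this example, useful for
# a mounted disk image or a test tree). Prints "STATUS PATH" for each program
# and returns the number of installed programs not in the workaround state.
audit_workarounds() {
    root=${1:-}
    pending=0
    while read -r path expected; do
        status=$(check_workaround "$root$path" "$expected")
        echo "$status $path"
        case $status in
            SETID|DIFFERS) pending=$((pending + 1)) ;;
        esac
    done <<EOF
$WORKAROUNDS
EOF
    return "$pending"
}

# Audit the live system only when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then
    audit_workarounds
    exit
fi
```

A SETID result on a patched system is expected, since the patches replace the binaries rather than strip their privileges; the check is meaningful only on hosts that rely on the workaround.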
- ----------------
- --- Solution ---
- ----------------
OS Version     Vulnerable?     Patch #      Other Actions
----------     -----------     -------      -------------
IRIX 3.x       yes                          Note 1 & 2
IRIX 4.x       yes                          Note 1 & 2
IRIX 5.0.x     yes                          Note 1 & 2
IRIX 5.1.x     yes                          Note 1 & 2
IRIX 5.2       yes                          Note 1 & 2
IRIX 5.3       yes             3142
IRIX 6.0.x     yes                          Note 1 & 2
IRIX 6.1       yes                          Note 1 & 2
IRIX 6.2       yes             3143
IRIX 6.3       yes             3144
IRIX 6.4       yes             3351
IRIX 6.5       yes             6.5.1        Note 3
IRIX 6.5.1     no
NOTES
1) Upgrade to currently supported IRIX operating system.
2) See "Temporary Solution" section.
3) If you have not received an IRIX 6.5.1m CD for IRIX 6.5, contact your
   SGI Support Provider or download the IRIX 6.5.1 Maintenance Release
   Stream from http://support.sgi.com/
Patches are available via anonymous FTP and your service/support provider.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches can be
found in the ~ftp/security and ~ftp/patches directories, respectively.
For security and patch management reasons, ftp.sgi.com (mirror of sgigate)
lags behind and does not do a real-time update of ~ftp/security and
~ftp/patches
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: Xaw library exploitable buffer overflow
Title: CERT VB-98.04
Number: 19981003-01-PX
Date: October 15, 1998
______________________________________________________________________________
- -----------------------
- --- Issue Specifics ---
- -----------------------
The Open Group (http://www.opengroup.org/) has reported via CERT that
an exploitable buffer overflow has been discovered in the Xaw library which
can lead to a root compromise.
Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems.
This issue will be corrected in future releases of IRIX.
- --------------
- --- Impact ---
- --------------
The Xaw library is installed by default on IRIX.
The Xaw Text widget must be used in a setuid root program in order to be
vulnerable.
A local user account on the vulnerable system is required in order to
exploit the Xaw library.
The exploitable buffer overflow vulnerability can lead to a root compromise.
This Xaw library buffer overflow vulnerability was reported by CERT VB-98.04:
http://www.cert.org/ftp/cert_bulletins/VB-98.04.xterm.Xaw
This Xaw vulnerability has been publicly discussed in Usenet newsgroups
and mailing lists.
- --------------------------
- --- Temporary Solution ---
- --------------------------
Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.
Only setuid root programs that use the Xaw Text widget are vulnerable
to this exploit. There is no easy detection method for determining
if a program uses the Xaw Text widget.
If you are aware of a setuid root program that uses Xaw Text widget,
the steps below can be used to remove the vulnerability by removing
the setuid permissions of that program.
1) Become the root user on the system.
        % /bin/su -
        Password:
        #
2) Remove the setuid-root bit from the binary.
        # chmod 0755
3) Return to previous level.
        # exit
        %
- ----------------
- --- Solution ---
- ----------------
OS Version     Vulnerable?     Patch #      Other Actions
----------     -----------     -------      -------------
IRIX 3.x       no
IRIX 4.x       no
IRIX 5.0.x     yes                          Note 1 & 2
IRIX 5.1.x     yes                          Note 1 & 2
IRIX 5.2       yes                          Note 1 & 2
IRIX 5.3       yes             3162
IRIX 6.0.x     yes                          Note 1 & 2
IRIX 6.1       yes                          Note 1 & 2
IRIX 6.2       yes             3163
IRIX 6.3       yes             3164
IRIX 6.4       yes             3165
IRIX 6.5       yes             6.5.1        Note 3
IRIX 6.5.1     no
NOTES
1) Upgrade to currently supported IRIX operating system.
2) See "Temporary Solution" section.
3) If you have not received an IRIX 6.5.1m CD for IRIX 6.5, contact your
   SGI Support Provider or download the IRIX 6.5.1 Maintenance Release
   Stream from http://support.sgi.com/
Patches are available via anonymous FTP and your service/support provider.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches can be
found in the ~ftp/security and ~ftp/patches directories, respectively.
For security and patch management reasons, ftp.sgi.com (mirror of sgigate)
lags behind and does not do a real-time update of ~ftp/security and
~ftp/patches
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: IRIX routed(1M) Vulnerability
Number: 19981004-01-PX
Date: October 21, 1998
______________________________________________________________________________
------------------------
---- Issue Specifics ---
------------------------
The routed(1M) daemon is used to manage network routing tables.
A vulnerability has been discovered in routed(1M) which allows a malicious
user to append debug and tracing information to arbitrary files on the
system.
Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems. This
issue has been corrected in future releases of IRIX.
---------------
---- Impact ---
---------------
The routed(1M) daemon is installed by default on IRIX.
A local account is not needed in order to exploit this vulnerability.
The vulnerability can be exploited remotely by using carefully crafted
network packets.
The vulnerability allows a malicious user to append routed(1M) debug
tracing information to arbitrary files on the system.
This vulnerability has been publicly discussed in Usenet newsgroups
and mailing lists.
---------------------------
---- Temporary Solution ---
---------------------------
Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.
There are no workarounds for this routed(1M) vulnerability. The routed(1M)
daemon must be disabled or patches installed.
The steps below can be used to disable the routed(1M) daemon to prevent
exploitation of this vulnerability until patches can be installed.
=================
**** WARNING ****
=================
Disabling routed(1M) daemon will prevent dynamic updates of the
network routing tables. Static routes must be configured, see the
route(1M) man page for more information.
1) Become the root user on the system.
      % /bin/su -
      Password:
      #
2) Verify routed(1M) daemon is enabled.
      # chkconfig
              Flag                 State
              ====                 =====
              routed               on
3) Disable routed(1M) daemon.
      # chkconfig routed off
4) Verify routed(1M) daemon has been disabled.
      # chkconfig
              Flag                 State
              ====                 =====
              routed               off
5) Stop and restart all system networking daemons.
      # /etc/init.d/network stop;/etc/init.d/network start
6) Return to previous user level.
      # exit
      %
-----------------
---- Solution ---
-----------------
   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     ---------    -------------
   IRIX 3.x        yes            not avail    Note 1
   IRIX 4.x        yes            not avail    Note 1
   IRIX 5.0.x      yes            not avail    Note 1
   IRIX 5.1.x      yes            not avail    Note 1
   IRIX 5.2        yes            not avail    Note 1
   IRIX 5.3        yes            2770
   IRIX 6.0.x      yes            not avail    Note 1
   IRIX 6.1        yes            not avail    Note 1
   IRIX 6.2        yes            1638         Note 2
   IRIX 6.3        yes            2413         Note 2
   IRIX 6.4        yes            2413         Note 2
   IRIX 6.5        no
   IRIX 6.5.1      no
NOTES
  1) Upgrade to currently supported IRIX operating system.
  2) These are the base patches where the security issue was first
     fixed. There may be newer rollup patches that contain the security
     fix and are currently available from http://support.sgi.com/ or
     your SGI support provider.
Patches are available via anonymous FTP and your service/support provider.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches can be
found in the ~ftp/security and ~ftp/patches directories, respectively.
For security and patch management reasons, ftp.sgi.com (mirror of sgigate)
lags behind and does not do a real-time update of ~ftp/security and
~ftp/patches directories.
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: Vulnerability in ToolTalk RPC Service
Title: NAI-29, CERT CA-98.11
Number: 19981101-01-A
Date: November 19, 1998
______________________________________________________________________________
-----------------------
--- Issue Statement ---
-----------------------
Silicon Graphics Inc. acknowledges the publicly reported security
advisories NAI-29 and CERT CA-98.11* which discuss a vulnerability in
the ToolTalk rpc.ttdbserverd daemon.
* http://www.cert.org/advisories/CA-98.11.tooltalk.html
For the protection of all our customers, SGI does not disclose, discuss
or confirm vulnerabilities until a full investigation has occurred and
any necessary patch(es) or release streams are available for all
vulnerable and currently supported Unicos and IRIX operating systems.
Until Silicon Graphics has more definitive information to provide,
customers are encouraged to assume all security vulnerabilities as
exploitable and take appropriate steps according to local site security
policies and requirements.
Steps to disable the rpc.ttdbserverd daemon are found in the Temporary
Solution section below. However, other third-party programs utilizing this
service may be impacted in varying degrees if the rpc.ttdbserverd daemon
is disabled.
Silicon Graphics Inc. has been and will continue to investigate this issue
but no further information is available for public release at this time.
As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list.
----------------------------
----- Temporary Solution ---
----------------------------
The steps below can be used to disable the ttdbserverd(8) daemon.
=================
**** WARNING ****
=================
Disabling ttdbserverd(8) daemon will impact and/or disable
applications that use the RPC-based ToolTalk database server.
One such third-party application is the TriTeal CDE product.
1) Become the root user on the system.
      % /bin/su -
      Password:
      #
2) Verify ttdbserverd(8) daemon is enabled.
      # rpcinfo -p | grep 100083
          100083    1   tcp   1028  ttdbserverd
3) Edit the file /etc/inetd.conf (for IRIX 5.3 and lower,
   edit /usr/etc/inetd.conf). Place a "#" as the first
   character of the line to comment out and deactivate
   the ttdbserverd daemon.
      # vi /etc/inetd.conf
      {Find the following line}
      ttdbserverd/1 stream rpc/tcp wait root ?/usr/etc/rpc.ttdbserverd rpc.ttdbserverd
      {Place a "#" as the first character of the ttdbserverd line}
      #ttdbserverd/1 stream rpc/tcp wait root ?/usr/etc/rpc.ttdbserverd rpc.ttdbserverd
4) Force inetd to re-read the configuration file.
      # /etc/killall -HUP inetd
5) Kill any existing ttdbserverd(8) process.
      # /etc/killall ttdbserverd
6) Return to previous level.
      # exit
      %
------------------------------------------------------------------------------------
Hello,
The SGI osview GUI tools are victim to another familiar Un*x security bug.
Problem:
^^^^^^^^
When invoked by a privileged user, the osview tools (available under the
/usr/Cadmin/bin/chost GUI or System -> System Manager from the toolchest
app.) will create predictable files in /var/tmp, with mode 0777.
These tools create files in /var/tmp using the syntax
"IP-address.osview.system".
for instance,
-rwxrwxrwx 1 root sys  12 Nov 20 13:13 192.24.42.12.os.cpu
-rwxrwxrwx 1 root sys  34 Nov 20 13:13 192.24.42.12.osview.disk
-rwxrwxrwx 1 root sys 107 Nov 20 13:13 192.24.42.12.osview.gen
-rwxrwxrwx 1 root sys  31 Nov 20 13:13 192.24.42.12.osview.net
Scope:
^^^^^^
A clever user can dupe a sysadmin into overwriting any supposedly
protected file on the system, such as, say, /etc/passwd, or /unix...
along with it, the associated mayhem.
symlink an important file to one of those, wait for a privileged user to
run the appropriate program, and...
aruba 60# more /etc/passwd
disk(/)
disk(/disk2)
disk(/disk6)
aruba 61#
Solution:
^^^^^^^^^
These files are created to instruct gr_osview what quantities to monitor
on a running system. Apart from waiting for SGI to change the way
gr_osview opens/creates files (O_CREAT|O_EXCL|O_RDONLY) on the open, and
a less generous creation mask (0444 would do just as well), the only
solution is to disable gr_osview entirely. I'm not sure if any other SGI
admins use it, but I find it handy once in a while. This bug was tested on
an Indy running 6.2; I haven't tried it on our other systems (Challenges,
O2, Origins) running different versions of IRIX, but I'd be willing to bet
they're also vulnerable.
Klaus
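The failure and the fix described in the post above, as an added C example that is neither Klaus's nor SGI's code: write_state_unsafe mirrors the reported creation pattern, write_state_safe uses an exclusive create with mode 0444. The function names, the scratch directory and the 192.0.2.1.osview.disk file name are constructed for the demonstration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkdtemp(), symlink() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PROTECTED_CONTENT "root:x:0:0\n"   /* constructed stand-in content */

/* Write the whole string, close the descriptor, return 0 or -EIO. */
static int write_all(int fd, const char *data)
{
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -EIO;
}

/* Pattern from the post: predictable name, no O_EXCL, mode 0777.
 * open() follows a symlink already sitting at `path` and truncates
 * whatever file it points to. */
int write_state_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0777);
    return fd < 0 ? -errno : write_all(fd, data);
}

/* Exclusive create: with O_CREAT|O_EXCL, open() fails with EEXIST if
 * anything, a symlink included, already exists at `path`. */
int write_state_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0444);
    return fd < 0 ? -errno : write_all(fd, data);
}

/* Constructed scenario in a private scratch directory: a "protected"
 * file and, if plant_link is set, a symlink to it at the predictable
 * state-file name. Returns the writer's result (1 if setup failed);
 * `after` receives the protected file's content after the writer ran. */
int run_scenario(int (*writer)(const char *, const char *), int plant_link,
                 char *after, size_t afterlen)
{
    char dir[] = "/tmp/osview-demo-XXXXXX";
    char target[64], state[64];
    int rc = 1, fd;
    ssize_t n = -1;

    after[0] = '\0';
    if (mkdtemp(dir) == NULL)
        return rc;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(state, sizeof state, "%s/192.0.2.1.osview.disk", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write_all(fd, PROTECTED_CONTENT) == 0 &&
        (!plant_link || symlink(target, state) == 0)) {
        rc = writer(state, "disk(/)\n");
        fd = open(target, O_RDONLY);
        if (fd >= 0) {
            n = read(fd, after, afterlen - 1);
            close(fd);
        }
        after[n > 0 ? n : 0] = '\0';
    }
    unlink(state);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    char after[64];
    int rc;

    rc = run_scenario(write_state_unsafe, 1, after, sizeof after);
    printf("unsafe, link planted: rc=%d, protected file now: %s", rc, after);
    rc = run_scenario(write_state_safe, 1, after, sizeof after);
    printf("safe,   link planted: rc=%d (%s), protected file now: %s",
           rc, strerror(-rc), after);
    rc = run_scenario(write_state_safe, 0, after, sizeof after);
    printf("safe,   no link:      rc=%d, protected file now: %s", rc, after);
    return 0;
}
```

The exclusive create only refuses a name that already exists; the caller has to treat EEXIST as a failure and not fall back to a plain open of the same path.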
--------------------------------------------------------------------------
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: Vulnerability in IRIX autofsd
Title: RSI.0010.10-02-98.IRIX.AUTOFSD
Number: 19981005-01-PX
Date: November 23, 1998
______________________________________________________________________________
-----------------------
--- Issue Specifics ---
-----------------------
The autofsd(1M) daemon is used to automatically mount remote file systems.
The Repent Security, Inc (RSI) group has publicly reported a vulnerability
in the IRIX autofsd daemon which can lead to a root compromise.
Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems.
This issue has been corrected in future releases of IRIX.
--------------
--- Impact ---
--------------
The autofsd(1M) daemon is installed by default on IRIX.
A local user account on the vulnerable system is not required in order to
exploit the autofsd(1M) daemon.
The vulnerability can be exploited remotely by using carefully crafted
network packets that are sent to the autofsd(1M) daemon.
The vulnerability can lead to a root compromise.
This vulnerability was reported by RSI.0010.10-02-98.IRIX.AUTOFSD:
http://www.repsec.com/advisory/0010.html
This vulnerability has been publicly discussed in Usenet newsgroups
and mailing lists.
--------------------------
--- Temporary Solution ---
--------------------------
Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.
The steps below can be used to disable the autofs(1M) daemon thereby
removing the vulnerability until patches can be installed.
=================
**** WARNING ****
=================
Disabling autofs(1M) daemon will prevent users from automatically
mounting remote file systems. The automount(1M) daemon can be used
as a temporary workaround. See the ONC3/NFS Administrator's Guide
which is available online from the insight program or via the web:
http://techpubs.sgi.com/library/
1) Become the root user on the system.
      % /bin/su -
      Password:
      #
2) Verify autofs(1M) daemon is enabled.
      # chkconfig
              Flag                 State
              ====                 =====
              autofs               on
3) Disable autofs(1M) daemon.
      # chkconfig autofs off
4) Verify autofs(1M) daemon has been disabled.
      # chkconfig
              Flag                 State
              ====                 =====
              autofs               off
5) Reboot the system
      # reboot
----------------
--- Solution ---
----------------
   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x        no                          Note 1
   IRIX 4.x        no                          Note 1
   IRIX 5.0.x      no                          Note 1
   IRIX 5.1.x      no                          Note 1
   IRIX 5.2        no                          Note 1
   IRIX 5.3        no                          Note 2
   IRIX 6.0.x      no                          Note 1
   IRIX 6.1        no                          Note 1
   IRIX 6.2        yes            3392         Note 2 & 3
   IRIX 6.3        yes            3391         Note 2 & 3
   IRIX 6.4        yes            3250         Note 2 & 3
   IRIX 6.5        yes            6.5.2        Note 3 & 4
   IRIX 6.5.1      yes            6.5.2        Note 3 & 4
   IRIX 6.5.2      no                          Note 5
NOTES
  1) Upgrade to currently supported IRIX operating system. See
     http://support.sgi.com/news/irix2.html for more information.
  2) This version of the IRIX operating system is in maintenance mode
     and patches will no longer be produced when it retires. See
     http://support.sgi.com/news/irix1.html for more information.
  3) See "Temporary Solution" section.
  4) IRIX 6.5.2 needs to be installed to remove this vulnerability.
  5) If you have not received an IRIX 6.5.2 CD for IRIX 6.5, contact
     your SGI Support Provider or download the IRIX 6.5.2 Maintenance
     Release Stream from http://support.sgi.com/ or
     ftp://patches.sgi.com/support/relstream/
     Information about installing IRIX 6.5.2 can be found at:
     http://support.sgi.com/6.5/installing.html
Patches are available via anonymous FTP and your service/support provider.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches can be
found in the ~ftp/security and ~ftp/patches directories, respectively.
For security and patch management reasons, ftp.sgi.com (mirror of sgigate)
lags behind and does not do a real-time update of ~ftp/security and
~ftp/patches directories.
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: Vulnerability in IRIX fcagent daemon
Number: 19981201-01-PX
Date: December 10, 1998
______________________________________________________________________________
-----------------------
--- Issue Specifics ---
-----------------------
The IRIX fcagent(1m) service is an RPC based daemon which is called to
service requests about status or configuration of a FibreVault enclosure.
Unfortunately, a vulnerability in the fcagent(1m) daemon has been
discovered which can lead to a denial of service that can disable the
FibreVault.
Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems.
This issue has been corrected in future releases of IRIX.
--------------
--- Impact ---
--------------
The fcagent(1m) daemon is installed by default on Origin and Onyx2
platforms running IRIX 6.4 and higher.
A local user account on the vulnerable system is not required in order to
exploit the fcagent(1m) daemon.
The vulnerability can be exploited remotely by using carefully crafted RPC
packets that are sent to the fcagent(1m) daemon.
The vulnerability can be used to establish a denial of service rendering
the FibreVault unavailable.
This vulnerability was discovered internally by SGI and is believed not to
have been publicly discussed outside of SGI.
--------------------------
--- Temporary Solution ---
--------------------------
Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.
The steps below can be used to disable the fcagent(1m) daemon thereby
removing the vulnerability until patches can be installed.
=================
**** WARNING ****
=================
Disabling the fcagent(1m) daemon will prevent configuration and
status monitoring of the FibreVault enclosure.
1) Become the root user on the system.
      % /bin/su -
      Password:
      #
2) Verify fcagent(1m) daemon is enabled.
      # chkconfig
              Flag                 State
              ====                 =====
              fcagent              on
3) Disable fcagent(1m) daemon.
      # chkconfig fcagent off
4) Verify fcagent(1m) daemon has been disabled.
      # chkconfig
              Flag                 State
              ====                 =====
              fcagent              off
5) Stop any currently running fcagent(1m) daemon.
      # /etc/init.d/fcagent stop
6) Return to previous level.
      # exit
      %
----------------
--- Solution ---
----------------
   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x        no                          Note 1
   IRIX 4.x        no                          Note 1
   IRIX 5.0.x      no                          Note 1
   IRIX 5.1.x      no                          Note 1
   IRIX 5.2        no                          Note 1
   IRIX 5.3        no                          Note 2
   IRIX 6.0.x      no                          Note 1
   IRIX 6.1        no                          Note 1
   IRIX 6.2        no
   IRIX 6.3        no                          Note 2
   IRIX 6.4        yes            3440         Note 2 & 3
   IRIX 6.5        yes            6.5.2        Note 3 & 4
   IRIX 6.5.1      yes            6.5.2        Note 3 & 4
   IRIX 6.5.2      no                          Note 5
NOTES
  1) Upgrade to currently supported IRIX operating system. See
     http://support.sgi.com/news/irix2.html for more information.
  2) This version of the IRIX operating system is in maintenance mode
     and patches will no longer be produced when it retires. See
     http://support.sgi.com/news/irix1.html for more information.
  3) See "Temporary Solution" section.
  4) IRIX 6.5.2 needs to be installed to remove this vulnerability.
  5) If you have not received an IRIX 6.5.2 CD for IRIX 6.5, contact
     your SGI Support Provider or download the IRIX 6.5.2 Maintenance
     Release Stream from http://support.sgi.com/ or
     ftp://patches.sgi.com/support/relstream/
     Information about installing IRIX 6.5.2 can be found at:
     http://support.sgi.com/6.5/installing.html
Patches are available via anonymous FTP and your service/support provider.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches can be
found in the ~ftp/security and ~ftp/patches directories, respectively.
For security and patch management reasons, ftp.sgi.com (mirror of sgigate)
lags behind and does not do a real-time update of ~ftp/security and
~ftp/patches directories.
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files: