Date: 06 Oct 1994 16:05:26 -0400 (EDT) From: Ron Tencati +1-301-441-4081 Subject: NASIRC BULLETIN #94-32: Security Vulnerability in SGI IRIX serial_ports Sender: first-request@csrc.ncsl.nist.GOV To: first-teams@first.ORG Cc: TENCATI@nssdca.gsfc.nasa.GOV Reply-to: Ron Tencati +1-301-441-4081 Organization: FIRST, the Forum of Incident Response & Security Teams Sub-Organization: FIRST Secretariat X-Sequence: first-teams.0522 [Since this was already reported by CIAC, NASIRC did not circulate a pre-release draft] NASIRC BULLETIN #94-32 October 6, 1994 Security Vulnerability in SGI IRIX serial_ports =========================================================== __ __ __ ___ ___ ____ ____ /_/\ /_/| /_/ / _/\ /_/| / __/ \ / __/\ | |\ \| || / \ \ | /\/ | || | /\ \/ | | \/ | ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | | | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\ |_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/ NASA Automated Systems Incident Response Capability =========================================================== NASIRC recently received information about a security vulnerability in /usr/lib/vadmin/serial_ports which can allow unauthorized users to gain root privileges. A script to exploit this vulnerability has been widely distributed on the Internet (most notably to the "bugtraq" and "firewalls" lists), making it imperative that the fix described below be carried out as soon as possible. SYSTEMS AFFECTED: Silicon Graphics, Inc. (SGI) systems running IRIX vers. 4.X or 5.X. THE PROBLEM: The privileges assigned to the program /usr/lib/vadmin/serial_ports can be employed by unauthorized users to gain root privileges. More information is available from your SGI representative. SGI has requested that their internal Advisory number be used when referring to this vulnerability; it is 19941001-01-P. THE FIX: Changing the permissions on /usr/lib/vadmin/serial_ports should block exploitation of this vulnerability. On systems running IRIX 4.X --------------------------- The serial_ports program is only used to configure serial communica- tion ports; changing its permissions should *not* affect the overall system functionality. With root privileges, issue the following com- mand: /bin/chmod 700 /usr/lib/vadmin/serial_ports On systems running IRIX 5.X --------------------------- The serial_ports program is NOT used under version 5.X of IRIX. (It has been replaced by /usr/Cadmin/bin/cports, which does NOT have this vulnerability.) However, because it may remain on the system after an upgrade from 4.X, the vulnerability may still be present. If your system is running version 5.X of IRIX, you should delete the /usr/lib/vadmin/serial_ports file if it is present (just use the "ls" command in the /usr/lib/vadmin directory to see if it is there). NASIRC will continue to monitor this situation and will post additional information should it become necessary. If you have any questions about this bulletin, please contact NASIRC via any of the venues below. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= NASIRC ACKNOWLEDGES: The Department of Energy's Computer Incident Advisory Capability (CIAC) team for distributing this information to us, and to the AUSCERT team and Silicon Graphics, Inc. for their rapid response. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= =============================================================== For further assistance, please contact the NASIRC Helpdesk: Phone: 1-800-7-NASIRC Fax: 1-301-441-1853 Internet Email: nasirc@nasa.gov 24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056 STU III: 1-301-982-5480 =============================================================== This bulletin may be forwarded without restriction to sites and system administrators within the NASA community. The NASIRC online archive system is available via anonymous ftp. You will be required to enter your valid e-mail address as the "password". Once on the system, you can access the following information: ~/bulletins ! contains NASIRC bulletins ~/information ! contains various informational files ~/toolkits ! contains automated toolkit software The contents of these directories is updated on a continuous basis with relevant software and information; contact the NASIRC Helpdesk for more information or assistance. ----------------- PLEASE NOTE: Users outside of the NASA community may receive NASIRC bulletins. If you are not part of the NASA community, please contact your agency's response team to report incidents. Your agency's team will coordinate with NASIRC, who will ensure the proper internal NASA team(s) are notified. NASIRC is a member of the Forum of Incident Response and Security Teams (FIRST), a world-wide organiza- tion which provides for coordination between incident response teams in handling computer-security-related issues. You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts".