************************************************************************** Security Bulletin 9424 DISA Defense Communications System August 23, 1994 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= CA-94:13 CERT Advisory August 11, 1994 SGI IRIX Help Vulnerability ----------------------------------------------------------------------------- The CERT Coordination Center has received information about a vulnerability in the Silicon Graphics, Inc. IRIX operating system, versions 5.1.x and 5.2. This vulnerability enables users to gain unauthorized root access. To exploit the vulnerability, a person must log into an account on the system or have physical access to the system console. SGI has developed a patch for the vulnerability. Because the vulnerability has been widely discussed in public forums on the Internet, we recommend that you install the patch as soon as possible. Section III below contains instructions for obtaining the patch, along with a workaround you can use until you install it. As we receive additional information relating to this advisory, we will place it, along with any clarifications, in a CA-94:13.README file. CERT advisories and their associated README files are available by anonymous FTP from info.cert.org. We encourage you to check the README files regularly for updates on advisories that relate to your site. ----------------------------------------------------------------------------- I. Description A vulnerability exists in the SGI help system and print manager, enabling users to get unauthorized root access if they can log into an account on the system or get physical access to the system console. The vulnerability is present in the SGI IRIX operating system, versions 5.1.x and 5.2. SGI reports that the problem will be permanently corrected in a future release of IRIX. In public discussions, the vulnerability has been referred to by various names, including clogin, printer manager, and SGI Help. II. Impact Individuals with accounts on the system or physical access to the system console can obtain root access. III. Solutions A. For IRIX 5.2 If you are running IRIX 5.2, obtain and install patch65 according to the instructions provided. These instructions can be found in the "relnotes.patchSG0000065" file in the patch65.tar file (see below). To install this patch successfully, you need to have the latest SGI "inst" program installed (this is available as patch00 or patch34). SGI has provided instructions for determining if the new install program is on your system. We have placed these in an appendix at the end of this advisory. These patches are available by anonymous FTP from ftp.sgi.com and from sgigate.sgi.com in the "/security" directory. Filename patch65.tar Standard Unix Sum 63059 1220 System V Sum 15843 2440 MD5 af8c120f86daab9df74998b31927e397 Filename patch34.tar.Z Standard Unix Sum 11066 15627 System V Sum 1674 31253 MD5 2859d0debff715c5beaccd02b6bebded Patches are available on CD. Contact your nearest SGI service provider for distribution. B. For IRIX 5.1.x If you are running versions 5.1.x, SGI recommends that you upgrade to version 5.2, if possible, and then follow the instructions in Section III.A. above. If you cannot upgrade to 5.2, see the workaround instructions in III.C. C. Workaround If you cannot install the patches or are delayed in obtaining them, SGI recommends removing the help subsystem using the following command (as root): # versions remove sgihelp.sw.eoe PLEASE NOTE: Removal of this subsystem will affect other installed software that use the SGI Help system. After the removal, certain help functions from within applications will return non-fatal error messages about the missing subsystem. At a later date, when the patch can be installed on the system, you will need to re-install the previously removed SGI Help software prior to installing patch65. This can be found on your original software distribution (CD labeled as IRIX 5.2). As root, use the command: # inst -f /CDROM/dist/sgihelp Inst> install sgihelp.sw.eoe Inst> go The installation documentation provides further information. --------------------------------------------------------------------------- The CERT Coordination Center wishes to thank Silicon Graphics, Inc., for their cooperation in responding to this problem and members of the AUSCERT and CIAC response teams for their contributions to this advisory. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in Forum of Incident Response and Security Teams (FIRST). If you wish to send sensitive incident or vulnerability information to CERT via electronic mail, CERT strongly advises that the e-mail be encrypted. CERT can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT for details). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 USA Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org. CA-94:13.README Issue Date: August 11, 1994 Revision Date: August 11, 1994 There are three patches related to this issue - patch00, patch34, and patch65. Patch34 is an update to patch00 which modifies the "inst" program to be able to handle patch updates. At least one of patch00 or patch34 is required to be installed before installing patch65. To determine if the new inst program is already installed on your system, the following command can be issued: # versions patch\* I = Installed, R = Removed Name Date Description I patchSG0000034 08/10/94 Patch SG0000034 I patchSG0000034.eoe1_sw 08/10/94 IRIX Execution Environment Software I patchSG0000034.eoe1_sw.unix 08/10/94 IRIX Execution Environment If patchSG0000000 or patchSG0000034 (as seen above) is loaded, then it is only necessary to download patch65 as described in the advisory. This is important since patch34 is rather large (16MB). Otherwise, download both patch34 and patch65. Install patch34 first, then patch65. To install patch34, uncompress and untar "patch34.tar.Z" and follow the instructions in the "README.FIRST" file. These patches are available by anonymous FTP from ftp.sgi.com in the "security" directory: Standard System V MD5 Unix Unix Digital Signature patch34.tar.Z: 11066 15627 1674 31253 2859d0debff715c5beaccd02b6bebded patch65.tar: 63059 1220 15843 2440 af8c120f86daab9df74998b31927e397 **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Many users outside of the DOD computing communities receive DDN Security bulletins. If you are not part of DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.