From agent99@sgi.com Sat Mar 30 01:02:46 2002
From: SGI Security Coordinator
To: agent99@sgi.com
Date: Thu, 28 Mar 2002 10:46:54 -0800 (PST)
Subject: IRIX rpc/HOSTALIASES vulnerability

______________________________________________________________________________
                          SGI Security Advisory

        Title:      IRIX rpc/HOSTALIASES vulnerability
        Number:     20020306-01-P
        Date:       March 28, 2002
        Reference:  CVE CAN-2002-0039 RPC
        Reference:  CVE CAN-2002-0040 HOSTALIASES
______________________________________________________________________________

-----------------------
--- Issue Specifics ---
-----------------------

It's been reported that certain malformed RPC requests with invalid lengths
can cause portmap and rpcbind to report a Bus error and exit. Under some
circumstances this can lead to a remote denial of service attack.

SGI has also discovered a problem where, when the HOSTALIASES environment
variable is set in a particular way, privileged applications that do name
resolution can dump core.

SGI has investigated the issues and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in future releases of IRIX.

--------------
--- Impact ---
--------------

The portmap binary is installed by default on IRIX 6.5 systems as part of
eoe.sw.base.

The rpcbind binary is installed as part of the optional eoe.sw.svr4net
subsystem.

To see if rpcbind is installed, execute the following command:

  $ versions long | grep rpcbind

If the above command returns a line similar to the following, then rpcbind
is installed.

  f 14263   113 eoe.sw.svr4net      usr/etc/rpcbind

These vulnerabilities may be exploited by a remote user, and no local account
is required. Other RPC servers might be impacted.

This RPC vulnerability can lead to a denial of service attack.
For the RPC vulnerability, SGI assigned CVE CAN-2002-0039:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0039

The ability to set the HOSTALIASES environment variable is available on all
versions of IRIX. This vulnerability was introduced in IRIX 6.5.11.

For the HOSTALIASES vulnerability, SGI assigned CVE CAN-2002-0040:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0040

These vulnerabilities will be fixed in IRIX 6.5.16m and IRIX 6.5.16f.

----------------------------
--- Temporary Workaround ---
----------------------------

There is no good workaround available for these problems. SGI recommends
either upgrading to IRIX 6.5.16 when it is released, or installing the
appropriate patch from the listing below.

----------------
--- Solution ---
----------------

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.16 when available, or install the
appropriate patch.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x        unknown                     Note 1
   IRIX 4.x        unknown                     Note 1
   IRIX 5.x        unknown                     Note 1
   IRIX 6.0.x      unknown                     Note 1
   IRIX 6.1        unknown                     Note 1
   IRIX 6.2        unknown                     Note 1
   IRIX 6.3        unknown                     Note 1
   IRIX 6.4        unknown                     Note 1
   IRIX 6.5          yes                       Notes 2 & 3
   IRIX 6.5.1        yes                       Notes 2 & 3
   IRIX 6.5.2        yes                       Notes 2 & 3
   IRIX 6.5.3        yes                       Notes 2 & 3
   IRIX 6.5.4        yes                       Notes 2 & 3
   IRIX 6.5.5        yes                       Notes 2 & 3
   IRIX 6.5.6        yes                       Notes 2 & 3
   IRIX 6.5.7        yes                       Notes 2 & 3
   IRIX 6.5.8        yes                       Notes 2 & 3
   IRIX 6.5.9        yes                       Notes 2 & 3
   IRIX 6.5.10       yes                       Notes 2 & 3
   IRIX 6.5.11m      yes           4508
   IRIX 6.5.11f      yes           4509
   IRIX 6.5.12m      yes           4506
   IRIX 6.5.12f      yes           4507
   IRIX 6.5.13m      yes           4504
   IRIX 6.5.13f      yes           4505
   IRIX 6.5.14m      yes           4502
   IRIX 6.5.14f      yes           4503
   IRIX 6.5.15m      yes           4500
   IRIX 6.5.15f      yes           4501

   NOTES

     1) This version of the IRIX operating system has been retired. Upgrade
        to an actively supported IRIX operating system. See
        http://support.sgi.com/irix/news/index.html#policy for more
        information.
     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
        SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

     3) Upgrade to IRIX 6.5.16m or 6.5.16f.

                ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:

------------------------
--- Acknowledgments ----
------------------------

SGI wishes to thank FIRST and the users of the Internet Community at large
for their assistance in this matter.
-------------
--- Links ---
-------------

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html

IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.

-----------------------------------------
--- SGI Security Information/Contacts ---
-----------------------------------------

If there are questions about this document, email can be sent to
security-info@sgi.com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.

For assistance obtaining or working with security patches, please contact
your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.

  % mail wiretap-request@sgi.com
  subscribe wiretap
  end
  ^d

In the example above, is the email address that you wish the mailing list
information sent to. The word end must be on a separate line to indicate
the end of the body of the message. The control-d (^d) is used to indicate
to the mail program that you are finished composing the mail message.

                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be sent
to security-info@sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A support
contract is not required for submitting a security report.

______________________________________________________________________________
      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.