From agent99@sgi.com Sat Nov 9 20:36:49 2002 From: SGI Security Coordinator To: agent99@sgi.com Newsgroups: comp.sys.sgi.announce, comp.security.unix, comp.sys.sgi.admin, comp.security.announce Date: Thu, 7 Nov 2002 16:12:01 -0800 Subject: Potential Denial of Service Vulnerability in IRIX RPC-based libc -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SGI Security Advisory Title : Potential Denial of Service Vulnerability in RPC-based libc Number : 20021103-01-P Date : November 7, 2002 Reference: CERT VU#266817 Reference: CVE CAN-2002-1265 Reference: SGI BUGS 852333 and 871325 Fixed in : IRIX 6.5.18 Fixed in : SGI PATCHES 4838, 4839, 4842, 4843, 4840, 4845, 4841, and 4846 ______________________________________________________________________________ - ----------------------- - --- Issue Specifics --- - ----------------------- It's been reported that SGI IRIX's Sun RPC-based libc implementation fails to provide an adequate time-out mechanism when reading data from TCP connections. As a result, a remote attacker can deny service to system daemons. See http://www.kb.cert.org/vuls/id/266817 for additional details. This vulnerability has been assigned the following CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1265 SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems. These issues have been corrected with patches and in IRIX 6.5.18. - -------------- - --- Impact --- - -------------- The libc library is installed by default on IRIX 6.5 systems as part of eoe.sw.base. To determine the version of IRIX you are running, execute the following command: # /bin/uname -R That will return a result similar to the following: # 6.5 6.5.16f The first number ("6.5") is the release name, the second ("6.5.16f" in this case) is the extended release name. The extended release name is the "version" we refer to throughout this document. - ---------------------------- - --- Temporary Workaround --- - ---------------------------- Apart from not running Sun RPC services, there is no effective workaround available for this vulnerability. SGI recommends either upgrading to IRIX 6.5.18 or later, or installing the appropriate patch from the listing below. - ---------------- - --- Solution --- - ---------------- SGI has provided a series of patches for these vulnerabilities. Our recommendation is to upgrade to IRIX 6.5.18 or later, or install the appropriate patch. OS Version Vulnerable? Patch # Other Actions ---------- ----------- ------- ------------- IRIX 3.x unknown Note 1 IRIX 4.x unknown Note 1 IRIX 5.x unknown Note 1 IRIX 6.0.x unknown Note 1 IRIX 6.1 unknown Note 1 IRIX 6.2 unknown Note 1 IRIX 6.3 unknown Note 1 IRIX 6.4 unknown Note 1 IRIX 6.5 yes Notes 2 & 3 IRIX 6.5.1 yes Notes 2 & 3 IRIX 6.5.2 yes Notes 2 & 3 IRIX 6.5.3 yes Notes 2 & 3 IRIX 6.5.4 yes Notes 2 & 3 IRIX 6.5.5 yes Notes 2 & 3 IRIX 6.5.6 yes Notes 2 & 3 IRIX 6.5.7 yes Notes 2 & 3 IRIX 6.5.8 yes Notes 2 & 3 IRIX 6.5.9 yes Notes 2 & 3 IRIX 6.5.10 yes Notes 2 & 3 IRIX 6.5.11 yes Notes 2 & 3 IRIX 6.5.12 yes Notes 2 & 3 IRIX 6.5.13 yes Notes 2 & 3 IRIX 6.5.14m yes 4838 Notes 2 & 3 IRIX 6.5.14f yes 4839 Notes 2 & 3 IRIX 6.5.15m yes 4842 Notes 2 & 3 IRIX 6.5.15f yes 4843 Notes 2 & 3 IRIX 6.5.16m yes 4840 Notes 2 & 3 IRIX 6.5.16f yes 4845 Notes 2 & 3 IRIX 6.5.17m yes 4841 Notes 2 & 3 IRIX 6.5.17f yes 4846 Notes 2 & 3 IRIX 6.5.18 no NOTES 1) This version of the IRIX operating has been retired. Upgrade to an actively supported IRIX operating system. See http://support.sgi.com/irix/news/index.html#policy for more information. 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/ IRIX Maintenance releases can be downloaded from: http://support.sgi.com/colls/patches/tools/relstream/index.html 3) Upgrade to IRIX 6.5.18 or later. ##### Patch File Checksums #### The actual patch will be a tar file containing the following files: Filename: README.patch.4838 Algorithm #1 (sum -r): 19885 9 README.patch.4838 Algorithm #2 (sum): 13097 9 README.patch.4838 MD5 checksum: 7078E8BE364B66AD17884D5945DC4CB9 Filename: patchSG0004838 Algorithm #1 (sum -r): 24098 8 patchSG0004838 Algorithm #2 (sum): 6796 8 patchSG0004838 MD5 checksum: 6F0A4437FA7FEDCB9FBA2F71BF809241 Filename: patchSG0004838.dev_sw Algorithm #1 (sum -r): 17117 2818 patchSG0004838.dev_sw Algorithm #2 (sum): 18437 2818 patchSG0004838.dev_sw MD5 checksum: FED63E719498CA1B3AD8615A9568CC2D Filename: patchSG0004838.eoe_sw Algorithm #1 (sum -r): 30194 14114 patchSG0004838.eoe_sw Algorithm #2 (sum): 41513 14114 patchSG0004838.eoe_sw MD5 checksum: 98573E1526D6C9675ED8108769D4F385 Filename: patchSG0004838.eoe_sw64 Algorithm #1 (sum -r): 43406 5399 patchSG0004838.eoe_sw64 Algorithm #2 (sum): 32065 5399 patchSG0004838.eoe_sw64 MD5 checksum: DA06569D206C45411DEF7E0C5818204E Filename: patchSG0004838.idb Algorithm #1 (sum -r): 51210 9 patchSG0004838.idb Algorithm #2 (sum): 24509 9 patchSG0004838.idb MD5 checksum: 99F8DFD00B6093E6B13D3101522B162A Filename: patchSG0004838.nfs_sw Algorithm #1 (sum -r): 12748 116 patchSG0004838.nfs_sw Algorithm #2 (sum): 12251 116 patchSG0004838.nfs_sw MD5 checksum: D1230952ADBB05C53AF20138EFF3690A Filename: README.patch.4839 Algorithm #1 (sum -r): 14005 9 README.patch.4839 Algorithm #2 (sum): 13201 9 README.patch.4839 MD5 checksum: 46A8E945CBCC8BCA46FF7FD9D1EA6910 Filename: patchSG0004839 Algorithm #1 (sum -r): 34628 8 patchSG0004839 Algorithm #2 (sum): 10416 8 patchSG0004839 MD5 checksum: 5977417007A971698B094DF1B817FB6F Filename: patchSG0004839.dev_sw Algorithm #1 (sum -r): 41960 2875 patchSG0004839.dev_sw Algorithm #2 (sum): 39191 2875 patchSG0004839.dev_sw MD5 checksum: 2A67C5A6F62548AFFEFA8589DD64AF27 Filename: patchSG0004839.eoe_sw Algorithm #1 (sum -r): 42870 14337 patchSG0004839.eoe_sw Algorithm #2 (sum): 61013 14337 patchSG0004839.eoe_sw MD5 checksum: 348F4806AB2030B734354E9DBB7A7416 Filename: patchSG0004839.eoe_sw64 Algorithm #1 (sum -r): 27069 5458 patchSG0004839.eoe_sw64 Algorithm #2 (sum): 53826 5458 patchSG0004839.eoe_sw64 MD5 checksum: D5C1FB6A8B3FE06DEC02E884DA92FB50 Filename: patchSG0004839.idb Algorithm #1 (sum -r): 25993 10 patchSG0004839.idb Algorithm #2 (sum): 48707 10 patchSG0004839.idb MD5 checksum: A02EA03F18092C44F80DD4BCA8B96A34 Filename: patchSG0004839.nfs_sw Algorithm #1 (sum -r): 07622 116 patchSG0004839.nfs_sw Algorithm #2 (sum): 17748 116 patchSG0004839.nfs_sw MD5 checksum: 8708378B609033A8341B717CC5008BD1 Filename: README.patch.4840 Algorithm #1 (sum -r): 20515 9 README.patch.4840 Algorithm #2 (sum): 58541 9 README.patch.4840 MD5 checksum: 3D64AB943625700D8A7D17DA984EE552 Filename: patchSG0004840 Algorithm #1 (sum -r): 33589 7 patchSG0004840 Algorithm #2 (sum): 8028 7 patchSG0004840 MD5 checksum: 17DF232BE1999A657450C4AE6425E53D Filename: patchSG0004840.dev_sw Algorithm #1 (sum -r): 58282 2826 patchSG0004840.dev_sw Algorithm #2 (sum): 36641 2826 patchSG0004840.dev_sw MD5 checksum: 0BD37AE226BE29536481AB41A5B01C7D Filename: patchSG0004840.eoe_sw Algorithm #1 (sum -r): 61024 13972 patchSG0004840.eoe_sw Algorithm #2 (sum): 63438 13972 patchSG0004840.eoe_sw MD5 checksum: 8DE1DBF47D8B30A8C85BFAF4441E193E Filename: patchSG0004840.eoe_sw64 Algorithm #1 (sum -r): 44518 5364 patchSG0004840.eoe_sw64 Algorithm #2 (sum): 13550 5364 patchSG0004840.eoe_sw64 MD5 checksum: 404D699F3D639A4B27F9CD203202DE96 Filename: patchSG0004840.idb Algorithm #1 (sum -r): 44412 9 patchSG0004840.idb Algorithm #2 (sum): 24146 9 patchSG0004840.idb MD5 checksum: 04D9723849742C3247EC2C1794887C95 Filename: patchSG0004840.nfs_sw Algorithm #1 (sum -r): 52254 115 patchSG0004840.nfs_sw Algorithm #2 (sum): 57763 115 patchSG0004840.nfs_sw MD5 checksum: AFE6A163705946DD64FBC771402672BE Filename: README.patch.4841 Algorithm #1 (sum -r): 39516 8 README.patch.4841 Algorithm #2 (sum): 51942 8 README.patch.4841 MD5 checksum: 0DF3A6DD4089A091107B85F1C452B4FD Filename: patchSG0004841 Algorithm #1 (sum -r): 21644 7 patchSG0004841 Algorithm #2 (sum): 26440 7 patchSG0004841 MD5 checksum: 170C62A295C551DDAF9F1B2AFCB5CC6F Filename: patchSG0004841.dev_sw Algorithm #1 (sum -r): 55759 2871 patchSG0004841.dev_sw Algorithm #2 (sum): 18216 2871 patchSG0004841.dev_sw MD5 checksum: 35CD9FC24D8B6C5336AD2E92491D7CB1 Filename: patchSG0004841.eoe_sw Algorithm #1 (sum -r): 55359 14385 patchSG0004841.eoe_sw Algorithm #2 (sum): 13255 14385 patchSG0004841.eoe_sw MD5 checksum: D78BD738AC236A1E365C951C694E7DBF Filename: patchSG0004841.eoe_sw64 Algorithm #1 (sum -r): 11901 5507 patchSG0004841.eoe_sw64 Algorithm #2 (sum): 1227 5507 patchSG0004841.eoe_sw64 MD5 checksum: 0ABBC1280C1C575E26703F99E2B95679 Filename: patchSG0004841.idb Algorithm #1 (sum -r): 35148 9 patchSG0004841.idb Algorithm #2 (sum): 24716 9 patchSG0004841.idb MD5 checksum: 72DF4286A116FE33989B57C73CA8491A Filename: patchSG0004841.nfs_sw Algorithm #1 (sum -r): 01746 115 patchSG0004841.nfs_sw Algorithm #2 (sum): 45471 115 patchSG0004841.nfs_sw MD5 checksum: 2E4FACCCF7FBFD8C4BE97CFB9B04964E Filename: README.patch.4842 Algorithm #1 (sum -r): 14274 9 README.patch.4842 Algorithm #2 (sum): 163 9 README.patch.4842 MD5 checksum: EA36BFA20213B334DA8629D63776A58A Filename: patch4842.chksums.only Algorithm #1 (sum -r): 21612 1 patch4842.chksums.only Algorithm #2 (sum): 12946 1 patch4842.chksums.only MD5 checksum: 90D3A42670B02F2694AF9D81606EB121 Filename: patch4842.pgp.and.chksums Algorithm #1 (sum -r): 10982 1 patch4842.pgp.and.chksums Algorithm #2 (sum): 36306 1 patch4842.pgp.and.chksums MD5 checksum: 7B754813CC95136AB0BABD79D0A6DD98 Filename: patchSG0004842 Algorithm #1 (sum -r): 33358 8 patchSG0004842 Algorithm #2 (sum): 56140 8 patchSG0004842 MD5 checksum: 2CF724DB759B31426CC6449C4B482643 Filename: patchSG0004842.dev_sw Algorithm #1 (sum -r): 64975 2819 patchSG0004842.dev_sw Algorithm #2 (sum): 54094 2819 patchSG0004842.dev_sw MD5 checksum: EFCDC46B2D915E443987E76FD558BBCE Filename: patchSG0004842.eoe_sw Algorithm #1 (sum -r): 04239 13999 patchSG0004842.eoe_sw Algorithm #2 (sum): 5063 13999 patchSG0004842.eoe_sw MD5 checksum: 42BA5415EDBF8BF87BF1CEF940297176 Filename: patchSG0004842.eoe_sw64 Algorithm #1 (sum -r): 62079 5370 patchSG0004842.eoe_sw64 Algorithm #2 (sum): 15526 5370 patchSG0004842.eoe_sw64 MD5 checksum: C05E2C12ABD1A8B4186B4D1D04227AE9 Filename: patchSG0004842.idb Algorithm #1 (sum -r): 56186 9 patchSG0004842.idb Algorithm #2 (sum): 36284 9 patchSG0004842.idb MD5 checksum: DFD4AE06B37ABCE5DC8B1E7D0E4D593C Filename: README.patch.4843 Algorithm #1 (sum -r): 24801 9 README.patch.4843 Algorithm #2 (sum): 184 9 README.patch.4843 MD5 checksum: B8FF9691288E65F9E0F3E0D033BA03B9 Filename: patchSG0004843 Algorithm #1 (sum -r): 38630 8 patchSG0004843 Algorithm #2 (sum): 45967 8 patchSG0004843 MD5 checksum: E9F5395B41BB98DA493F95B6740A40C0 Filename: patchSG0004843.dev_sw Algorithm #1 (sum -r): 57071 2875 patchSG0004843.dev_sw Algorithm #2 (sum): 47966 2875 patchSG0004843.dev_sw MD5 checksum: 2352B26245F960BD74EE560A32BD09AC Filename: patchSG0004843.eoe_sw Algorithm #1 (sum -r): 54319 14237 patchSG0004843.eoe_sw Algorithm #2 (sum): 9088 14237 patchSG0004843.eoe_sw MD5 checksum: 03D46304F9D281FE3EBB4269129ED71A Filename: patchSG0004843.eoe_sw64 Algorithm #1 (sum -r): 53290 5426 patchSG0004843.eoe_sw64 Algorithm #2 (sum): 45901 5426 patchSG0004843.eoe_sw64 MD5 checksum: 455F0E5F967003BF5C193728AC027324 Filename: patchSG0004843.idb Algorithm #1 (sum -r): 25411 9 patchSG0004843.idb Algorithm #2 (sum): 36397 9 patchSG0004843.idb MD5 checksum: E9F6235ADFA442C7A8388785D7AE984A Filename: patchSG0004843.nfs_sw Algorithm #1 (sum -r): 07004 115 patchSG0004843.nfs_sw Algorithm #2 (sum): 7005 115 patchSG0004843.nfs_sw MD5 checksum: 8355903908696CF88F6C8474B1441E5F Filename: README.patch.4845 Algorithm #1 (sum -r): 19621 9 README.patch.4845 Algorithm #2 (sum): 63174 9 README.patch.4845 MD5 checksum: 5D7D0872F054F678FC73ADD9A7927A0B Filename: patchSG0004845 Algorithm #1 (sum -r): 60677 7 patchSG0004845 Algorithm #2 (sum): 13336 7 patchSG0004845 MD5 checksum: 7F3ED1EC3C69BAA0F684CE257ABAA9DE Filename: patchSG0004845.dev_sw Algorithm #1 (sum -r): 64467 2870 patchSG0004845.dev_sw Algorithm #2 (sum): 36886 2870 patchSG0004845.dev_sw MD5 checksum: DF9B3BE33373A9B5F310C771DA9919FC Filename: patchSG0004845.eoe_sw Algorithm #1 (sum -r): 14438 14238 patchSG0004845.eoe_sw Algorithm #2 (sum): 52196 14238 patchSG0004845.eoe_sw MD5 checksum: 0752B61F0C5F78165B0864A143F12F5D Filename: patchSG0004845.eoe_sw64 Algorithm #1 (sum -r): 61870 5427 patchSG0004845.eoe_sw64 Algorithm #2 (sum): 63001 5427 patchSG0004845.eoe_sw64 MD5 checksum: 1FD7650F3A0CA53984F55C97422B6FA5 Filename: patchSG0004845.idb Algorithm #1 (sum -r): 17076 9 patchSG0004845.idb Algorithm #2 (sum): 24881 9 patchSG0004845.idb MD5 checksum: E78AB9246B89958F691F3F7F3C177D2C Filename: patchSG0004845.nfs_sw Algorithm #1 (sum -r): 29287 115 patchSG0004845.nfs_sw Algorithm #2 (sum): 59944 115 patchSG0004845.nfs_sw MD5 checksum: FA80429C42EA051F4F03173C27605BC6 Filename: README.patch.4846 Algorithm #1 (sum -r): 11014 8 README.patch.4846 Algorithm #2 (sum): 53086 8 README.patch.4846 MD5 checksum: 2C079AD39C98F6D6EE41F37674FD894A Filename: patchSG0004846 Algorithm #1 (sum -r): 62823 7 patchSG0004846 Algorithm #2 (sum): 15205 7 patchSG0004846 MD5 checksum: 3FD1F15E1049B60567936DD178615052 Filename: patchSG0004846.dev_sw Algorithm #1 (sum -r): 54372 2915 patchSG0004846.dev_sw Algorithm #2 (sum): 26322 2915 patchSG0004846.dev_sw MD5 checksum: 81EB7CA9497F9A3B9F517E0AAC513C2C Filename: patchSG0004846.eoe_sw Algorithm #1 (sum -r): 57605 14590 patchSG0004846.eoe_sw Algorithm #2 (sum): 20324 14590 patchSG0004846.eoe_sw MD5 checksum: 7C8C11F425B9AFA3306A64CFD1C456DE Filename: patchSG0004846.eoe_sw64 Algorithm #1 (sum -r): 47150 5597 patchSG0004846.eoe_sw64 Algorithm #2 (sum): 46479 5597 patchSG0004846.eoe_sw64 MD5 checksum: D9D3B4B3FEEC03E66A26C28F62873050 Filename: patchSG0004846.idb Algorithm #1 (sum -r): 55346 9 patchSG0004846.idb Algorithm #2 (sum): 24828 9 patchSG0004846.idb MD5 checksum: 5CB936EAE37711BC192D278A6673D9FE Filename: patchSG0004846.nfs_sw Algorithm #1 (sum -r): 19473 115 patchSG0004846.nfs_sw Algorithm #2 (sum): 45973 115 patchSG0004846.nfs_sw MD5 checksum: 048B53C03E380E4A1370BC573078FBA2 - ------------------------ - --- Acknowledgments ---- - ------------------------ SGI wishes to thank CERT and the users of the Internet Community at large for their assistance in this matter. - ------------- - --- Links --- - ------------- SGI Security Advisories can be found at: http://www.sgi.com/support/security/ and ftp://patches.sgi.com/support/free/security/advisories/ SGI Security Patches can be found at: http://www.sgi.com/support/security/ and ftp://patches.sgi.com/support/free/security/patches/ SGI patches for IRIX can be found at the following patch servers: http://support.sgi.com/irix/ and ftp://patches.sgi.com/ SGI freeware updates for IRIX can be found at: http://freeware.sgi.com/ SGI fixes for SGI open sourced code can be found on: http://oss.sgi.com/projects/ SGI patches and RPMs for Linux can be found at: http://support.sgi.com/linux/ or http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/ SGI patches for Windows NT or 2000 can be found at: http://support.sgi.com/nt/ IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/ IRIX 6.5 Maintenance Release Streams can be found at: http://support.sgi.com/colls/patches/tools/relstream/index.html IRIX 6.5 Software Update CDs can be obtained from: http://support.sgi.com/irix/swupdates/ The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/ For security and patch management reasons, ftp.sgi.com (mirrors patches.sgi.com security FTP repository) lags behind and does not do a real-time update. - ----------------------------------------- - --- SGI Security Information/Contacts --- - ----------------------------------------- If there are questions about this document, email can be sent to security-info@sgi.com. ------oOo------ SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/ The SGI Security Headquarters Web page is accessible at the URL: http://www.sgi.com/support/security/ For issues with the patches on the FTP sites, email can be sent to security-info@sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. ------oOo------ SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/support/security/wiretap.html) or by sending email to SGI as outlined below. % mail wiretap-request@sgi.com subscribe wiretap end ^d In the example above, is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message. ------oOo------ SGI provides a comprehensive customer World Wide Web site. This site is located at http://www.sgi.com/support/security/ . ------oOo------ If there are general security questions on SGI systems, email can be sent to security-info@sgi.com. For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. ______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBPcr58bQ4cFApAP75AQH6TAP8CJWPoJCSaAaqmsQ8pm7A+hekQoW62HQs YtKImdiqCWmNQRZll6p5kMVYusnRl84UAgwkJM68Hu3kSVL7PyMtWbjE+L/eHfWC 7X+bgN3Id9x8ExLtmt0Qta/OmjuMzg8oigfI9PikAWrTjTArlR8SzHyOBGtA27eB HTnj+yKw+OY= =7lr/ -----END PGP SIGNATURE-----