From agent99@boytoy.csd.sgi.com Tue Jun 16 14:13:03 1998 From: SGI Security Coordinator To: agent99@sgi.com Date: Tue, 16 Jun 1998 11:17:18 -0700 Subject: IRIX OSF/DCE Denial of Service Attack DISTRIBUTION RESTRICTIONS - NONE - FOR PUBLIC RELEASE -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: OSF/DCE Denial of Service Attack Title: CERT VB-97.12 Number: 19980601-01-PX Date: June, 16 1998 ______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics provides the information in this Security Advisory on an "AS-IS" basis only, and disclaims all warranties with respect thereto, express, implied or otherwise, including, without limitation, any warranty of merchantability or fitness for a particular purpose. In no event shall Silicon Graphics be liable for any loss of profits, loss of business, loss of data or for any indirect, special, exemplary, incidental or consequential damages of any kind arising from your use of, failure to use or improper use of any of the instructions or information in this Security Advisory. ______________________________________________________________________________ - ----------------------- - --- Issue Specifics --- - ----------------------- The Open Group has released an advisory via CERT concerning a buffer overflow which has been discovered with Distributed Computing Environment (DCE) security demon (secd) causing it core dump and no longer accept connections. Silicon Graphic's implementation of OSF/DCE is vulnerable to this denial of service attack. Silicon Graphics Inc. has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems. This issue will be corrected in future releases of Silicon Graphic's OSF/DCE implementation. - -------------- - --- Impact --- - -------------- Any Silicon Graphics System that has purchased OSF/DCE and installed it on IRIX 5.3, 6.2, 6.3 or 6.4, is vulnerable to this denial of service attack. The denial of service attack can be performed locally and remotely and without the use of a local account on the system. Information on the denial of service attack has been posted as a CERT Vendor Bulletin from the Open Group and can be found at: ftp://ftp.cert.org/pub/cert_bulletins/VB-97.12.opengroup - ---------------- - --- Solution --- - ---------------- Upgrade to OSF/DCE & DFS 1.1C and install the following patches from the December 1997 or later Recommended/Required Patch Set: OS Version Vulnerable? Patch # Other Actions ---------- ----------- ------- ------------- IRIX 3.x no IRIX 4.x no IRIX 5.0.x no IRIX 5.1.x no IRIX 5.2 no IRIX 5.3 yes not avail see Note 1 IRIX 6.0.x no IRIX 6.1 no IRIX 6.2 yes 2678 or 2679 see Note 2 IRIX 6.3 yes 2680 or 2681 see Note 2 IRIX 6.4 yes 2682 or 2683 see Note 2 NOTES 1) Upgrade operating system. 2) Patches 2679, 2681 and 2683 are for the U.S. domestic version of OSF/DCE & DFS 1.1C and are not available from the standard SGI patch sources because they include strong encryption which cannot be exported outside of the United States without authorization. All U.S. customers who have purchased Silicon Graphic's U.S. domestic implementation of the OSF/DCE & DFS 1.1C should have received an SGI patch CD which contains these restricted patches. Please contact your U.S. SGI support provider if you have not received this patch CD: SC4-DCEDOM-1.1C DCE Domestic Security Module 1.1C Patch CD Patches are available via anonymous FTP and your service/support provider. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Security information and patches can be found in the ~ftp/security and ~ftp/patches directories, respectfully. ##### Patch File Checksums #### The actual patch will be a tar file containing the following files: Filename: README.patch.2678 Algorithm #1 (sum -r): 03340 18 README.patch.2678 Algorithm #2 (sum): 44196 18 README.patch.2678 MD5 checksum: 3925265EE23DEACDD2421F1B332D6138 Filename: patchSG0002678 Algorithm #1 (sum -r): 29356 8 patchSG0002678 Algorithm #2 (sum): 28887 8 patchSG0002678 MD5 checksum: 8F70D3A0A297F21DB47A89C6522216AC Filename: patchSG0002678.DCE_hdr Algorithm #1 (sum -r): 29460 8 patchSG0002678.DCE_hdr Algorithm #2 (sum): 21868 8 patchSG0002678.DCE_hdr MD5 checksum: FB225D06B2C3388C90AEDEA602C47E9C Filename: patchSG0002678.DCE_sw Algorithm #1 (sum -r): 01092 20273 patchSG0002678.DCE_sw Algorithm #2 (sum): 38822 20273 patchSG0002678.DCE_sw MD5 checksum: F431CAD81201422515E5657F404D9A9E Filename: patchSG0002678.DCE_sw32 Algorithm #1 (sum -r): 32696 5828 patchSG0002678.DCE_sw32 Algorithm #2 (sum): 50088 5828 patchSG0002678.DCE_sw32 MD5 checksum: 69D82184EFE0C90B42E3580EE8C12C3F Filename: patchSG0002678.DCE_sw64 Algorithm #1 (sum -r): 49268 6303 patchSG0002678.DCE_sw64 Algorithm #2 (sum): 46879 6303 patchSG0002678.DCE_sw64 MD5 checksum: 327E6C8AA4EA66D28D9B4F4BA2C1C29E Filename: patchSG0002678.DFS_sw Algorithm #1 (sum -r): 57135 33041 patchSG0002678.DFS_sw Algorithm #2 (sum): 19241 33041 patchSG0002678.DFS_sw MD5 checksum: E304E1471272D29DEBDEF2C92B1F507E Filename: patchSG0002678.idb Algorithm #1 (sum -r): 18177 24 patchSG0002678.idb Algorithm #2 (sum): 34402 24 patchSG0002678.idb MD5 checksum: 9732B977851307A76D0A41915446AFD3 Filename: README.patch.2679 Algorithm #1 (sum -r): 12911 18 README.patch.2679 Algorithm #2 (sum): 45218 18 README.patch.2679 MD5 checksum: 0372E330C0F36F21BE1B18104B35764A Filename: patchSG0002679 Algorithm #1 (sum -r): 21166 4 patchSG0002679 Algorithm #2 (sum): 4443 4 patchSG0002679 MD5 checksum: 1EF8D675D4970C3680ABF3F172707A18 Filename: patchSG0002679.DCE_domestic_sw Algorithm #1 (sum -r): 00651 6058 patchSG0002679.DCE_domestic_sw Algorithm #2 (sum): 2779 6058 patchSG0002679.DCE_domestic_sw MD5 checksum: 58DBF50346C7C061B880307FC93F529B Filename: patchSG0002679.DCE_domestic_sw32 Algorithm #1 (sum -r): 60926 5912 patchSG0002679.DCE_domestic_sw32 Algorithm #2 (sum): 30244 5912 patchSG0002679.DCE_domestic_sw32 MD5 checksum: 542C70B9A9E9AB67B692797C027B03B5 Filename: patchSG0002679.DCE_domestic_sw64 Algorithm #1 (sum -r): 42845 6378 patchSG0002679.DCE_domestic_sw64 Algorithm #2 (sum): 3556 6378 patchSG0002679.DCE_domestic_sw64 MD5 checksum: 7AAF218B85F599616F0177AA0EB33EA6 Filename: patchSG0002679.DFS_domestic_sw Algorithm #1 (sum -r): 01958 26147 patchSG0002679.DFS_domestic_sw Algorithm #2 (sum): 40763 26147 patchSG0002679.DFS_domestic_sw MD5 checksum: 16AC2AB4DAADB7FC858E17E04A2EBB80 Filename: patchSG0002679.idb Algorithm #1 (sum -r): 32131 10 patchSG0002679.idb Algorithm #2 (sum): 7644 10 patchSG0002679.idb MD5 checksum: A32549C1EB308E2E60691C5E0D5F4AE3 Filename: README.patch.2680 Algorithm #1 (sum -r): 07341 17 README.patch.2680 Algorithm #2 (sum): 27764 17 README.patch.2680 MD5 checksum: 426FB2F07E7D475A6041082D4ABF2C88 Filename: patchSG0002680 Algorithm #1 (sum -r): 41854 8 patchSG0002680 Algorithm #2 (sum): 12427 8 patchSG0002680 MD5 checksum: E1FDE5E34BDA47AC2F49A84F90480D34 Filename: patchSG0002680.DCE_hdr Algorithm #1 (sum -r): 38241 74 patchSG0002680.DCE_hdr Algorithm #2 (sum): 46233 74 patchSG0002680.DCE_hdr MD5 checksum: C1AFA1041993291393C9D2E695D11A57 Filename: patchSG0002680.DCE_sw Algorithm #1 (sum -r): 15573 21331 patchSG0002680.DCE_sw Algorithm #2 (sum): 54145 21331 patchSG0002680.DCE_sw MD5 checksum: B18761B8BD7C8D2132D66E163E7A9A03 Filename: patchSG0002680.DCE_sw32 Algorithm #1 (sum -r): 53311 5838 patchSG0002680.DCE_sw32 Algorithm #2 (sum): 10596 5838 patchSG0002680.DCE_sw32 MD5 checksum: 247FAC6371C9F16EED37ED2ADA18C6FA Filename: patchSG0002680.DCE_sw64 Algorithm #1 (sum -r): 08341 6318 patchSG0002680.DCE_sw64 Algorithm #2 (sum): 24100 6318 patchSG0002680.DCE_sw64 MD5 checksum: 922CF0068BF93FF6B2AEEDF7791CF19D Filename: patchSG0002680.DFS_sw Algorithm #1 (sum -r): 60299 10516 patchSG0002680.DFS_sw Algorithm #2 (sum): 16894 10516 patchSG0002680.DFS_sw MD5 checksum: 8C41AE6B8F34F21CC213307E936D0E7E Filename: patchSG0002680.idb Algorithm #1 (sum -r): 21012 19 patchSG0002680.idb Algorithm #2 (sum): 49791 19 patchSG0002680.idb MD5 checksum: 5F9B2EFBD7382D1E9C805C4AB39790AC Filename: README.patch.2681 Algorithm #1 (sum -r): 37820 17 README.patch.2681 Algorithm #2 (sum): 23466 17 README.patch.2681 MD5 checksum: BF90D4120752681AA8CC85E30D8F9B2C Filename: patchSG0002681 Algorithm #1 (sum -r): 06707 4 patchSG0002681 Algorithm #2 (sum): 52425 4 patchSG0002681 MD5 checksum: D8B53358819662E4F37756EDCBC46E04 Filename: patchSG0002681.DCE_domestic_sw Algorithm #1 (sum -r): 52817 6060 patchSG0002681.DCE_domestic_sw Algorithm #2 (sum): 13736 6060 patchSG0002681.DCE_domestic_sw MD5 checksum: B83F91BF6788F1CF5EF4118B259B3651 Filename: patchSG0002681.DCE_domestic_sw32 Algorithm #1 (sum -r): 02189 5909 patchSG0002681.DCE_domestic_sw32 Algorithm #2 (sum): 26545 5909 patchSG0002681.DCE_domestic_sw32 MD5 checksum: 3494E5F01F246CCAC8F98299B5A0FC06 Filename: patchSG0002681.DCE_domestic_sw64 Algorithm #1 (sum -r): 05410 6378 patchSG0002681.DCE_domestic_sw64 Algorithm #2 (sum): 3477 6378 patchSG0002681.DCE_domestic_sw64 MD5 checksum: 57D90B48AF707EF1C494AEFF621D76B6 Filename: patchSG0002681.DFS_domestic_sw Algorithm #1 (sum -r): 37813 3102 patchSG0002681.DFS_domestic_sw Algorithm #2 (sum): 10135 3102 patchSG0002681.DFS_domestic_sw MD5 checksum: 9098B23B1C947FEF6C6E3282D7C12BC8 Filename: patchSG0002681.idb Algorithm #1 (sum -r): 48063 4 patchSG0002681.idb Algorithm #2 (sum): 34347 4 patchSG0002681.idb MD5 checksum: 0C25153F4F015AC9ABE43AEE37EBE560 Filename: README.patch.2682 Algorithm #1 (sum -r): 36320 16 README.patch.2682 Algorithm #2 (sum): 25472 16 README.patch.2682 MD5 checksum: FBD4E422418F1C04BE834B01DA32A956 Filename: patchSG0002682 Algorithm #1 (sum -r): 44327 6 patchSG0002682 Algorithm #2 (sum): 3707 6 patchSG0002682 MD5 checksum: CB79E4CD6C3D177F4C2F9DC4F2A4C31F Filename: patchSG0002682.DCE_hdr Algorithm #1 (sum -r): 34388 1 patchSG0002682.DCE_hdr Algorithm #2 (sum): 9815 1 patchSG0002682.DCE_hdr MD5 checksum: DFDD445FF99356C86CFBF4C4BAF7F4AB Filename: patchSG0002682.DCE_sw Algorithm #1 (sum -r): 56190 16020 patchSG0002682.DCE_sw Algorithm #2 (sum): 52603 16020 patchSG0002682.DCE_sw MD5 checksum: A9D064BA7D97E4AFDBEDA8BB0428A767 Filename: patchSG0002682.DCE_sw32 Algorithm #1 (sum -r): 26046 6099 patchSG0002682.DCE_sw32 Algorithm #2 (sum): 41071 6099 patchSG0002682.DCE_sw32 MD5 checksum: 73B1042595A90F900B7B4838CA5181DA Filename: patchSG0002682.DCE_sw64 Algorithm #1 (sum -r): 06103 6370 patchSG0002682.DCE_sw64 Algorithm #2 (sum): 63088 6370 patchSG0002682.DCE_sw64 MD5 checksum: FD8A1B2D30FDA797B995117BF140FC55 Filename: patchSG0002682.DFS_sw Algorithm #1 (sum -r): 56717 9573 patchSG0002682.DFS_sw Algorithm #2 (sum): 64974 9573 patchSG0002682.DFS_sw MD5 checksum: 226707FB10F844E2CB4F30595AC70FD8 Filename: patchSG0002682.idb Algorithm #1 (sum -r): 10563 16 patchSG0002682.idb Algorithm #2 (sum): 26825 16 patchSG0002682.idb MD5 checksum: FF387CDB1EE4EF8F9376A850AB2F8379 Filename: README.patch.2683 Algorithm #1 (sum -r): 32338 15 README.patch.2683 Algorithm #2 (sum): 21219 15 README.patch.2683 MD5 checksum: 0DF1BDCD671FA2E03A58C9838A680928 Filename: patchSG0002683 Algorithm #1 (sum -r): 58679 4 patchSG0002683 Algorithm #2 (sum): 56375 4 patchSG0002683 MD5 checksum: F255015A5340CD34B0D707D396FD6D6B Filename: patchSG0002683.DCE_domestic_sw Algorithm #1 (sum -r): 25494 5598 patchSG0002683.DCE_domestic_sw Algorithm #2 (sum): 54032 5598 patchSG0002683.DCE_domestic_sw MD5 checksum: D54E04B44F4385167E3E93B7CC694D5F Filename: patchSG0002683.DCE_domestic_sw32 Algorithm #1 (sum -r): 50283 6197 patchSG0002683.DCE_domestic_sw32 Algorithm #2 (sum): 62501 6197 patchSG0002683.DCE_domestic_sw32 MD5 checksum: B611492E5C9731F095BC21D580405B33 Filename: patchSG0002683.DCE_domestic_sw64 Algorithm #1 (sum -r): 28076 6442 patchSG0002683.DCE_domestic_sw64 Algorithm #2 (sum): 6953 6442 patchSG0002683.DCE_domestic_sw64 MD5 checksum: A81BBDA039240C9EF751557A8D707FE0 Filename: patchSG0002683.DFS_domestic_sw Algorithm #1 (sum -r): 20332 3263 patchSG0002683.DFS_domestic_sw Algorithm #2 (sum): 63172 3263 patchSG0002683.DFS_domestic_sw MD5 checksum: E24CE4010A087AF805253C5BCCF6A325 Filename: patchSG0002683.idb Algorithm #1 (sum -r): 30870 4 patchSG0002683.idb Algorithm #2 (sum): 34408 4 patchSG0002683.idb MD5 checksum: 991B340AFDE13737FA40F584D4854989 - ------------------------ - --- Acknowledgments --- - ------------------------ Silicon Graphics wishes to thank the the CERT Coordination Center for their assistance in this matter. - ----------------------------------------------------------- - --- Silicon Graphics Inc. Security Information/Contacts --- - ----------------------------------------------------------- If there are questions about this document, email can be sent to cse-security-alert@sgi.com. ------oOo------ Silicon Graphics provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security information and patches is sgigate.sgi.com (204.94.209.1). Security information and patches are located under the directories ~ftp/security and ~ftp/patches, respectively. The Silicon Graphics Security Headquarters Web page is accessible at the URL http://www.sgi.com/Support/security/security.html. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. ------oOo------ Silicon Graphics provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/Support/security/wiretap.html) or by sending email to SGI as outlined below. % mail wiretap-request@sgi.com subscribe wiretap end ^d In the example above, is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message. ------oOo------ Silicon Graphics provides a comprehensive customer World Wide Web site. This site is located at http://www.sgi.com/Support/security/security.html. ------oOo------ For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. ______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, Silicon Graphics is appropriately credited and the document retains and includes its valid PGP signature. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNYawbbQ4cFApAP75AQFqPAP/UzEcvdjhYI0Er3qyyD6TFY+XdI6SGozh 2VYWp/SynZ5LSiL6RJ25RXBuNZVWYwOxnj/UtxGTOi2bdUtW+EnzEtdOQpeTXrk+ Z5trfGVOr0w3vQdzwPC9HQ9YCC6qFTsGoR3cZC7rnpEdd3BqDCbPhG9reO0Tk9v8 W60B5v7c2M4= =ea2s -----END PGP SIGNATURE-----