Potential Denial of Service Vulnerability in IRIX RPC-based libc
Date: Thu, 7 Nov 2002 16:12:01 -0800
From: SGI Security Coordinator <[email protected]>
To: [email protected]
Subject: Potential Denial of Service Vulnerability in IRIX RPC-based libc
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SGI Security Advisory
Title : Potential Denial of Service Vulnerability in RPC-based libc
Number : 20021103-01-P
Date : November 7, 2002
Reference: CERT VU#266817
Reference: CVE CAN-2002-1265
Reference: SGI BUGS 852333 and 871325
Fixed in : IRIX 6.5.18
Fixed in : SGI PATCHES 4838, 4839, 4842, 4843, 4840, 4845, 4841, and 4846
______________________________________________________________________________
- -----------------------
- --- Issue Specifics ---
- -----------------------
It's been reported that SGI IRIX's Sun RPC-based libc implementation fails
to provide an adequate time-out mechanism when reading data from TCP
connections. As a result, a remote attacker can deny service to system
daemons.
See http://www.kb.cert.org/vuls/id/266817 for additional details.
This vulnerability has been assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1265
SGI has investigated the issue and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.
These issues have been corrected with patches and in IRIX 6.5.18.
- --------------
- --- Impact ---
- --------------
The libc library is installed by default on IRIX 6.5 systems as part of
eoe.sw.base.
To determine the version of IRIX you are running, execute the following
command:
# /bin/uname -R
That will return a result similar to the following:
# 6.5 6.5.16f
The first number ("6.5") is the release name, the second ("6.5.16f" in this
case) is the extended release name. The extended release name is the
"version" we refer to throughout this document.
- ----------------------------
- --- Temporary Workaround ---
- ----------------------------
Apart from not running Sun RPC services, there is no effective workaround
available for this vulnerability. SGI recommends either upgrading to IRIX
6.5.18 or later, or installing the appropriate patch from the listing below.
- ----------------
- --- Solution ---
- ----------------
SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.18 or later, or install the
appropriate patch.
OS Version Vulnerable? Patch # Other Actions
---------- ----------- ------- -------------
IRIX 3.x unknown Note 1
IRIX 4.x unknown Note 1
IRIX 5.x unknown Note 1
IRIX 6.0.x unknown Note 1
IRIX 6.1 unknown Note 1
IRIX 6.2 unknown Note 1
IRIX 6.3 unknown Note 1
IRIX 6.4 unknown Note 1
IRIX 6.5 yes Notes 2 & 3
IRIX 6.5.1 yes Notes 2 & 3
IRIX 6.5.2 yes Notes 2 & 3
IRIX 6.5.3 yes Notes 2 & 3
IRIX 6.5.4 yes Notes 2 & 3
IRIX 6.5.5 yes Notes 2 & 3
IRIX 6.5.6 yes Notes 2 & 3
IRIX 6.5.7 yes Notes 2 & 3
IRIX 6.5.8 yes Notes 2 & 3
IRIX 6.5.9 yes Notes 2 & 3
IRIX 6.5.10 yes Notes 2 & 3
IRIX 6.5.11 yes Notes 2 & 3
IRIX 6.5.12 yes Notes 2 & 3
IRIX 6.5.13 yes Notes 2 & 3
IRIX 6.5.14m yes 4838 Notes 2 & 3
IRIX 6.5.14f yes 4839 Notes 2 & 3
IRIX 6.5.15m yes 4842 Notes 2 & 3
IRIX 6.5.15f yes 4843 Notes 2 & 3
IRIX 6.5.16m yes 4840 Notes 2 & 3
IRIX 6.5.16f yes 4845 Notes 2 & 3
IRIX 6.5.17m yes 4841 Notes 2 & 3
IRIX 6.5.17f yes 4846 Notes 2 & 3
IRIX 6.5.18 no
NOTES
1) This version of the IRIX operating has been retired. Upgrade to an
actively supported IRIX operating system. See
http://support.sgi.com/irix/news/index.html#policy for more
information.
2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
IRIX Maintenance releases can be downloaded from:
http://support.sgi.com/colls/patches/tools/relstream/index.html
3) Upgrade to IRIX 6.5.18 or later.
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
Filename: README.patch.4838
Algorithm #1 (sum -r): 19885 9 README.patch.4838
Algorithm #2 (sum): 13097 9 README.patch.4838
MD5 checksum: 7078E8BE364B66AD17884D5945DC4CB9
Filename: patchSG0004838
Algorithm #1 (sum -r): 24098 8 patchSG0004838
Algorithm #2 (sum): 6796 8 patchSG0004838
MD5 checksum: 6F0A4437FA7FEDCB9FBA2F71BF809241
Filename: patchSG0004838.dev_sw
Algorithm #1 (sum -r): 17117 2818 patchSG0004838.dev_sw
Algorithm #2 (sum): 18437 2818 patchSG0004838.dev_sw
MD5 checksum: FED63E719498CA1B3AD8615A9568CC2D
Filename: patchSG0004838.eoe_sw
Algorithm #1 (sum -r): 30194 14114 patchSG0004838.eoe_sw
Algorithm #2 (sum): 41513 14114 patchSG0004838.eoe_sw
MD5 checksum: 98573E1526D6C9675ED8108769D4F385
Filename: patchSG0004838.eoe_sw64
Algorithm #1 (sum -r): 43406 5399 patchSG0004838.eoe_sw64
Algorithm #2 (sum): 32065 5399 patchSG0004838.eoe_sw64
MD5 checksum: DA06569D206C45411DEF7E0C5818204E
Filename: patchSG0004838.idb
Algorithm #1 (sum -r): 51210 9 patchSG0004838.idb
Algorithm #2 (sum): 24509 9 patchSG0004838.idb
MD5 checksum: 99F8DFD00B6093E6B13D3101522B162A
Filename: patchSG0004838.nfs_sw
Algorithm #1 (sum -r): 12748 116 patchSG0004838.nfs_sw
Algorithm #2 (sum): 12251 116 patchSG0004838.nfs_sw
MD5 checksum: D1230952ADBB05C53AF20138EFF3690A
Filename: README.patch.4839
Algorithm #1 (sum -r): 14005 9 README.patch.4839
Algorithm #2 (sum): 13201 9 README.patch.4839
MD5 checksum: 46A8E945CBCC8BCA46FF7FD9D1EA6910
Filename: patchSG0004839
Algorithm #1 (sum -r): 34628 8 patchSG0004839
Algorithm #2 (sum): 10416 8 patchSG0004839
MD5 checksum: 5977417007A971698B094DF1B817FB6F
Filename: patchSG0004839.dev_sw
Algorithm #1 (sum -r): 41960 2875 patchSG0004839.dev_sw
Algorithm #2 (sum): 39191 2875 patchSG0004839.dev_sw
MD5 checksum: 2A67C5A6F62548AFFEFA8589DD64AF27
Filename: patchSG0004839.eoe_sw
Algorithm #1 (sum -r): 42870 14337 patchSG0004839.eoe_sw
Algorithm #2 (sum): 61013 14337 patchSG0004839.eoe_sw
MD5 checksum: 348F4806AB2030B734354E9DBB7A7416
Filename: patchSG0004839.eoe_sw64
Algorithm #1 (sum -r): 27069 5458 patchSG0004839.eoe_sw64
Algorithm #2 (sum): 53826 5458 patchSG0004839.eoe_sw64
MD5 checksum: D5C1FB6A8B3FE06DEC02E884DA92FB50
Filename: patchSG0004839.idb
Algorithm #1 (sum -r): 25993 10 patchSG0004839.idb
Algorithm #2 (sum): 48707 10 patchSG0004839.idb
MD5 checksum: A02EA03F18092C44F80DD4BCA8B96A34
Filename: patchSG0004839.nfs_sw
Algorithm #1 (sum -r): 07622 116 patchSG0004839.nfs_sw
Algorithm #2 (sum): 17748 116 patchSG0004839.nfs_sw
MD5 checksum: 8708378B609033A8341B717CC5008BD1
Filename: README.patch.4840
Algorithm #1 (sum -r): 20515 9 README.patch.4840
Algorithm #2 (sum): 58541 9 README.patch.4840
MD5 checksum: 3D64AB943625700D8A7D17DA984EE552
Filename: patchSG0004840
Algorithm #1 (sum -r): 33589 7 patchSG0004840
Algorithm #2 (sum): 8028 7 patchSG0004840
MD5 checksum: 17DF232BE1999A657450C4AE6425E53D
Filename: patchSG0004840.dev_sw
Algorithm #1 (sum -r): 58282 2826 patchSG0004840.dev_sw
Algorithm #2 (sum): 36641 2826 patchSG0004840.dev_sw
MD5 checksum: 0BD37AE226BE29536481AB41A5B01C7D
Filename: patchSG0004840.eoe_sw
Algorithm #1 (sum -r): 61024 13972 patchSG0004840.eoe_sw
Algorithm #2 (sum): 63438 13972 patchSG0004840.eoe_sw
MD5 checksum: 8DE1DBF47D8B30A8C85BFAF4441E193E
Filename: patchSG0004840.eoe_sw64
Algorithm #1 (sum -r): 44518 5364 patchSG0004840.eoe_sw64
Algorithm #2 (sum): 13550 5364 patchSG0004840.eoe_sw64
MD5 checksum: 404D699F3D639A4B27F9CD203202DE96
Filename: patchSG0004840.idb
Algorithm #1 (sum -r): 44412 9 patchSG0004840.idb
Algorithm #2 (sum): 24146 9 patchSG0004840.idb
MD5 checksum: 04D9723849742C3247EC2C1794887C95
Filename: patchSG0004840.nfs_sw
Algorithm #1 (sum -r): 52254 115 patchSG0004840.nfs_sw
Algorithm #2 (sum): 57763 115 patchSG0004840.nfs_sw
MD5 checksum: AFE6A163705946DD64FBC771402672BE
Filename: README.patch.4841
Algorithm #1 (sum -r): 39516 8 README.patch.4841
Algorithm #2 (sum): 51942 8 README.patch.4841
MD5 checksum: 0DF3A6DD4089A091107B85F1C452B4FD
Filename: patchSG0004841
Algorithm #1 (sum -r): 21644 7 patchSG0004841
Algorithm #2 (sum): 26440 7 patchSG0004841
MD5 checksum: 170C62A295C551DDAF9F1B2AFCB5CC6F
Filename: patchSG0004841.dev_sw
Algorithm #1 (sum -r): 55759 2871 patchSG0004841.dev_sw
Algorithm #2 (sum): 18216 2871 patchSG0004841.dev_sw
MD5 checksum: 35CD9FC24D8B6C5336AD2E92491D7CB1
Filename: patchSG0004841.eoe_sw
Algorithm #1 (sum -r): 55359 14385 patchSG0004841.eoe_sw
Algorithm #2 (sum): 13255 14385 patchSG0004841.eoe_sw
MD5 checksum: D78BD738AC236A1E365C951C694E7DBF
Filename: patchSG0004841.eoe_sw64
Algorithm #1 (sum -r): 11901 5507 patchSG0004841.eoe_sw64
Algorithm #2 (sum): 1227 5507 patchSG0004841.eoe_sw64
MD5 checksum: 0ABBC1280C1C575E26703F99E2B95679
Filename: patchSG0004841.idb
Algorithm #1 (sum -r): 35148 9 patchSG0004841.idb
Algorithm #2 (sum): 24716 9 patchSG0004841.idb
MD5 checksum: 72DF4286A116FE33989B57C73CA8491A
Filename: patchSG0004841.nfs_sw
Algorithm #1 (sum -r): 01746 115 patchSG0004841.nfs_sw
Algorithm #2 (sum): 45471 115 patchSG0004841.nfs_sw
MD5 checksum: 2E4FACCCF7FBFD8C4BE97CFB9B04964E
Filename: README.patch.4842
Algorithm #1 (sum -r): 14274 9 README.patch.4842
Algorithm #2 (sum): 163 9 README.patch.4842
MD5 checksum: EA36BFA20213B334DA8629D63776A58A
Filename: patch4842.chksums.only
Algorithm #1 (sum -r): 21612 1 patch4842.chksums.only
Algorithm #2 (sum): 12946 1 patch4842.chksums.only
MD5 checksum: 90D3A42670B02F2694AF9D81606EB121
Filename: patch4842.pgp.and.chksums
Algorithm #1 (sum -r): 10982 1 patch4842.pgp.and.chksums
Algorithm #2 (sum): 36306 1 patch4842.pgp.and.chksums
MD5 checksum: 7B754813CC95136AB0BABD79D0A6DD98
Filename: patchSG0004842
Algorithm #1 (sum -r): 33358 8 patchSG0004842
Algorithm #2 (sum): 56140 8 patchSG0004842
MD5 checksum: 2CF724DB759B31426CC6449C4B482643
Filename: patchSG0004842.dev_sw
Algorithm #1 (sum -r): 64975 2819 patchSG0004842.dev_sw
Algorithm #2 (sum): 54094 2819 patchSG0004842.dev_sw
MD5 checksum: EFCDC46B2D915E443987E76FD558BBCE
Filename: patchSG0004842.eoe_sw
Algorithm #1 (sum -r): 04239 13999 patchSG0004842.eoe_sw
Algorithm #2 (sum): 5063 13999 patchSG0004842.eoe_sw
MD5 checksum: 42BA5415EDBF8BF87BF1CEF940297176
Filename: patchSG0004842.eoe_sw64
Algorithm #1 (sum -r): 62079 5370 patchSG0004842.eoe_sw64
Algorithm #2 (sum): 15526 5370 patchSG0004842.eoe_sw64
MD5 checksum: C05E2C12ABD1A8B4186B4D1D04227AE9
Filename: patchSG0004842.idb
Algorithm #1 (sum -r): 56186 9 patchSG0004842.idb
Algorithm #2 (sum): 36284 9 patchSG0004842.idb
MD5 checksum: DFD4AE06B37ABCE5DC8B1E7D0E4D593C
Filename: README.patch.4843
Algorithm #1 (sum -r): 24801 9 README.patch.4843
Algorithm #2 (sum): 184 9 README.patch.4843
MD5 checksum: B8FF9691288E65F9E0F3E0D033BA03B9
Filename: patchSG0004843
Algorithm #1 (sum -r): 38630 8 patchSG0004843
Algorithm #2 (sum): 45967 8 patchSG0004843
MD5 checksum: E9F5395B41BB98DA493F95B6740A40C0
Filename: patchSG0004843.dev_sw
Algorithm #1 (sum -r): 57071 2875 patchSG0004843.dev_sw
Algorithm #2 (sum): 47966 2875 patchSG0004843.dev_sw
MD5 checksum: 2352B26245F960BD74EE560A32BD09AC
Filename: patchSG0004843.eoe_sw
Algorithm #1 (sum -r): 54319 14237 patchSG0004843.eoe_sw
Algorithm #2 (sum): 9088 14237 patchSG0004843.eoe_sw
MD5 checksum: 03D46304F9D281FE3EBB4269129ED71A
Filename: patchSG0004843.eoe_sw64
Algorithm #1 (sum -r): 53290 5426 patchSG0004843.eoe_sw64
Algorithm #2 (sum): 45901 5426 patchSG0004843.eoe_sw64
MD5 checksum: 455F0E5F967003BF5C193728AC027324
Filename: patchSG0004843.idb
Algorithm #1 (sum -r): 25411 9 patchSG0004843.idb
Algorithm #2 (sum): 36397 9 patchSG0004843.idb
MD5 checksum: E9F6235ADFA442C7A8388785D7AE984A
Filename: patchSG0004843.nfs_sw
Algorithm #1 (sum -r): 07004 115 patchSG0004843.nfs_sw
Algorithm #2 (sum): 7005 115 patchSG0004843.nfs_sw
MD5 checksum: 8355903908696CF88F6C8474B1441E5F
Filename: README.patch.4845
Algorithm #1 (sum -r): 19621 9 README.patch.4845
Algorithm #2 (sum): 63174 9 README.patch.4845
MD5 checksum: 5D7D0872F054F678FC73ADD9A7927A0B
Filename: patchSG0004845
Algorithm #1 (sum -r): 60677 7 patchSG0004845
Algorithm #2 (sum): 13336 7 patchSG0004845
MD5 checksum: 7F3ED1EC3C69BAA0F684CE257ABAA9DE
Filename: patchSG0004845.dev_sw
Algorithm #1 (sum -r): 64467 2870 patchSG0004845.dev_sw
Algorithm #2 (sum): 36886 2870 patchSG0004845.dev_sw
MD5 checksum: DF9B3BE33373A9B5F310C771DA9919FC
Filename: patchSG0004845.eoe_sw
Algorithm #1 (sum -r): 14438 14238 patchSG0004845.eoe_sw
Algorithm #2 (sum): 52196 14238 patchSG0004845.eoe_sw
MD5 checksum: 0752B61F0C5F78165B0864A143F12F5D
Filename: patchSG0004845.eoe_sw64
Algorithm #1 (sum -r): 61870 5427 patchSG0004845.eoe_sw64
Algorithm #2 (sum): 63001 5427 patchSG0004845.eoe_sw64
MD5 checksum: 1FD7650F3A0CA53984F55C97422B6FA5
Filename: patchSG0004845.idb
Algorithm #1 (sum -r): 17076 9 patchSG0004845.idb
Algorithm #2 (sum): 24881 9 patchSG0004845.idb
MD5 checksum: E78AB9246B89958F691F3F7F3C177D2C
Filename: patchSG0004845.nfs_sw
Algorithm #1 (sum -r): 29287 115 patchSG0004845.nfs_sw
Algorithm #2 (sum): 59944 115 patchSG0004845.nfs_sw
MD5 checksum: FA80429C42EA051F4F03173C27605BC6
Filename: README.patch.4846
Algorithm #1 (sum -r): 11014 8 README.patch.4846
Algorithm #2 (sum): 53086 8 README.patch.4846
MD5 checksum: 2C079AD39C98F6D6EE41F37674FD894A
Filename: patchSG0004846
Algorithm #1 (sum -r): 62823 7 patchSG0004846
Algorithm #2 (sum): 15205 7 patchSG0004846
MD5 checksum: 3FD1F15E1049B60567936DD178615052
Filename: patchSG0004846.dev_sw
Algorithm #1 (sum -r): 54372 2915 patchSG0004846.dev_sw
Algorithm #2 (sum): 26322 2915 patchSG0004846.dev_sw
MD5 checksum: 81EB7CA9497F9A3B9F517E0AAC513C2C
Filename: patchSG0004846.eoe_sw
Algorithm #1 (sum -r): 57605 14590 patchSG0004846.eoe_sw
Algorithm #2 (sum): 20324 14590 patchSG0004846.eoe_sw
MD5 checksum: 7C8C11F425B9AFA3306A64CFD1C456DE
Filename: patchSG0004846.eoe_sw64
Algorithm #1 (sum -r): 47150 5597 patchSG0004846.eoe_sw64
Algorithm #2 (sum): 46479 5597 patchSG0004846.eoe_sw64
MD5 checksum: D9D3B4B3FEEC03E66A26C28F62873050
Filename: patchSG0004846.idb
Algorithm #1 (sum -r): 55346 9 patchSG0004846.idb
Algorithm #2 (sum): 24828 9 patchSG0004846.idb
MD5 checksum: 5CB936EAE37711BC192D278A6673D9FE
Filename: patchSG0004846.nfs_sw
Algorithm #1 (sum -r): 19473 115 patchSG0004846.nfs_sw
Algorithm #2 (sum): 45973 115 patchSG0004846.nfs_sw
MD5 checksum: 048B53C03E380E4A1370BC573078FBA2
- ------------------------
- --- Acknowledgments ----
- ------------------------
SGI wishes to thank CERT and the users of the Internet Community at large
for their assistance in this matter.
- -------------
- --- Links ---
- -------------
SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/
SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/
SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/
SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/
SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/
SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/
SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/
IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/
IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html
IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/
For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.
- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------
If there are questions about this document, email can be sent to
[email protected].
------oOo------
SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/
The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/
For issues with the patches on the FTP sites, email can be sent to
[email protected].
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.
% mail [email protected]
subscribe wiretap <YourEmailAddress such as [email protected] >
end
^d
In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to. The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.
------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .
------oOo------
If there are general security questions on SGI systems, email can be sent to
[email protected].
For reporting *NEW* SGI security issues, email can be sent to
[email protected] or contact your SGI support provider. A support
contract is not required for submitting a security report.
______________________________________________________________________________
This information is provided freely to all interested parties
and may be redistributed provided that it is not altered in any
way, SGI is appropriately credited and the document retains and
includes its valid PGP signature.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBPcr58bQ4cFApAP75AQH6TAP8CJWPoJCSaAaqmsQ8pm7A+hekQoW62HQs
YtKImdiqCWmNQRZll6p5kMVYusnRl84UAgwkJM68Hu3kSVL7PyMtWbjE+L/eHfWC
7X+bgN3Id9x8ExLtmt0Qta/OmjuMzg8oigfI9PikAWrTjTArlR8SzHyOBGtA27eB
HTnj+yKw+OY=
=7lr/
-----END PGP SIGNATURE-----