Date: Tue, 15 May 2001 09:13:51 -0400
From: X-Force <[email protected]>
To: [email protected]Subject: ISS Advisory: Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Advisory
May 9, 2001
Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner
Infrastructure
Synopsis:
ISS X-Force has discovered a buffer overflow in the “rpc.espd” component
of the Embedded Support Partner (ESP) subsystem. ESP is installed and
enabled by default on all current SGI IRIX installations.
Impact:
There is a buffer overflow in “rpc.espd” that may allow remote attackers
to execute arbitrary commands on a vulnerable host. A local account is
not required to exploit this vulnerability.
Affected Versions:
IRIX 6.5.5 – 6.5.8
Description:
ESP was developed by SGI to address the concerns of many system
administrators who needed to manage large-scale SGI environments. ESP
allows administrators better access to information regarding the state
of all SGI devices on a network. It integrates and correlates system
configuration management, event management, resource management,
reporting, statistics generation and analysis as well as many other
features.
ESP was first introduced in IRIX version 6.5.5. The ESP daemon,
rpc.espd, contains a buffer overflow condition that may allow remote
attackers to execute arbitrary commands with super user privileges on
the target server.
Recommendations:
SGI recommends immediately disabling rpc.espd to prevent exposure before
patches can be applied. To disable rpc.espd:
1. Become the root user on the system.
% /bin/su -
Password:
#
2. Change the permissions on the rpc.espd daemon.
# /bin/chmod -x /usr/etc/rpc.espd
3. Restart inetd to kill any vulnerable running daemons.
# /etc/killall -HUP inetd
4. Return to previous level.
# exit
%
SGI has made security patch 4123 available to address this
vulnerability. SGI security patches can be found at:
http://www.sgi.com/support/security.
ISS X-Force recommends that all unused daemons or services be disabled
to prevent exposure to both known and unknown vulnerabilities.
ISS’ SAFEsuite intrusion detection system, RealSecure, and network
security assessment system, Internet Scanner, will have signatures
available for this vulnerability in upcoming X-Press Updates.
Additional Information:
SGI Security Advisory, “IRIX Embedded Support Partner Buffer Overflow”:
http://www.sgi.com/support/security/advisories.html
SGI Services and Support website:
http://www.sgi.com/support
SGI Services and Support, Security homepage:
http://www.sgi.com/support/security
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0331 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
Credits:
This vulnerability was discovered and researched by Mark Dowd of ISS
X-Force. Internet Security Systems would like to thank SGI for their
response and handling of this vulnerability.
______
About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.
Copyright (c) 2001 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail [email protected] for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBOwErXTRfJiV99eG9AQHdSwP/Xir9QRH69YGZnZJuWJLXWg1vXGgA+z41
clDzwo0B8FJgRo+VVz0MWCoMZgCQGDFf3o0JG1l+FFpiLNBnyo6c3KZLEEYTXsT+
sZp7wju1JbJvKkmp5aemREIrgjAIaG/laUNHnPyRak2URaWYDWsLbimLoaCTVxh+
3ildktReFF8=
=/dxQ
-----END PGP SIGNATURE-----