=============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Henk Steenman Index : S-96-11 Distribution : World Page : 1 Classification: External Version: 1 Subject : SGI Sendmail update Date : 01-mar-96 =============================================================================== By courtesy of Silicon Graphics Inc. we received information on a vulnerability in Sendmail on all SGI systems running IRIX 3.x, 4.x, 5.x and 6.x. CERT-NL recommends to take the apropriate measures described below to neutralize the possible exploitation of this vulnerability CERT-NL does NOT YET mirror SGI patches on the SURFnet infoserver. ============================================================================== ______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: Sendmail update for CERT Advisory CA-96.04 Title: Corrupt Information from Network Servers Number: 19960203-01-P1146 Date: February 27, 1996 ______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any indirect, special, or consequential damages arising from the use of, failure to use or improper use of any of the instructions or information in this Security Advisory. ______________________________________________________________________________ As a followup to the CERT Advisory CA-96.04 ("Corrupt Information from Network Servers"), SGI recommends the following steps for neutralizing the possible means of exploit. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 3.x, 4.x, 5.x and 6.x. The issue will be permanently corrected in a future release of IRIX. - - - -------------- - - - --- Impact --- - - - -------------- Dependant on system configuration, network topology and other factors, exploitation of this vulnerability could possibly allow remote access by unauthorized users. This could possibly lead to elevated privilege access including root by both local and remote users. - - - ---------------- - - - --- Solution --- - - - ---------------- **** IRIX 3.x **** Silicon Graphics Inc, no longer supports the IRIX 3.x operating system and therefore has no patches or binaries to provide. However, two possible actions still remain: 1) upgrade the system to a supported version of IRIX (see below) and then install the patch or 2) obtain the sendmail source code from anonymous FTP at ftp.cs.berkeley.edu and compile the program manually. Please, note that SGI will not assist with or support 3rd party sendmail programs. **** IRIX 4.x **** As of the date of this document, SGI does not have a IRIX 4.x binary replacement that addresses this particular issue. If in the future, a replacement binary is generated, additional advisory information will be provided. However, two other possible actions are: 1) upgrade the system to a supported version of IRIX (see below) and then install the patch or 2) obtain the sendmail source code from anonymous FTP at ftp.cs.berkeley.edu and compile the program manually. Please, note that SGI will not assist with or support 3rd party sendmail programs. **** IRIX 5.0.x, 5.1.x **** For the IRIX operating systems versions 5.0.x and 5.1.x, an upgrade to 5.2 or better is required first. When the upgrade is completed, then the patches described in the following sections can be applied depending on the final version of the upgrade. **** IRIX 5.2, 5.3, 6.0, 6.0.1, 6.1 **** For the IRIX operating system versions 5.2, 5.3, 6.0, 6.0.1, and 6.1 an inst-able patch has been generated and made available via anonymous FTP and your service/support provider. The patch is number 1146 and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Patch 1146 can be found in the following directories on the FTP server: ~ftp/Security or ~ftp/Patches/5.2 ~ftp/Patches/5.3 ~ftp/Patches/6.0 ~ftp/Patches/6.0.1 ~ftp/Patches/6.1 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: patchSG0001146 Algorithm #1 (sum -r): 15709 3 patchSG0001146 Algorithm #2 (sum): 16842 3 patchSG0001146 MD5 checksum: 055B660E1D5C1E38BC3128ADE7FC9A95 Filename: patchSG0001146.eoe1_man Algorithm #1 (sum -r): 26276 76 patchSG0001146.eoe1_man Algorithm #2 (sum): 1567 76 patchSG0001146.eoe1_man MD5 checksum: 883BC696F0A57B47F1CBAFA74BF53E81 Filename: patchSG0001146.eoe1_sw Algorithm #1 (sum -r): 61872 382 patchSG0001146.eoe1_sw Algorithm #2 (sum): 42032 382 patchSG0001146.eoe1_sw MD5 checksum: 412AB1A279A030192EA2A082CBA0D6E7 Filename: patchSG0001146.idb Algorithm #1 (sum -r): 39588 4 patchSG0001146.idb Algorithm #2 (sum): 10621 4 patchSG0001146.idb MD5 checksum: 259DD47E4574DAF9041675D64C39102E - - - ----------------------- - - - --- Acknowledgments --- - - - ----------------------- Silicon Graphics wishes to thank the CERT Coordination Center, Eric Allman of Pangaea Reference Systems, Eric Halil of AUSCERT, Wolfgang Ley of DFN-CERT, Andrew Gross of San Diego Supercomputer Center, and Paul Vixie for their assistance in this issue. - - - ----------------------------------------- - - - --- SGI Security Information/Contacts --- - - - ----------------------------------------- Past SGI Advisories and security patches can be obtained via anonymous FTP from sgigate.sgi.com or its mirror, ftp.sgi.com. These security patches and advisories are provided freely to all interested parties. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@csd.sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. If there are questions about this document, email can be sent to cse-security-alert@csd.sgi.com. For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://www.surfnet.nl/surfnet/security/cert-nl.html ftp://ftp.surfnet.nl/surfnet/net-security In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl Phone: +31 302 305 305 Fax: +31 302 305 329 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ============================================================================== -----BEGIN PGP MESSAGE----- Version: 2.6.2i iQCVAwUAMTcrIGL2fnkJN/jpAQHkGQP9E+JcPha00fd6q5iMH8j1OM0AjJhVqQe2 g3YTjCH8SaHNDSxl1zhH9+XYIQ1jQzX2wBIZLRYPhn6WG7yY3MLGTSpM4BSVYkLS LCcFlprEp4PyN7j6QPoiqrZRlIKGhHZgspsRfrXfD9PrC12W5KXwvQbc4vr6Rxvh h8K0NtMt9Xk= =QaNm -----END PGP MESSAGE-----