________________________________________________________________________________

                    Silicon Graphics Inc. Security Advisory

        Title:   Avalon Security Research - rpc.ypupdate slammer exploit
        Title:   CERT CA-95:17 rpc.ypupdated Vulnerability
        Number:  19951201-01-P
        Date:    December 12, 1995
________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community for its
consideration, interpretation and implementation. Silicon Graphics recommends
that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any consequential damages arising from
the use of, or failure to use or use properly, any of the instructions or
information in this Security Advisory.
________________________________________________________________________________

As first reported by Avalon Security Research, a vulnerability has been
identified in the rpc.ypupdated and keyserv programs. SGI does not provide the
keyserv program, although there are manual pages referencing it.

Silicon Graphics has investigated this issue and recommends the following steps
for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
done on ALL SGI systems running older versions of IRIX, namely 3.x, 4.x, 5.0.x,
5.1.x, and 5.2. As of version 5.3 of IRIX, this has already been done and no
further action is required.

--------------
--- Impact ---
--------------

Both local and remote users may be able to pass arbitrary commands to the
rpc.ypupdate program.

----------------
--- Solution ---
----------------

The solution for this issue is to deactivate the rpc.ypupdate program on any
system, especially those using NIS (Network Information System).

**** IRIX 3.x, 4.x, 5.0.x, 5.1.x, 5.2 ****

For the IRIX operating systems versions 3.x, 4.x, 5.0.x, 5.1.x, and 5.2, the
following steps are recommended for de-activating the rpc.ypupdate service.
1) Become the root user on the system.

     % /bin/su
     Password:
     #

2) Check to see if the ypupdate service is enabled. If no entry is returned,
   the ypupdate service is currently disabled, but it is still prudent to
   continue with the steps below to ensure the ypupdate service is disabled
   in the appropriate way.

     # rpcinfo -p localhost | grep ypupdate
         100028    tcp    206  ypupdated
     #

3) Edit the file /usr/etc/inetd.conf (3.x and 4.x) or /etc/inetd.conf
   (5.0.x, 5.1.x, and 5.2). Place a "#" as the first character of the
   ypupdate line to comment out and deactivate the service.

     # vi /usr/etc/inetd.conf

     {Find the following line}

     ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated ypupdated

     {Place a "#" as the first character of the ypupdate line}

     #ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated ypupdated

     {Save the file and exit}

4) Force inetd to re-read the configuration file.

     # /etc/killall -HUP inetd

5) Verify no ypupdate service is running.

     # rpcinfo -p localhost | grep ypupdate
     #

6) Return to previous level.

     # exit
     $

**** IRIX 5.3, 6.0, 6.0.1, 6.1 ****

Beginning with IRIX 5.3, the rpc.ypupdate service was commented out in the
/etc/inetd.conf file and a comment was added stating that rpc.ypupdate was
believed to be insecure. No further action is required, unless the leading
"#" character commenting out the ypupdate service has been removed. If it has
been removed, then the same steps need to be taken as outlined in the above
"**** IRIX 3.x, 4.x, 5.0.x, 5.1.x, 5.2 ****" section.

-----------------------
--- Acknowledgments ---
-----------------------

Silicon Graphics wishes to thank Avalon Security Research and the CERT
Coordination Center for their assistance in this matter.

-----------------------------------------
--- SGI Security Information Contacts ---
-----------------------------------------

Past SGI Advisories and security patches can be obtained via anonymous FTP
from sgigate.sgi.com . These are provided freely to all interested parties.
For assistance obtaining or working with security patches, please contact your
SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com .

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or by contacting your SGI support provider.
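The audit-and-disable procedure from the Solution section (steps 2, 3 and 5), scripted as an added example; this is not part of the SGI advisory, and the file paths and the sample inetd.conf contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the SGI advisory: audit an inetd.conf file for an
# active rpc.ypupdated entry and comment it out, the way steps 2, 3 and 5 do
# by hand. File paths and the sample configuration are constructed here.

# True (exit 0) when the file still carries an uncommented ypupdated entry.
ypupdated_active_in() {
    grep -q '^[[:space:]]*ypupdated/' "$1"
}

# Put "#" in front of every active ypupdated entry. Already-commented lines
# do not match, so running this twice still leaves a single leading "#".
disable_ypupdated_in() {
    tmp="$1.tmp.$$"
    sed 's|^\([[:space:]]*ypupdated/\)|#\1|' "$1" > "$tmp" && mv "$tmp" "$1"
}

# True when a captured "rpcinfo -p" listing shows the service registered
# (the advisory's sample output lists it as program 100028, ypupdated).
ypupdated_registered() {
    printf '%s\n' "$1" | grep -q '[[:space:]]ypupdated$'
}

# Constructed sample in the IRIX inetd.conf format quoted in step 3.
SAMPLE_CONF="${TMPDIR:-/tmp}/inetd.conf.example.$$"
cat > "$SAMPLE_CONF" <<'EOF'
ftp       stream  tcp      nowait root /usr/etc/ftpd         ftpd -l
ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated ypupdated
EOF

if ypupdated_active_in "$SAMPLE_CONF"; then
    echo "ypupdated is enabled in $SAMPLE_CONF: commenting it out"
    disable_ypupdated_in "$SAMPLE_CONF"
else
    echo "ypupdated is already disabled in $SAMPLE_CONF"
fi
cat "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
# On a live host, step 4 follows (/etc/killall -HUP inetd), after which
# "rpcinfo -p localhost | grep ypupdate" should return nothing (step 5).
```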