************************************************************************** Security Bulletin 9512 DISA Defense Communications System March 9, 1995 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9510). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= CERT Vendor-Initiated Bulletin VB-95:02 March 8, 1995 Topic: IRIX 5.2, 6.0, 6.0.1 Desktop Permissions Tool Source: Silicon Graphics Inc. To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Silicon Graphics Inc. (SGI). SGI urges you to act on this information as soon as possible. SGI contact information is included in the forwarded text below; please contact them if you have any questions or need further information. ========================FORWARDED TEXT STARTS HERE============================ _______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: IRIX 5.2, 6.0, 6.0.1 Desktop Permissions Tool Number: 19950301-01-P373 Date: March 3, 1995 _______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI community for its consideration, interpretation and implementation. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any consequential damages arising from the use of, or failure to use or use properly, any of the instructions or information in this Security Advisory. _______________________________________________________________________________ A vulnerability has been discovered in the IRIX 5.2, 6.0, and 6.0.1 operating systems regarding the permissions tool under the IRIX desktop environment. Normally, this tool is used by users to modify the permissions on their files and files they are privileged for. Under certain conditions, a user may be able to modify the permissions for any file. This is identified as SGI SCR # 265071. SGI Engineering has investigated this issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 5.2, 6.0, and 6.0.1 . This issue is corrected in 5.3 of IRIX and will be corrected in future releases of IRIX. - -------------------------- - --- Immediate Solution --- - -------------------------- The most immediate solution for this issue is to remove the setuid/setgid bits on /usr/lib/permissions, or to remove the tool entirely. Removing the setuid/setgid bits will limit the tool to only function on files owned by the user using the tool. 1) Become the root user on the system. % /bin/su - Password: # 2) Change the unix permissions level on the desktop permissions program. # chmod u-s /usr/lib/desktop/permissions # chmod g-s /usr/lib/desktop/permissions 3) Return to previous user. # exit % - -------------------------- - --- Long Term Solution --- - -------------------------- *** IRIX 5.0.x, 5.1.x **** The versions 5.0.x and 5.1.x of IRIX were limited hardware, specific releases and have since been obsoleted by later versions of IRIX. For supportability reasons, upgrading to at least IRIX 5.2 is recommended as a first step for all problem resolution. IRIX 5.0.x, 5.1.x ARE NOT subject to this vulnerability. **** IRIX 5.2, 6.0, 6.0.1 **** >>>> IRIX 5.3 IS NOT SUBJECT TO THIS VULNERABILITY. <<<< For the IRIX operating system versions 5.2, 6.0 and 6.0.1, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 373 and will install on IRIX 5.2, 6.0 and 6.0.1 . - -NOTE- Inst-able patches require a patch-aware inst program. The stock 5.2 inst program with the base install is not patch-aware. The 6.0 and 6.0.1 inst programs are. A patch-aware inst program for IRIX 5.2 is available as patch number 0, 34, or 84. Any one of these may be used, with 84 the latest, most recommended, and available via your service provider or the usual SGI anonymous ftp sites. The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1). Additionally, the alternative SGI anonymous ftp site, sgigate.sgi.com, can be accessed to find the same files. On each of these servers, patch 373 can be found in the following directories: ~ftp/Security or ~ftp/Patches/5.2 ~ftp/Patches/6.0 ~ftp/Patches/6.0.1 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: patchSG0000373 Algorithm #1 (sum -r): 51249 1 patchSG0000373 Algorithm #2 (sum): 21641 1 patchSG0000373 MD5 checksum: 40A604013A05C2521152ED4B51C5D9A5 Filename: patchSG0000373.desktop_eoe_sw Algorithm #1 (sum -r): 09134 88 patchSG0000373.desktop_eoe_sw Algorithm #2 (sum): 63013 88 patchSG0000373.desktop_eoe_sw MD5 checksum: D74F9BDED3D51E9D28666CADF1B31945 Filename: patchSG0000373.idb Algorithm #1 (sum -r): 50435 1 patchSG0000373.idb Algorithm #2 (sum): 41363 1 patchSG0000373.idb MD5 checksum: 790E9A47909BC32D8E9FCE14EA4077D8 - ------------------------------------ - --- Further Information/Contacts --- - ------------------------------------ For obtaining security information, patches or assistance, please contact your SGI support provider. If there are questions about this document, email can be sent to cse-security-alert@csd.sgi.com . For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com . =========================FORWARDED TEXT ENDS HERE============================= CERT bulletins, CERT advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org. CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org. If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted. The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details). Internet E-mail: cert@cert.org Telephone: +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax: +1 412-268-6989 CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 USA CERT is a service mark of Carnegie Mellon University. **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DDN Security bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.