Bugtraq mailing list archives
SGI Security Advisory 19951101 - telnetd : UPDATE
From: agent99 () boytoy csd sgi com (SGI Security Coordinator)
Date: Fri, 17 Nov 1995 12:42:02 -0800
For public release. -----BEGIN PGP SIGNED MESSAGE----- ________________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: Telnetd vulnerability reported by MIT Title: CERT Advisory CA-95:14 - Telnetd Environment Vulnerability Number: 19951101-02-P1010o1020 Date: November 16, 1995 ________________________________________________________________________________ Silicon Graphics provides this information freely to the SGI community for its consideration, interpretation and implementation. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any consequential damages arising from the use of, or failure to use or use properly, any of the instructions or information in this Security Advisory. ________________________________________________________________________________ - -------------- - --- UPDATE --- - -------------- In the original advisory, 19951101-01-P1010o1020, the patches 1010 and 1020 were indicated for the wrong versions of IRIX. Patch 1010 is for IRIX 6.1 and patch 1020 is for IRIX 5.2, 5.3, 6.0, 6.0.1 . The corrections have been made below. ________________________________________________________________________________ As first reported by the MIT Kerberos Development Team, potential exploits could be directed at telnet daemons that were RFC 1408 and/or RFC 1572 compliant. These RFCs are the defining documents for the "Telnet Environment Option" which provides the ability to transfer environment variables from one system to another when using the telnet program. Silicon Graphics has investigated this issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 5.2, 5.3, 6.0, 6.0.1 and 6.1. This issue will be corrected in future releases of IRIX. - -------------- - --- Impact --- - -------------- Both local and remote users may be able to become root on a targeted system. - ---------------- - --- Solution --- - ---------------- The solution for this issue is a replacement of the telnetd program for those versions that are vulnerable. The following patches have been generated for those versions vulnerable and freely provides them for the community. **** IRIX 3.x **** This version of IRIX is not vulnerable. No action is required. **** IRIX 4.x **** This version of IRIX is not vulnerable. No action is required. **** IRIX 5.0.x, 5.1.x **** For the IRIX operating systems versions 5.0.x, 5.1.x, an upgrade to 5.2 or better is required first. When the upgrade is completed, then the patches described in the next sections "**** IRIX 5.2, 5.3, 6.0, 6.0.1, 6.1 ***" or "**** IRIX 6.1 ****" can be applied. **** IRIX 5.2, 5.3, 6.0, 6.0.1 **** For the IRIX operating system versions 5.2, 5.3, 6.0, and 6.0.1, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 1020 and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1 . The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1). Patch 1020 can be found in the following directories on the ftp server: ~ftp/Security or ~ftp/Patches/5.2 ~ftp/Patches/5.3 ~ftp/Patches/6.0 ~ftp/Patches/6.0.1 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: README.patch.1020 Algorithm #1 (sum -r): 31057 8 README.patch.1020 Algorithm #2 (sum): 40592 8 README.patch.1020 MD5 checksum: 02F06ECD6240015F8DF82A99EC01E911 Filename: patchSG0001020 Algorithm #1 (sum -r): 07232 2 patchSG0001020 Algorithm #2 (sum): 47310 2 patchSG0001020 MD5 checksum: DA2341626FAEB9D67BA85FA3465BA9D9 Filename: patchSG0001020.eoe1_sw Algorithm #1 (sum -r): 22449 62 patchSG0001020.eoe1_sw Algorithm #2 (sum): 36518 62 patchSG0001020.eoe1_sw MD5 checksum: 936019F2CC9AB6CAE0D2DF611D461475 Filename: patchSG0001020.eoe2_sw Algorithm #1 (sum -r): 29899 43 patchSG0001020.eoe2_sw Algorithm #2 (sum): 12088 43 patchSG0001020.eoe2_sw MD5 checksum: 19A9C0BCB6F178E7EDF86850A1CF81D1 Filename: patchSG0001020.idb Algorithm #1 (sum -r): 64615 2 patchSG0001020.idb Algorithm #2 (sum): 46761 2 patchSG0001020.idb MD5 checksum: 487831A62C61FEAF5797859CBC1F018C **** IRIX 6.1 **** For the IRIX operating system version 6.1, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 1010 and will install on IRIX 6.1 . The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1). Patch 1010 can be found in the following directories on the ftp server: ~ftp/Security or ~ftp/Patches/6.1 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: README.patch.1010 Algorithm #1 (sum -r): 43949 8 README.patch.1010 Algorithm #2 (sum): 38201 8 README.patch.1010 MD5 checksum: A8781E18A1F79716FBFE0B6E083DAB31 Filename: patchSG0001010 Algorithm #1 (sum -r): 08656 2 patchSG0001010 Algorithm #2 (sum): 45506 2 patchSG0001010 MD5 checksum: 34CF7F63073C225AD76150A4088E76AB Filename: patchSG0001010.eoe1_sw Algorithm #1 (sum -r): 12843 65 patchSG0001010.eoe1_sw Algorithm #2 (sum): 42034 65 patchSG0001010.eoe1_sw MD5 checksum: 82B8D375ECBF58A08286D393CE3980E7 Filename: patchSG0001010.eoe2_sw Algorithm #1 (sum -r): 01655 47 patchSG0001010.eoe2_sw Algorithm #2 (sum): 19507 47 patchSG0001010.eoe2_sw MD5 checksum: 1A5C5B5B84E0188A923C48419F716492 Filename: patchSG0001010.idb Algorithm #1 (sum -r): 31514 2 patchSG0001010.idb Algorithm #2 (sum): 46531 2 patchSG0001010.idb MD5 checksum: 9540492FEB00D41281AAF90AC3F67FA9 - ------------------------ - --- Acknowledgments --- - ------------------------ Silicon Graphics wishes to thank Sam Hartman of the MIT Kerberos Development Team, the MIT Kerberos Development Team and the CERT Coordination Center for their assistance in this matter. - ----------------------------------------- - --- SGI Security Information/Contacts --- - ----------------------------------------- Past SGI Advisories and security patches can be obtained via anonymous FTP from sgigate.sgi.com . These are provided freely to all interested parties. For assistance obtaining or working with security patches, please contact your SGI support provider. If there are questions about this document, email can be sent to cse-security-alert () csd sgi com . For reporting *NEW* SGI security issues, email can be sent to security-alert () sgi com or contacting your SGI support provider. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMKzzPbQ4cFApAP75AQEpRgP+N4lFRieTdfTUAEe+PXHxfy6uomFBjfsw GnSpJWRp0N875XY4wCH6TuOfKiOPixg0Tj/cEJ/th/jYwHvT8Hzps5IXFuGxvdfF FE1jcaw/u6yaKKVlUSDxjL8UvKv3Lvhb2dSn7Mn2X/g3KGwrImW7F4dBtlm0wNBw wp+Z0f7VHJc= =T7/W -----END PGP SIGNATURE-----
Current thread:
- Re: SunOS syslog() fix, finally..., (continued)
- Re: SunOS syslog() fix, finally... Casper Dik (Nov 04)
- Re: SunOS syslog() fix, finally... Scott Barman (Nov 08)
- Re: SunOS syslog() fix, finally... Jake Luck (Nov 09)
- Re: SunOS syslog() fix, finally... Casper Dik (Nov 10)
- Re: SunOS syslog() fix, finally... Jake Luck (Nov 10)
- Re: SunOS syslog() fix, finally... Casper Dik (Nov 13)
- Re: SunOS syslog() fix, finally... Brett Lymn (Nov 13)
- ufsrestore suid root not a security hole Sean Vickery (Nov 16)
- Re: SunOS syslog() fix, finally... Casper Dik (Nov 17)
- SGI Security Advisory 19951101 - telnetd SGI Security Coordinator (Nov 17)
- SGI Security Advisory 19951101 - telnetd : UPDATE SGI Security Coordinator (Nov 17)
- Re: SunOS syslog() fix, finally... Pug (Nov 10)
- Turning dynamic into static? Lawrence R. Rogers (Nov 09)
- Re: Does the shared lib bug work on any suid program ? Fred Blonder (Nov 03)
- Re: Does the shared lib bug work on any suid program ? John Capo (Nov 03)
- Re: Does the shared lib bug work on any suid program ? Justin Mason (Nov 06)
- Re: a point is being missed Scott Barman (Nov 03)
- Re: a point is being missed John Stewart (Nov 03)