Bugtraq mailing list archives

SGI Security Advisory 19951101 - telnetd : UPDATE


From: agent99 () boytoy csd sgi com (SGI Security Coordinator)
Date: Fri, 17 Nov 1995 12:42:02 -0800


For public release.


-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   Telnetd vulnerability reported by MIT
        Title:   CERT Advisory CA-95:14 - Telnetd Environment Vulnerability
        Number:  19951101-02-P1010o1020
        Date:    November 16, 1995

________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community
for its consideration, interpretation and implementation.   Silicon Graphics
recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any consequential damages arising
from the use of, or failure to use or use properly, any of the instructions
or information in this Security Advisory.
________________________________________________________________________________

- --------------
- --- UPDATE ---
- --------------

In the original advisory, 19951101-01-P1010o1020, the patches 1010 and
1020 were indicated for the wrong versions of IRIX.  Patch 1010 is for
IRIX 6.1 and patch 1020 is for IRIX 5.2, 5.3, 6.0, 6.0.1 .   The
corrections have been made below.

________________________________________________________________________________


As first reported by the MIT Kerberos Development Team, potential
exploits could be directed at telnet daemons that were RFC 1408 and/or
RFC 1572 compliant.  These RFCs are the defining documents for the
"Telnet Environment Option" which provides the ability to transfer
environment variables from one system to another when using the telnet
program.

Silicon Graphics has investigated this issue and recommends the following
steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED that these
measures be done on ALL SGI systems running IRIX 5.2, 5.3, 6.0, 6.0.1
and 6.1.  This issue will be corrected in future releases of IRIX.



- --------------
- --- Impact ---
- --------------

Both local and remote users may be able to become root on a targeted
system.


- ----------------
- --- Solution ---
- ----------------

The solution for this issue is a replacement of the telnetd program
for those versions that are vulnerable.  Silicon Graphics has generated
the following patches for the vulnerable versions and provides them
freely to the community.



**** IRIX 3.x ****

This version of IRIX is not vulnerable.  No action is required.


**** IRIX 4.x ****

This version of IRIX is not vulnerable.  No action is required.


**** IRIX 5.0.x, 5.1.x ****

For the IRIX operating systems versions 5.0.x, 5.1.x, an upgrade
to 5.2 or better is required first.  When the upgrade is completed,
then the patches described in the next sections "**** IRIX 5.2, 5.3, 6.0,
6.0.1 ****" or "**** IRIX 6.1 ****" can be applied.


**** IRIX 5.2, 5.3, 6.0, 6.0.1 ****

For the IRIX operating system versions 5.2, 5.3, 6.0, and 6.0.1,
an inst-able patch has been generated and made available via anonymous
ftp and/or your service/support provider.  The patch is number 1020
and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1 .

The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1).   Patch
1020 can be found in the following directories on the ftp server:

        ~ftp/Security

                or

        ~ftp/Patches/5.2
        ~ftp/Patches/5.3
        ~ftp/Patches/6.0
        ~ftp/Patches/6.0.1

                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.1020
Algorithm #1 (sum -r):    31057 8 README.patch.1020
Algorithm #2 (sum):       40592 8 README.patch.1020
MD5 checksum:             02F06ECD6240015F8DF82A99EC01E911

Filename:                 patchSG0001020
Algorithm #1 (sum -r):    07232 2 patchSG0001020
Algorithm #2 (sum):       47310 2 patchSG0001020
MD5 checksum:             DA2341626FAEB9D67BA85FA3465BA9D9

Filename:                 patchSG0001020.eoe1_sw
Algorithm #1 (sum -r):    22449 62 patchSG0001020.eoe1_sw
Algorithm #2 (sum):       36518 62 patchSG0001020.eoe1_sw
MD5 checksum:             936019F2CC9AB6CAE0D2DF611D461475

Filename:                 patchSG0001020.eoe2_sw
Algorithm #1 (sum -r):    29899 43 patchSG0001020.eoe2_sw
Algorithm #2 (sum):       12088 43 patchSG0001020.eoe2_sw
MD5 checksum:             19A9C0BCB6F178E7EDF86850A1CF81D1

Filename:                 patchSG0001020.idb
Algorithm #1 (sum -r):    64615 2 patchSG0001020.idb
Algorithm #2 (sum):       46761 2 patchSG0001020.idb
MD5 checksum:             487831A62C61FEAF5797859CBC1F018C



**** IRIX 6.1 ****

For the IRIX operating system version 6.1, an inst-able patch has
been generated and made available via anonymous ftp and/or your
service/support provider.  The patch is number 1010 and will
install on IRIX 6.1 .

The SGI anonymous ftp site is sgigate.sgi.com (204.94.209.1).   Patch
1010 can be found in the following directories on the ftp server:

        ~ftp/Security

                or

        ~ftp/Patches/6.1

                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.1010
Algorithm #1 (sum -r):    43949 8 README.patch.1010
Algorithm #2 (sum):       38201 8 README.patch.1010
MD5 checksum:             A8781E18A1F79716FBFE0B6E083DAB31

Filename:                 patchSG0001010
Algorithm #1 (sum -r):    08656 2 patchSG0001010
Algorithm #2 (sum):       45506 2 patchSG0001010
MD5 checksum:             34CF7F63073C225AD76150A4088E76AB

Filename:                 patchSG0001010.eoe1_sw
Algorithm #1 (sum -r):    12843 65 patchSG0001010.eoe1_sw
Algorithm #2 (sum):       42034 65 patchSG0001010.eoe1_sw
MD5 checksum:             82B8D375ECBF58A08286D393CE3980E7

Filename:                 patchSG0001010.eoe2_sw
Algorithm #1 (sum -r):    01655 47 patchSG0001010.eoe2_sw
Algorithm #2 (sum):       19507 47 patchSG0001010.eoe2_sw
MD5 checksum:             1A5C5B5B84E0188A923C48419F716492

Filename:                 patchSG0001010.idb
Algorithm #1 (sum -r):    31514 2 patchSG0001010.idb
Algorithm #2 (sum):       46531 2 patchSG0001010.idb
MD5 checksum:             9540492FEB00D41281AAF90AC3F67FA9



- ------------------------
- --- Acknowledgments ---
- ------------------------

Silicon Graphics wishes to thank Sam Hartman of the MIT Kerberos
Development Team, the MIT Kerberos Development Team and the CERT
Coordination Center for their assistance in this matter.


- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

Past SGI Advisories and security patches can be obtained via
anonymous FTP from sgigate.sgi.com .  These are provided freely
to all interested parties.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert () csd sgi com .

For reporting *NEW* SGI security issues, email can be sent to
security-alert () sgi com or you can contact your SGI support provider.


-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMKzzPbQ4cFApAP75AQEpRgP+N4lFRieTdfTUAEe+PXHxfy6uomFBjfsw
GnSpJWRp0N875XY4wCH6TuOfKiOPixg0Tj/cEJ/th/jYwHvT8Hzps5IXFuGxvdfF
FE1jcaw/u6yaKKVlUSDxjL8UvKv3Lvhb2dSn7Mn2X/g3KGwrImW7F4dBtlm0wNBw
wp+Z0f7VHJc=
=T7/W
-----END PGP SIGNATURE-----
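
The checksum listings in the advisory above can be checked mechanically once the patch tar file has been unpacked. The following is an added example, not part of the SGI advisory: it parses the "Filename:" / "MD5 checksum:" stanza layout used above and compares each listed file in a directory against its published MD5. The function names and the demo.* sample entries are constructed for illustration; `demo()` runs the check against a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the advisory's stanza layout (not real patch data).
SAMPLE = """\
Filename:                 demo.idb
Algorithm #1 (sum -r):    00000 1 demo.idb
MD5 checksum:             900150983CD24FB0D6963F7D28E17F72

Filename:                 demo.sw
MD5 checksum:             900150983CD24FB0D6963F7D28E17F72

Filename:                 demo.absent
MD5 checksum:             900150983CD24FB0D6963F7D28E17F72
"""

def parse_checksums(text):
    """Map each 'Filename:' to the 'MD5 checksum:' that follows it."""
    sums, current = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Filename":
            current = value
        elif key == "MD5 checksum" and current:
            if re.fullmatch(r"[0-9A-Fa-f]{32}", value):
                sums[current] = value.lower()
            current = None  # a stanza contributes at most one MD5
    return sums

def verify(text, directory):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every listed file."""
    results = {}
    for name, expected in parse_checksums(text).items():
        path = Path(directory) / Path(name).name  # ignore any path component
        if not path.is_file():
            results[name] = "missing"
        elif hashlib.md5(path.read_bytes()).hexdigest() == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    with tempfile.TemporaryDirectory() as d:
        Path(d, "demo.idb").write_bytes(b"abc")           # matches the listed MD5
        Path(d, "demo.sw").write_bytes(b"abc, modified")  # does not match
        return verify(SAMPLE, d)
```

To check a real download, pass the advisory text and the directory holding the unpacked patch files to `verify()`; any result other than "ok" means the file should not be installed.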


