Bugtraq mailing list archives

SGI Security Advisory 19961102 - FLEXlm and LicenseManager


From: agent99 () boytoy csd sgi com (SGI Security Coordinator)
Date: Thu, 21 Nov 1996 13:51:18 -0800


DISTRIBUTION RESTRICTIONS -    NONE : FOR PUBLIC RELEASE




-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   FLEXlm and LicenseManager security vulnerabilities
        Title:   AUSCERT Advisory AA-96.03
        Number:  19961102-01-PX
        Date:    November 21, 1996
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.   Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics  will  not  be  liable  for any  indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________


Recently, a root compromise security issue with the LicenseManager program
was publicly announced.   Additionally, the Australian Computer Emergency
Response Team (AUSCERT) released an advisory (AA-96.03) on the related
FLEXlm licensing subsystem.

Silicon Graphics Inc. has investigated these issues and recommends the
following steps for neutralizing exposure.  It is HIGHLY RECOMMENDED
that these measures be implemented on ALL SGI systems running IRIX versions
5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2 and 6.3.  This issue will be
corrected in future releases of IRIX.


--------------
--- Impact ---
--------------


The LicenseManager program and the FLEXlm license subsystem are used
for software licensing.

For both security issues, a root compromise is possible.

An account on the vulnerable system is required for exploitation.  With an
account, these vulnerabilities are exploitable by both local and remote
access.

Exploit information for these vulnerabilities has been publicly and
widely distributed.



----------------
--- Solution ---
----------------

The solution to this problem is to install version 3.0 of the License
Tools, license_eoe subsystem.

To determine the version of License Tools installed on a particular
system, the following command can be used:


   % versions license_eoe

   I = Installed, R = Removed

   Name                 Date      Description

   I  license_eoe          02/13/96  License Tools 1.0
   I  license_eoe.man      02/13/96  License Tools 1.0 Manual Pages
   I  license_eoe.man.license_eoe  02/13/96  License Tools 1.0 Manual Pages
   I  license_eoe.man.relnotes  02/13/96  License Tools 1.0 Release Notes
   I  license_eoe.sw       02/13/96  License Tools 1.0 Software
   I  license_eoe.sw.license_eoe  02/13/96  License Tools 1.0 Software



In the above case, version 1.0 of the License Tools is installed and the
steps below should be performed.  If the output returned indicates
"License Tools 3.0," the latest license subsystem is installed and no
further action is required.




**** IRIX 4.x ****

The 4.x version of IRIX is not vulnerable as no license manager
subsystems were released for this IRIX version.  No action is
required.



**** IRIX 5.0.x, 5.1.x, 5.2 ****

The 5.0.x, 5.1.x and 5.2 versions of IRIX are not vulnerable as no
license manager subsystems were released for these IRIX versions.
No action is required.



**** IRIX 5.3 ****

For the IRIX operating system version 5.3 an inst-able new version
of software has been generated and made available via anonymous FTP
and your service/support provider.  The software is version 3.0 of
the License Tools, license_eoe subsystem and will install on IRIX 5.3
only.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.   Software is referred to as License5.3.tar and
can be found in the following directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/5.3

                        ##### Checksums ####

The actual software will be a tar file containing the following files:


Filename:                 license_eoe
Algorithm #1 (sum -r):    01409 7 license_eoe
Algorithm #2 (sum):       56955 7 license_eoe
MD5 checksum:             38232F3DE67373875577B167B2DA2DA3

Filename:                 license_eoe.books
Algorithm #1 (sum -r):    33405 809 license_eoe.books
Algorithm #2 (sum):       53177 809 license_eoe.books
MD5 checksum:             D1D931936AB681A7B259BD75DCA6D7F9

Filename:                 license_eoe.idb
Algorithm #1 (sum -r):    59742 54 license_eoe.idb
Algorithm #2 (sum):       32839 54 license_eoe.idb
MD5 checksum:             4F7EE6965539FCFEEDE07E3FFD71CF5A

Filename:                 license_eoe.man
Algorithm #1 (sum -r):    58166 271 license_eoe.man
Algorithm #2 (sum):       23426 271 license_eoe.man
MD5 checksum:             41946D8E27032A929350B2C27D065DE5

Filename:                 license_eoe.sw
Algorithm #1 (sum -r):    29827 7692 license_eoe.sw
Algorithm #2 (sum):       52617 7692 license_eoe.sw
MD5 checksum:             720EF1907DD0C3113CB4A98AD602010B



**** IRIX 6.0, 6.0.1 ****

The 6.0.x versions of IRIX are not vulnerable as no license manager
subsystems were released for these IRIX versions.  No action is required.



**** IRIX 6.1 ****

The license manager software provided with IRIX 6.1 is version
1.0 of the License Tools, license_eoe subsystem for IRIX 6.1.   This
version is not vulnerable to these security issues.

However, if the License Tools, license_eoe subsystem was upgraded (see
the section above on determining the installed version with the
versions command), then a security vulnerability might exist.
To remove this vulnerability, either downgrade to version 1.0 of the
License Tools, license_eoe subsystem, or upgrade the entire system to
IRIX 6.2 and apply version 3.0 of the License Tools, license_eoe
subsystem.



**** IRIX 6.2 ****

For the IRIX operating system version 6.2 an inst-able new version
of software has been generated and made available via anonymous FTP
and your service/support provider.  The software is version 3.0 of
the License Tools, license_eoe subsystem and will install on IRIX 6.2
only.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.   Software is referred to as License6.2.tar and
can be found in the following directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/6.2

                        ##### Checksums ####

The actual software will be a tar file containing the following files:


Filename:                 license_eoe
Algorithm #1 (sum -r):    53638 7 license_eoe
Algorithm #2 (sum):       7547 7 license_eoe
MD5 checksum:             05A65EE03BEE71A464D4B7AB9962F228

Filename:                 license_eoe.books
Algorithm #1 (sum -r):    03494 907 license_eoe.books
Algorithm #2 (sum):       25664 907 license_eoe.books
MD5 checksum:             AE86ED7D3C36F67C2505C06C41FCD174

Filename:                 license_eoe.idb
Algorithm #1 (sum -r):    15441 58 license_eoe.idb
Algorithm #2 (sum):       59702 58 license_eoe.idb
MD5 checksum:             811CD48FA5BD57E79B4D36839185EED9

Filename:                 license_eoe.man
Algorithm #1 (sum -r):    63961 271 license_eoe.man
Algorithm #2 (sum):       25496 271 license_eoe.man
MD5 checksum:             3086F992150A673C5110CCC16E20CA96

Filename:                 license_eoe.sw
Algorithm #1 (sum -r):    05953 7483 license_eoe.sw
Algorithm #2 (sum):       33599 7483 license_eoe.sw
MD5 checksum:             BE52C7C2CCDAB2B491F6FA0412E4A66D



**** IRIX 6.3 ****

The license manager software provided with this version of
IRIX is not vulnerable to these security issues.
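The version check and the per-release decisions above, as an added example that is not part of the SGI advisory: the script parses the output of versions license_eoe (a constructed sample is embedded) and maps the IRIX release plus the installed License Tools version to the action this advisory prescribes; the function names and the sample output are assumptions.

```shell
#!/bin/sh
# Added example, not from the SGI advisory: decide what the advisory asks
# for from the IRIX release and the installed License Tools version.

# Constructed sample of `versions license_eoe` output (License Tools 1.0).
SAMPLE_VERSIONS='I = Installed, R = Removed

   Name                 Date      Description

   I  license_eoe          02/13/96  License Tools 1.0
   I  license_eoe.man      02/13/96  License Tools 1.0 Manual Pages
   I  license_eoe.sw       02/13/96  License Tools 1.0 Software'

# license_tools_version: print the License Tools version ("1.0", "3.0")
# from versions(1M) output on stdin, or "none" if the top-level
# license_eoe product is not installed.
license_tools_version() {
    awk 'BEGIN { v = "none" }
         $1 == "I" && $2 == "license_eoe" {
             for (i = 1; i <= NF; i++) if ($i == "Tools") { v = $(i + 1); break }
         }
         END { print v }'
}

# advisory_action IRIX_RELEASE LICENSE_TOOLS_VERSION
# Print the recommendation of advisory 19961102-01-PX for that pair.
advisory_action() {
    rel=$1; ver=$2
    case "$rel" in
        4.*|5.0*|5.1*|5.2|6.0*|6.3) echo "no action required" ;;
        5.3|6.2)
            # Releases that ship a fixed License Tools 3.0 package.
            if [ "$ver" = "3.0" ]; then echo "no action required"
            else echo "install License${rel}.tar (License Tools 3.0)"; fi ;;
        6.1)
            # Only the stock 1.0 subsystem is safe on 6.1.
            case "$ver" in
                none|1.0) echo "no action required" ;;
                *) echo "downgrade to License Tools 1.0, or upgrade to IRIX 6.2 and install License Tools 3.0" ;;
            esac ;;
        *) echo "release not covered by advisory 19961102-01-PX" ;;
    esac
}

# check_host [IRIX_RELEASE]: combine the release (default: uname -r) with
# the parsed sample output; on a real host pipe `versions license_eoe` in.
check_host() {
    ver=$(printf '%s\n' "$SAMPLE_VERSIONS" | license_tools_version)
    advisory_action "${1:-$(uname -r)}" "$ver"
}
```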



------------------------
--- Acknowledgments ---
------------------------


Silicon Graphics wishes to thank the AUSCERT group for their
cooperation in this matter.



-----------------------------------------
--- SGI Security Information/Contacts ---
-----------------------------------------

If there are questions about this document, email can be sent to
cse-security-alert () csd sgi com.

                      ------oOo------

Silicon Graphics provides security information and patches for
use by the entire SGI community.  This information is freely
available to any person needing the information and is available
via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1).  Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The Silicon Graphics Security Headquarters Web page is
accessible at the URL http://www.sgi.com/Support/Secur/security.html.

For issues with the patches on the FTP sites, email can be sent to
cse-security-alert () csd sgi com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

Silicon Graphics provides a free security mailing list service
called wiretap and encourages interested parties to self-subscribe
to receive (via email) all SGI Security Advisories when they are
released. Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/Secur/wiretap.html) or by sending email
to SGI as outlined below.

% mail wiretap-request () sgi com
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.


                      ------oOo------

Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/Secur/security.html.

                      ------oOo------

For reporting *NEW* SGI security issues, email can be sent to
security-alert () sgi com or contact your SGI support provider.  A
support contract is not required for submitting a security report.



