ISS Advisory: Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure

[X-Force <xforce () iss net>]

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
May 9, 2001

Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner 
Infrastructure  

Synopsis:

ISS X-Force has discovered a buffer overflow in the “rpc.espd” component
of the Embedded Support Partner (ESP) subsystem. ESP is installed and 
enabled by default on all current SGI IRIX installations.  

Impact:

There is a buffer overflow in “rpc.espd” that may allow remote attackers
to execute arbitrary commands on a vulnerable host. A local account is 
not required to exploit this vulnerability.

Affected Versions:

IRIX 6.5.5 – 6.5.8

Description:

ESP was developed by SGI to address the concerns of many system 
administrators who needed to manage large-scale SGI environments. ESP 
allows administrators better access to information regarding the state 
of all SGI devices on a network. It integrates and correlates system 
configuration management, event management, resource management, 
reporting, statistics generation and analysis as well as many other 
features.

ESP was first introduced in IRIX version 6.5.5. The ESP daemon, 
rpc.espd, contains a buffer overflow condition that may allow remote 
attackers to execute arbitrary commands with super user privileges on 
the target server. 


Recommendations:

SGI recommends immediately disabling rpc.espd to prevent exposure before
patches can be applied.  To disable rpc.espd:

1. Become the root user on the system.

                % /bin/su -
                Password:
                #

    
2. Change the permissions on the rpc.espd daemon.

                # /bin/chmod -x /usr/etc/rpc.espd

3. Restart inetd to kill any vulnerable running daemons.

                # /etc/killall -HUP inetd

4. Return to previous level.

                # exit
                %

SGI has made security patch 4123 available to address this 
vulnerability. SGI security patches can be found at: 
http://www.sgi.com/support/security.

ISS X-Force recommends that all unused daemons or services be disabled
to prevent exposure to both known and unknown vulnerabilities.

ISS’ SAFEsuite intrusion detection system, RealSecure, and network 
security assessment system, Internet Scanner, will have signatures 
available for this vulnerability in upcoming X-Press Updates.

Additional Information:

SGI Security Advisory, “IRIX Embedded Support Partner Buffer Overflow”: 
http://www.sgi.com/support/security/advisories.html
SGI Services and Support website:
http://www.sgi.com/support

SGI Services and Support, Security homepage:
http://www.sgi.com/support/security

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2001-0331 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardizes names for 
security problems. 

Credits:

This vulnerability was discovered and researched by Mark Dowd of ISS 
X-Force. Internet Security Systems would like to thank SGI for their 
response and handling of this vulnerability.

______

About Internet Security Systems (ISS) 
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and 
strategic consulting and education offerings, ISS is a trusted security 
provider to its customers, protecting digital assets and ensuring safe 
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and 
over 35 government agencies. Founded in 1994, ISS is headquartered in 
Atlanta, GA, with additional offices throughout North America and 
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security 
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express 
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please 
e-mail xforce () iss net for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in 
connection with the use or spread of this information. Any use of this
information is at the user's own risk.


X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce () iss net of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOwErXTRfJiV99eG9AQHdSwP/Xir9QRH69YGZnZJuWJLXWg1vXGgA+z41
clDzwo0B8FJgRo+VVz0MWCoMZgCQGDFf3o0JG1l+FFpiLNBnyo6c3KZLEEYTXsT+
sZp7wju1JbJvKkmp5aemREIrgjAIaG/laUNHnPyRak2URaWYDWsLbimLoaCTVxh+
3ildktReFF8=
=/dxQ
-----END PGP SIGNATURE-----