S-00-08.htm
Posted Jan 10, 2000
SHA-256 | a19b93b4a3a38999425725d04cad148f202b9a169eb2929abc9d5502aaf77e8e
<html>

<head>
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
<title>CERT-NL S-00-08</title>
</head>

<body link="#009966" vlink="#006041">
<div align="left">

<table border="0" width="100%" cellspacing="0">
<tr>
<td colspan="3" bgcolor="#009966" width="762"><blockquote>
<p><font face="Arial"><strong><big>Security Advisory</big></strong></font></p>
</blockquote>
</td>
<td colspan="2" align="right" bgcolor="#009966" width="105"><img
src="../../hs-kader-logo.gif" alt="hs-kader-logo.gif (586 bytes)" width="100" height="41"></td>
<td align="center" bgcolor="#009966" colspan="2" width="110"><strong><font face="Arial">CERT-NL</font></strong></td>
</tr>
<tr>
<td width="118" bgcolor="#99CC99">Author/Source</td>
<td width="10" bgcolor="#99CC99">:</td>
<td width="630">Xander Jansen</td>
<td width="99" bgcolor="#99CC99">Index</td>
<td colspan="2" width="8" bgcolor="#99CC99">:</td>
<td align="right" width="106">S-00-08</td>
</tr>
<tr>
<td width="118" bgcolor="#99CC99">Distribution</td>
<td width="10" bgcolor="#99CC99">:</td>
<td width="630">World</td>
<td width="99" bgcolor="#99CC99">Page</td>
<td colspan="2" width="8" bgcolor="#99CC99">:</td>
<td align="right" width="106">1</td>
</tr>
<tr>
<td width="118" bgcolor="#99CC99">Classification</td>
<td width="10" bgcolor="#99CC99">:</td>
<td width="630">External</td>
<td width="99" bgcolor="#99CC99">Version</td>
<td colspan="2" width="8" bgcolor="#99CC99">:</td>
<td align="right" width="106">1</td>
</tr>
<tr>
<td width="118" bgcolor="#99CC99" valign="top">Subject</td>
<td width="10" bgcolor="#99CC99" valign="top"><big><strong>:</strong></big></td>
<td width="630" bgcolor="#d4d4d4"><big><strong>SGI IRIX fam service Vulnerability</strong></big></td>
<td width="99" bgcolor="#99CC99" valign="top">Date</td>
<td colspan="2" width="8" bgcolor="#99CC99" valign="top">:</td>
<td align="right" width="106" bgcolor="#D4D4D4" valign="top">04-Mar-2000</td>
</tr>
</table>
</div>

<p>By courtesy of Silicon Graphics we received information on a vulnerability in the SGI
IRIX fam service that allows remote users access to local information. <br>
CERT-NL recommends following the steps outlined below.</p>

<hr>

<p align="center">SGI Security Advisory</p>

<blockquote>
<blockquote>
<div align="left"><table border="0">
<tr>
<td>Title:</td>
<td> fam Vulnerability</td>
</tr>
<tr>
<td>Title:</td>
<td> NAI-0016: Silicon Graphics IRIX fam service</td>
</tr>
<tr>
<td>Number:</td>
<td> 20000301-01-I</td>
</tr>
<tr>
<td>Date:</td>
<td> March 1, 2000</td>
</tr>
</table>
</div>
</blockquote>
</blockquote>

<hr>

<p>SGI provides this information freely to the SGI user community for its consideration,
interpretation, implementation and use. SGI recommends that this information be acted upon
as soon as possible.</p>

<p>SGI provides the information in this Security Advisory on an "AS-IS" basis
only, and disclaims all warranties with respect thereto, express, implied or otherwise,
including, without limitation, any warranty of merchantability or fitness for a particular
purpose. In no event shall SGI be liable for any loss of profits, loss of business, loss
of data or for any indirect, special, exemplary, incidental or consequential damages of
any kind arising from your use of, failure to use or improper use of any of the
instructions or information in this Security Advisory.</p>

<hr>

<p>As a follow-up to the NAI Advisory #16: "Silicon Graphics IRIX fam service",
SGI has investigated and has open-sourced fam, which includes the fix for this
vulnerability.</p>
<div align="left">

<table border="2">
<tr>
<td>Issue Specifics</td>
</tr>
</table>
</div>

<p>The fam daemon is an RPC server that tracks changes to the filesystem.</p>

<p>NAI has reported that a vulnerability has been discovered in fam which allows an
attacker to learn the names of files and directories on IRIX systems.</p>

<p>SGI has investigated the issue and recommends the following steps for neutralizing the
exposure. It is recommended that these measures be implemented on all vulnerable SGI
systems running the fam service.</p>
<div align="left">

<table border="2">
<tr>
<td>Impact</td>
</tr>
</table>
</div>

<p>The fam daemon is installed by default on all versions of IRIX 5.X and IRIX 6.X.</p>

<p>A local user account on the vulnerable system is not required in order to exploit the
fam daemon.</p>

<p>The vulnerability can be exploited remotely by using carefully crafted RPC packets that
are sent to the fam daemon.</p>

<p>The vulnerability leads to unauthorized access to the names of files and directories on
an IRIX system.</p>

<p>This vulnerability was reported by Network Associates, Inc. in Advisory NAI-0016:<br>
<a href="http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp">http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp</a></p>

<p>This vulnerability has been publicly discussed in Usenet newsgroups and mailing lists.</p>
<div align="left">

<table border="2">
<tr>
<td>Temporary Solution</td>
</tr>
</table>
</div>

<p>Although a version of fam which fixes this vulnerability is available as open source,
it is realized that there may be situations where compiling and installing the new version
may not be possible.</p>

<p>The steps below can be used to disable the fam daemon.</p>

<blockquote>
<p>&nbsp;</p>
<div align="left"><table border="2">
<tr>
<td>**** WARNING ****</td>
</tr>
</table>
</div><p>Disabling the fam daemon will impact and/or disable applications that use the
RPC-based fam daemon. This includes fm, mailbox, mediad, scanners, sysmon, fxbuilder,
IRIS Annotator and applications like MediaMail that are linked with the libfam.a static
library.</p>
<ol>
<li>Become the root user on the system.<blockquote>
<pre>% /bin/su -
Password:
#</pre>
</blockquote>
</li>
<li>Comment out the fam service in /etc/inetd.conf<blockquote>
<pre># vi /etc/inetd.conf</pre>
</blockquote>
<blockquote>
<p>Change the line:</p>
<pre>sgi_fam/1 stream rpc/tcp wait root ?/usr/etc/fam fam</pre>
<p>To:</p>
<pre>#sgi_fam/1 stream rpc/tcp wait root ?/usr/etc/fam fam</pre>
<p>and save the file.</p>
</blockquote>
</li>
<li>Restart inetd.<blockquote>
<pre># /etc/killall -HUP inetd</pre>
</blockquote>
</li>
<li>Kill any running fam daemon<br>
NOTE: This may disable applications that use fam including MediaMail.<blockquote>
<pre># /etc/killall fam</pre>
</blockquote>
</li>
<li>Return to previous level.<blockquote>
<pre># exit
%</pre>
</blockquote>
</li>
</ol>
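<p>Added example, not part of the SGI or CERT-NL advisory: a POSIX shell sketch of step 2 that
comments out the sgi_fam entry idempotently, keeps a backup and verifies the result. The function
names, the <code>.pre-fam</code> backup suffix and the sample file are assumptions made for
illustration, and the script has not been tested against IRIX's own grep and sed.</p>

```shell
#!/bin/sh
# Added example: audit and disable the sgi_fam entry in an inetd.conf-style file.
# Function names, backup suffix and sample data are illustrative assumptions.

# fam_enabled FILE: succeed if an active (uncommented) sgi_fam entry exists.
fam_enabled() {
    grep -Eq '^[[:space:]]*sgi_fam/' "$1"
}

# disable_fam FILE: comment out every active sgi_fam entry.
# Idempotent: if nothing is enabled the file is left untouched.
disable_fam() {
    conf=$1
    fam_enabled "$conf" || return 0
    cp -p "$conf" "$conf.pre-fam" || return 1          # backup for rollback
    tmp="$conf.tmp.$$"
    sed 's|^[[:space:]]*sgi_fam/|#&|' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite with cat rather than mv so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# make_sample FILE: write a constructed inetd.conf fragment for testing.
# Only the sgi_fam line is taken from the advisory; the ftp line is made up.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system's inetd.conf
ftp stream tcp nowait root /usr/etc/ftpd ftpd -l
sgi_fam/1 stream rpc/tcp wait root ?/usr/etc/fam fam
EOF
}

# Usage: sh disable_fam.sh /etc/inetd.conf   (as root)
if [ -n "${1:-}" ]; then
    if disable_fam "$1" && ! fam_enabled "$1"; then
        echo "sgi_fam is disabled in $1"
        # Steps 3 and 4 of the advisory still have to be run afterwards:
        #   /etc/killall -HUP inetd
        #   /etc/killall fam
    else
        echo "failed to disable sgi_fam in $1" >&2
        exit 1
    fi
fi
```

<p>The configuration change alone does not stop an already running fam process, which is why
steps 3 and 4 remain necessary.</p>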
<div align="left"><table border="2">
<tr>
<td>Solution</td>
</tr>
</table>
</div><p>SGI has open sourced the fam daemon and the source code is available from:<br>
<a href="http://oss.sgi.com/projects/fam/">http://oss.sgi.com/projects/fam/</a></p>
<p>The open source version of fam has a fix for this vulnerability.</p>
<p>Patches are being built for currently supported IRIX operating systems and this
advisory will be updated when these patches are made available.</p>
<p>The fam vulnerability is scheduled to be fixed in IRIX 6.5.8.</p>
<div align="left"><table border="2">
<tr>
<td>Acknowledgments</td>
</tr>
</table>
</div><p>SGI wishes to thank Network Associates, Inc. for their assistance in this
matter.</p>
<div align="left"><table border="2">
<tr>
<td>SGI Security Information/Contacts</td>
</tr>
</table>
</div><p>If there are questions about this document, email can be sent to <a
href="mailto:cse-security-alert@sgi.com">cse-security-alert@sgi.com</a>.</p>
<p align="center">------oOo------</p>
</blockquote>

<hr>

<p><font color="#006041"><strong>CERT-NL</strong> </font>is the Computer Emergency
Response Team for SURFnet customers. SURFnet is the Dutch network for educational,
research and related institutes. <strong><font color="#006041">CERT-NL</font></strong> is
a member of the Forum of Incident Response and Security Teams (<a
href="http://www.first.org">FIRST</a>).</p>

<p>All <strong><font color="#006041">CERT-NL</font></strong> material is available under:<br>
&nbsp;&nbsp; <a href="http://cert.surfnet.nl/">http://cert.surfnet.nl/</a></p>

<p>In case of computer or network security problems please contact your local
CERT/security-team or<font color="#006041"> <strong>CERT-NL</strong></font>&nbsp; (if your
institute is NOT a SURFnet customer please address the appropriate (local)
CERT/security-team).</p>

<p><strong><font color="#006041">CERT-NL</font></strong> is one/two hour(s) ahead of UTC
(GMT) in winter/summer,<br>
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).</p>
<div align="left">

<table border="0" width="80%" bgcolor="#DCDCDC" cellspacing="0" height="192">
<tr>
<td valign="top" height="24">Email:</td>
<td height="24"><a href="mailto:cert-nl@surfnet.nl">cert-nl@surfnet.nl</a></td>
<td height="24">ATTENDED REGULARLY ALL DAYS</td>
</tr>
<tr>
<td valign="top" height="24">Phone:</td>
<td height="24">+31 302 305 305</td>
<td height="24">BUSINESS HOURS ONLY</td>
</tr>
<tr>
<td valign="top" height="24">Fax: </td>
<td height="24">+31 302 305 329 </td>
<td height="24">BUSINESS HOURS ONLY</td>
</tr>
<tr>
<td valign="top" height="112">Snailmail:</td>
<td height="112">SURFnet bv<br>
Attn. CERT-NL<br>
P.O. Box 19035<br>
NL - 3501 DA&nbsp; UTRECHT<br>
The Netherlands</td>
<td height="112">.</td>
</tr>
</table>
</div>

<p>EMERGENCIES:&nbsp;&nbsp;&nbsp; 06 22 92 35 64&nbsp;&nbsp;&nbsp;&nbsp; ALWAYS
REACHABLE<br>
EMERGENCIES : +31 6 22 92 35 64&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ATTENDED AT ALL TIMES<br>
CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:<br>
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING
WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER.
CERT-NL WILL THEN CONTACT YOU.</p>

</body>
</html>