_____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /   
                          \___  __|__  /   \  \___
            _____________________________________________________

             ADVISORY NOTICE

         SGI IRIX serial_ports Vulnerability

October 4, 1994 1600 PDT                                       Number F-01
_____________________________________________________________________________

PROBLEM:        A vulnerability exists in /usr/lib/vadmin/serial_ports.
PLATFORM:       SGI IRIX Version 4.X and 5.X.
DAMAGE:         Unauthorized users can elevate their privileges to root.
SOLUTION:       Change the permissions on /usr/lib/vadmin/serial_ports.
_____________________________________________________________________________

VULNERABILITY   An exploitation script for this vulnerability has been widely
ASSESSMENT:     distributed on the Internet.  Affected sites should install
                this fix as soon as possible.
_____________________________________________________________________________

    Critical Information about IRIX serial_ports

CIAC has received information about a vulnerability in the Silicon Graphics
IRIX operating system.  The file /usr/lib/vadmin/serial_ports contains a
vulnerability which can allow a non-privileged user to become root.

IRIX Version 4.X

This program is used to set up serial ports in IRIX Version 4.X.  CIAC
strongly recommends that the permissions on this file be modified
by performing the following command as root:

     # /bin/chmod 700 /usr/lib/vadmin/serial_ports

This will remove the vulnerability.  Since this program is used only to
configure the serial ports on an IRIX 4.X system, changing the permissions
will not affect any functionality of the system involved.

IRIX Version 5.X

This program is not used in IRIX Version 5.X, but the vulnerability may be
present if the method used to upgrade from Version 4.X did not remove the
file.  CIAC strongly recommends that if you are running Version 5.X check to
see if /usr/lib/vadmin/serial_ports is present on your system, and if it is,
delete it.  The equivalent program /usr/Cadmin/bin/cports on Version 5.X of
IRIX does not exhibit the vulnerability.

SGI has requested that CIAC include their internal Advisory number for this
vulnerability to assist anyone contacting them.  This number is
19941001-01-P.

_____________________________________________________________________________

CIAC wishes to thank the AUSCERT and Silicon Graphics, Inc. for their quick
response to this problem.
_____________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP 
from ciac.llnl.gov (IP address 128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical 
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
    SPI products.

CIAC's mailing lists are managed by a public domain software package called 
ListProcessor, which ignores E-mail header subject lines. To subscribe (add 
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or 
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" 
and "PhoneNumber" when sending

E-mail to ciac-listproc@llnl.gov:
          subscribe list-name LastName, FirstName PhoneNumber
    e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and 
information on how to change either of them, cancel your subscription, or get 
help.
_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities 
receive CIAC bulletins. If you are not part of these communities, please 
contact your agency's response team to report incidents. Your agency's team 
will coordinate with CIAC. The Forum of Incident Response and Security Teams 
(FIRST) is a world-wide organization. A list of FIRST member organizations 
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body 
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of 
the United States Government. Neither the United States Government nor the 
University of California nor any of their employees, makes any warranty, 
expressed or implied, or assumes any legal liability or responsibility for 
the accuracy, completeness, or usefulness of any information, product, or 
process disclosed, or represents that its use would not infringe privately 
owned rights. Reference herein to any specific commercial products, process, 
or service by trade name, trademark manufacturer, or otherwise, does not 
necessarily constitute or imply its endorsement, recommendation, or favoring 
by the United States Government or the University of California. The views 
and opinions of authors expressed herein do not necessarily state or reflect 
those of the United States Government nor the University of California, and 
shall not be used for advertising or product endorsement purposes.