----- Original Message -----
From: "SGI Security Coordinator" <agent99@sgi.com>
To: <agent99@sgi.com>
Sent: Wednesday, August 13, 2003 8:42 AM
Subject: Denial of Service Vulnerability in NFS on IRIX
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
____________________________________________________________________________
__
> SGI Security Advisory
>
> Title : Denial of Service Vulnerability in NFS XDR decoding
> Number : 20030801-01-P
> Date : August 13, 2003
> Reference: CVE 2003-0576
> Reference: SGI BUG 894659
> Fixed in : IRIX 6.5.20 or patches 5229, 5230, 5240, 5241, 5227, 5228
>
____________________________________________________________________________
__
>
> SGI provides this information freely to the SGI user community for its
> consideration, interpretation, implementation and use. SGI recommends
that
> this information be acted upon as soon as possible.
>
> SGI provides the information in this Security Advisory on an "AS-IS" basis
> only, and disclaims all warranties with respect thereto, express, implied
> or otherwise, including, without limitation, any warranty of
merchantability
> or fitness for a particular purpose. In no event shall SGI be liable for
> any loss of profits, loss of business, loss of data or for any indirect,
> special, exemplary, incidental or consequential damages of any kind
arising
> from your use of, failure to use or improper use of any of the
instructions
> or information in this Security Advisory.
>
____________________________________________________________________________
__
>
> - -----------------------
> - --- Issue Specifics ---
> - -----------------------
>
> It's been reported that it is possible to create a Denial of Service
attack
> on the IRIX nfsd through the use of carefully crafted packets which cause
> XDR decoding errors. This can lead to kernel panicing the system. No
local account or access to an NFS mount point is required, so this could be
constructed as a remote exploit.
>
> SGI has investigated the issue and recommends the following steps for
> neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures
be
> implemented on ALL vulnerable SGI systems.
>
> These issues have been corrected with patches and in future releases of
IRIX.
>
>
> - --------------
> - --- Impact ---
> - --------------
>
> nfs is installed by default on IRIX 6.5 systems.
>
> To determine the version of IRIX you are running, execute the following
> command:
>
> # /bin/uname -R
>
> That will return a result similar to the following:
>
> # 6.5 6.5.19f
>
> The first number ("6.5") is the release name, the second ("6.5.16f" in
this
> case) is the extended release name. The extended release name is the
> "version" we refer to throughout this document.
>
> To see if nfs is installed, execute the following command:
>
> $ versions -b | grep nfs
> I nfs 05/15/2003 Network File System, 6.5.20f
>
>
> - ----------------------------
> - --- Temporary Workaround ---
> - ----------------------------
>
> There is no effective workaround available for these problems. SGI
> recommends either upgrading to IRIX 6.5.20, or installing the appropriate
> patch from the listing below.
>
>
> - ----------------
> - --- Solution ---
> - ----------------
>
> SGI has provided a series of patches for these vulnerabilities. Our
> recommendation is to upgrade to IRIX 6.5.20, or install the appropriate
> patch.
>
> OS Version Vulnerable? Patch # Other Actions
> ---------- ----------- ------- -------------
> IRIX 3.x unknown Note 1
> IRIX 4.x unknown Note 1
> IRIX 5.x unknown Note 1
> IRIX 6.0.x unknown Note 1
> IRIX 6.1 unknown Note 1
> IRIX 6.2 unknown Note 1
> IRIX 6.3 unknown Note 1
> IRIX 6.4 unknown Note 1
> IRIX 6.5 yes Notes 2 & 3
> IRIX 6.5.1 yes Notes 2 & 3
> IRIX 6.5.2 yes Notes 2 & 3
> IRIX 6.5.3 yes Notes 2 & 3
> IRIX 6.5.4 yes Notes 2 & 3
> IRIX 6.5.5 yes Notes 2 & 3
> IRIX 6.5.6 yes Notes 2 & 3
> IRIX 6.5.7 yes Notes 2 & 3
> IRIX 6.5.8 yes Notes 2 & 3
> IRIX 6.5.9 yes Notes 2 & 3
> IRIX 6.5.10 yes Notes 2 & 3
> IRIX 6.5.11 yes Notes 2 & 3
> IRIX 6.5.12 yes Notes 2 & 3
> IRIX 6.5.13 yes Notes 2 & 3
> IRIX 6.5.14 yes Notes 2 & 3
> IRIX 6.5.15 yes Notes 2 & 3
> IRIX 6.5.16 yes Notes 2 & 3
> IRIX 6.5.17m yes 5229 Notes 2, 4 & 5
> IRIX 6.5.17f yes 5230 Notes 2, 4 & 5
> IRIX 6.5.18m yes 5240 Notes 2, 4 & 5
> IRIX 6.5.18f yes 5241 Notes 2, 4 & 5
> IRIX 6.5.19m yes 5227 Notes 2, 4 & 5
> IRIX 6.5.19f yes 5228 Notes 2, 4 & 5
> IRIX 6.5.20 no
> IRIX 6.5.21 no
>
> NOTES
>
> 1) This version of the IRIX operating has been retired. Upgrade to an
> actively supported IRIX operating system. See
> http://support.sgi.com for more information.
>
> 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact
your
> SGI Support Provider or URL: http://support.sgi.com
>
> 3) Upgrade to IRIX 6.5.20.
>
> 4) Upgrade to IRIX 6.5.20 or install the patch.
>
> 5) Note that these patches also include other fixes that are not
> security related.
>
> ##### Patch File Checksums ####
> Filename: README.patch.5227
> Algorithm #1 (sum -r): 12931 11 README.patch.5227
> Algorithm #2 (sum): 22414 11 README.patch.5227
> MD5 checksum: 7ED03B2BE0DC6DE5D33D81339AB14017
>
> Filename: patchSG0005227
> Algorithm #1 (sum -r): 11461 5 patchSG0005227
> Algorithm #2 (sum): 37091 5 patchSG0005227
> MD5 checksum: 6159ACA5DADB447DBAC03E2713B397F9
>
> Filename: patchSG0005227.eoe_sw
> Algorithm #1 (sum -r): 09551 8277 patchSG0005227.eoe_sw
> Algorithm #2 (sum): 30759 8277 patchSG0005227.eoe_sw
> MD5 checksum: E5339A8B3C9231CC8EFD58CB59FEED1C
>
> Filename: patchSG0005227.idb
> Algorithm #1 (sum -r): 20594 41 patchSG0005227.idb
> Algorithm #2 (sum): 1408 41 patchSG0005227.idb
> MD5 checksum: 32BF7447A53E8A9DAD84A2B416674F16
>
> Filename: patchSG0005227.irix_dev_sw
> Algorithm #1 (sum -r): 38535 10 patchSG0005227.irix_dev_sw
> Algorithm #2 (sum): 12894 10 patchSG0005227.irix_dev_sw
> MD5 checksum: D53D8B75C2D7B3A3C925ADCFB35F8B95
>
> Filename: patchSG0005227.nfs_sw
> Algorithm #1 (sum -r): 31365 5170 patchSG0005227.nfs_sw
> Algorithm #2 (sum): 49085 5170 patchSG0005227.nfs_sw
> MD5 checksum: E4F9D5896C4272B81430CF0C8611487C
>
> Filename: README.patch.5228
> Algorithm #1 (sum -r): 16002 11 README.patch.5228
> Algorithm #2 (sum): 22374 11 README.patch.5228
> MD5 checksum: 9ED598FCE24B45D9B821BBED49EF4401
>
> Filename: patchSG0005228
> Algorithm #1 (sum -r): 37726 5 patchSG0005228
> Algorithm #2 (sum): 23213 5 patchSG0005228
> MD5 checksum: 3167AD1850E8F6C2CA50F1679C402315
>
> Filename: patchSG0005228.eoe_sw
> Algorithm #1 (sum -r): 16223 8422 patchSG0005228.eoe_sw
> Algorithm #2 (sum): 46670 8422 patchSG0005228.eoe_sw
> MD5 checksum: EFB7678E25D935BFDF9B8531786FE67A
>
> Filename: patchSG0005228.idb
> Algorithm #1 (sum -r): 53530 41 patchSG0005228.idb
> Algorithm #2 (sum): 21988 41 patchSG0005228.idb
> MD5 checksum: 92B4E031662EEF88415D18A2ABE8CA74
>
> Filename: patchSG0005228.irix_dev_sw
> Algorithm #1 (sum -r): 38535 10 patchSG0005228.irix_dev_sw
> Algorithm #2 (sum): 12894 10 patchSG0005228.irix_dev_sw
> MD5 checksum: D53D8B75C2D7B3A3C925ADCFB35F8B95
>
> Filename: patchSG0005228.nfs_sw
> Algorithm #1 (sum -r): 17463 5280 patchSG0005228.nfs_sw
> Algorithm #2 (sum): 25872 5280 patchSG0005228.nfs_sw
> MD5 checksum: DCEAE822C6F2AE0335987F8D4CB22037
>
> Filename: README.patch.5229
> Algorithm #1 (sum -r): 01277 9 README.patch.5229
> Algorithm #2 (sum): 828 9 README.patch.5229
> MD5 checksum: 27F5BC248785EB885A13CC882BC3546F
>
> Filename: patchSG0005229
> Algorithm #1 (sum -r): 35802 2 patchSG0005229
> Algorithm #2 (sum): 57891 2 patchSG0005229
> MD5 checksum: FC923269FA4B82B7B74C6406982A9BF7
>
> Filename: patchSG0005229.eoe_sw
> Algorithm #1 (sum -r): 64586 5941 patchSG0005229.eoe_sw
> Algorithm #2 (sum): 16069 5941 patchSG0005229.eoe_sw
> MD5 checksum: 566A389D3F36A1398FA7EEC56BF175B9
>
> Filename: patchSG0005229.idb
> Algorithm #1 (sum -r): 38401 26 patchSG0005229.idb
> Algorithm #2 (sum): 7466 26 patchSG0005229.idb
> MD5 checksum: 60B99ECECF97909AEF3F4A2DE88D82F5
>
> Filename: patchSG0005229.irix_dev_sw
> Algorithm #1 (sum -r): 34148 1 patchSG0005229.irix_dev_sw
> Algorithm #2 (sum): 774 1 patchSG0005229.irix_dev_sw
> MD5 checksum: 782988FA4FAC22A5F522D4985B47D6CB
>
> Filename: patchSG0005229.nfs_sw
> Algorithm #1 (sum -r): 09009 4240 patchSG0005229.nfs_sw
> Algorithm #2 (sum): 65046 4240 patchSG0005229.nfs_sw
> MD5 checksum: C8D28197ABBFB214E312BE5474089CFE
>
> Filename: README.patch.5230
> Algorithm #1 (sum -r): 12236 9 README.patch.5230
> Algorithm #2 (sum): 63420 9 README.patch.5230
> MD5 checksum: 12E5B2318D3B3516409D084C27387163
>
> Filename: patchSG0005230
> Algorithm #1 (sum -r): 50666 2 patchSG0005230
> Algorithm #2 (sum): 59311 2 patchSG0005230
> MD5 checksum: 44FE30C482E00898A48FB5C865A63FF3
>
> Filename: patchSG0005230.eoe_sw
> Algorithm #1 (sum -r): 29102 6011 patchSG0005230.eoe_sw
> Algorithm #2 (sum): 39184 6011 patchSG0005230.eoe_sw
> MD5 checksum: 3BEB537E47F3A199311CD8D0B1819D04
>
> Filename: patchSG0005230.idb
> Algorithm #1 (sum -r): 05200 26 patchSG0005230.idb
> Algorithm #2 (sum): 7102 26 patchSG0005230.idb
> MD5 checksum: 3E3AE7ACC124D1789D16E6510C58D9DB
>
> Filename: patchSG0005230.nfs_sw
> Algorithm #1 (sum -r): 47262 4333 patchSG0005230.nfs_sw
> Algorithm #2 (sum): 29161 4333 patchSG0005230.nfs_sw
> MD5 checksum: 08121F4C697F3FF84C3555B05403ECCD
>
> Filename: README.patch.5240
> Algorithm #1 (sum -r): 49573 10 README.patch.5240
> Algorithm #2 (sum): 6006 10 README.patch.5240
> MD5 checksum: 35487EA3FE038B6460A592261C04EFCD
>
> Filename: patchSG0005240
> Algorithm #1 (sum -r): 07297 4 patchSG0005240
> Algorithm #2 (sum): 50257 4 patchSG0005240
> MD5 checksum: 256FFFFC0DD9FD4FB7AABC2016E77E76
>
> Filename: patchSG0005240.eoe_sw
> Algorithm #1 (sum -r): 47611 7496 patchSG0005240.eoe_sw
> Algorithm #2 (sum): 33432 7496 patchSG0005240.eoe_sw
> MD5 checksum: 694361E17A3C8147099E946EBD277A08
>
> Filename: patchSG0005240.idb
> Algorithm #1 (sum -r): 06906 26 patchSG0005240.idb
> Algorithm #2 (sum): 63464 26 patchSG0005240.idb
> MD5 checksum: 5B8066AEB25AE8DC988181B6318FA0FD
>
> Filename: patchSG0005240.irix_dev_sw
> Algorithm #1 (sum -r): 38535 10 patchSG0005240.irix_dev_sw
> Algorithm #2 (sum): 12894 10 patchSG0005240.irix_dev_sw
> MD5 checksum: D53D8B75C2D7B3A3C925ADCFB35F8B95
>
> Filename: patchSG0005240.nfs_sw
> Algorithm #1 (sum -r): 40380 3891 patchSG0005240.nfs_sw
> Algorithm #2 (sum): 34675 3891 patchSG0005240.nfs_sw
> MD5 checksum: 71E454F5DF8B7B231BE5534CEFFC1EC8
>
> Filename: README.patch.5241
> Algorithm #1 (sum -r): 12584 10 README.patch.5241
> Algorithm #2 (sum): 5979 10 README.patch.5241
> MD5 checksum: 4C1EE3B73CDD4851D06E73BBB21D65D1
>
> Filename: patchSG0005241
> Algorithm #1 (sum -r): 05691 5 patchSG0005241
> Algorithm #2 (sum): 13971 5 patchSG0005241
> MD5 checksum: 5C6423A1D130E749E6644CDE3CD73FF3
>
> Filename: patchSG0005241.eoe_sw
> Algorithm #1 (sum -r): 00113 7607 patchSG0005241.eoe_sw
> Algorithm #2 (sum): 34258 7607 patchSG0005241.eoe_sw
> MD5 checksum: 5596F7572B50139B776BF011C70E82FC
>
> Filename: patchSG0005241.idb
> Algorithm #1 (sum -r): 22072 26 patchSG0005241.idb
> Algorithm #2 (sum): 63480 26 patchSG0005241.idb
> MD5 checksum: 3CC8B8E45D008D213B8CB84034675509
>
> Filename: patchSG0005241.irix_dev_sw
> Algorithm #1 (sum -r): 38535 10 patchSG0005241.irix_dev_sw
> Algorithm #2 (sum): 12894 10 patchSG0005241.irix_dev_sw
> MD5 checksum: D53D8B75C2D7B3A3C925ADCFB35F8B95
>
> Filename: patchSG0005241.nfs_sw
> Algorithm #1 (sum -r): 09049 3954 patchSG0005241.nfs_sw
> Algorithm #2 (sum): 32772 3954 patchSG0005241.nfs_sw
> MD5 checksum: B28A5B503F0B5C85D62C76A666667685
>
>
> - -------------
> - --- Links ---
> - -------------
>
> SGI Security Advisories can be found at:
> http://www.sgi.com/support/security/ and
> ftp://patches.sgi.com/support/free/security/advisories/
>
> SGI Security Patches can be found at:
> http://www.sgi.com/support/security/ and
> ftp://patches.sgi.com/support/free/security/patches/
>
> SGI patches for IRIX can be found at the following patch servers:
> http://support.sgi.com/ and ftp://patches.sgi.com/
>
> SGI freeware updates for IRIX can be found at:
> http://freeware.sgi.com/
>
> SGI patches and RPMs for Linux can be found at:
> http://support.sgi.com
>
> SGI patches for Windows NT or 2000 can be found at:
> http://support.sgi.com/
>
> IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
> http://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/
>
> IRIX 6.5 Maintenance Release Streams can be found at:
> http://support.sgi.com/
>
> IRIX 6.5 Software Update CDs can be obtained from:
> http://support.sgi.com/
>
> The primary SGI anonymous FTP site for security advisories and patches is
> patches.sgi.com. Security advisories and patches are located under the
URL
> ftp://patches.sgi.com/support/free/security/
>
> For security and patch management reasons, ftp.sgi.com (mirrors
> patches.sgi.com security FTP repository) lags behind and does not do a
> real-time update.
>
>
> - -----------------------------------------
> - --- SGI Security Information/Contacts ---
> - -----------------------------------------
>
> If there are questions about this document, email can be sent to
> security-info@sgi.com.
>
> ------oOo------
>
> SGI provides security information and patches for use by the entire SGI
> community. This information is freely available to any person needing the
> information and is available via anonymous FTP and the Web.
>
> The primary SGI anonymous FTP site for security advisories and patches is
> patches.sgi.com. Security advisories and patches are located under the
URL
> ftp://patches.sgi.com/support/free/security/
>
> The SGI Security Headquarters Web page is accessible at the URL:
> http://www.sgi.com/support/security/
>
> For issues with the patches on the FTP sites, email can be sent to
> security-info@sgi.com.
>
> For assistance obtaining or working with security patches, please
> contact your SGI support provider.
>
> ------oOo------
>
> SGI provides a free security mailing list service called wiretap and
> encourages interested parties to self-subscribe to receive (via email) all
> SGI Security Advisories when they are released. Subscribing to the mailing
> list can be done via the Web
> (http://www.sgi.com/support/security/wiretap.html) or by sending email to
> SGI as outlined below.
>
> % mail wiretap-request@sgi.com
> subscribe wiretap <YourEmailAddress such as midwatch@sgi.com >
> end
> ^d
>
> In the example above, <YourEmailAddress> is the email address that you
wish
> the mailing list information sent to. The word end must be on a separate
> line to indicate the end of the body of the message. The control-d (^d) is
> used to indicate to the mail program that you are finished composing the
> mail message.
>
>
> ------oOo------
>
> SGI provides a comprehensive customer World Wide Web site. This site is
> located at http://www.sgi.com/support/security/ .
>
> ------oOo------
>
> If there are general security questions on SGI systems, email can be sent
to
> security-info@sgi.com.
>
> For reporting *NEW* SGI security issues, email can be sent to
> security-alert@sgi.com or contact your SGI support provider. A support
> contract is not required for submitting a security report.
>
>
____________________________________________________________________________
__
> This information is provided freely to all interested parties
> and may be redistributed provided that it is not altered in any
> way, SGI is appropriately credited and the document retains and
> includes its valid PGP signature.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBPzppWbQ4cFApAP75AQE6rgP+PkfnTLfdlvdFZ4tJ+Ht3vTBVmJu2kgvz
> itgHnZftncL4JaIfdJks2Wr34/2q7q2tIzn11376Twl1olPkP5Q+LdQiFgVTTjdF
> KI4D1SwBGkxVqB3w6H/TUexSxk+77wJHckrpyOlIhm364wV20YYimQSQAFWJr+4m
> riLbLOyRc/o=
> =8VNZ
> -----END PGP SIGNATURE-----
>
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
