|
_____________________________________________________ US Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ INFORMATION BULLETIN Vulnerabilities in SGI IRIX Default Configuration October 25, 1993 1330 PDT Number E-02 __________________________________________________________________________ PROBLEM: The default configuration of SGI IRIX software introduces vulnerabilities. PLATFORM: SGI IRIX, all versions including 4.x and 5.x. DAMAGE: Accounts without passwords and default xhost configuration can lead to system compromise. SOLUTION: Add passwords, lock accounts, change xhost configuration per this bulletin. __________________________________________________________________________ Critical Information about SGI IRIX Default Configuration CIAC has learned that SGI IRIX systems configured with operating system defaults are vulnerable to attack. The auto-installation procedure leaves some default accounts vulnerable to compromise, some files are left world readable, and the default configuration for xhost is vulnerable. CIAC recommends that IRIX system administrators check the configuration of their systems as outlined below. OPEN ACCOUNTS Eight accounts are left open, without a password, at the end of the installation procedure. Three of these accounts--root, lp, and nuucp--are administrative accounts with system privileges. The other five accounts are demos, tutor, guest, 4Dgifts, and tour. CIAC recommends that these accounts be assigned valid passwords, deleted, or disabled to ensure account security. Give an account a password by executing the following command as root: # passwd account_name To disable ("lock") an account, use the passwd command with the -l option, as below: # passwd -l account_name To delete an account, edit the /etc/passwd account directly as SGI's utility "sysadm" will not edit these specific accounts. SGI recommends account deletion be done with care, since the execution of some system functions requires an account to be present. LOGIN.OPTIONS VULNERABILITY The file /etc/config/login.options (renamed /etc/default/login on 5.x) contains some parameters for the system's login process. By default, this file is world readable. CIAC recommends that if a system is logging rsh and ftp activity, these permissions be removed by executing the following command as root: # chmod 640 /etc/config/login.options Note: the options "SYSLOG=ALL" or "SYSLOG=FAIL", set within login.options will not log any login attempts made through the SGI-supplied graphical login process Pandora. In addition, the file where login attempts are kept, /usr/adm/SYSLOG, should also not be world readable. NIS ALTERNATE PASSWORD FILE If using NIS, an alternate password file can be created with any name and placed anywhere. This password file should be set up to contain only accounts of users that log in remotely. No administrative accounts should be contained in this alternative password file since all NIS users can easily see this file. Use of this file will make the information in /etc/passwd useless to anyone who might break into the system and try to crack passwords. To define the password file, open or create the file /etc/config/ypmaster.options, and create a line with the text: PWFILE=/path/newpasswdfile.name NOTE: this feature is available because shadow password files are incompatible with NIS. XHOST DEFAULTS The system default configuration for xhost is "xhost +", which allows any host on the same network to use X protocols to access the machine. X has well known vulnerabilities and there are automated programs that can remotely gain unauthorized access using X. CIAC recommends that you either deny all access to all hosts through X or authorize only specific known, trustworthy machines. To deny or restrict X access to selected hosts follow these three steps: a. Create or edit the file "/etc/Xn.hosts" where 'n' is the display number of the server on the local host, normally 0, as in "/etc/X0.hosts". To deny all X access to your system, the file /etc/X0.hosts will contain a single character, "-". To grant access to hosts "newhost.gov" and "secondhost.gov" and no other hosts the file /etc/X0.hosts will consist of: - +newhost.gov +secondhost.gov b. Search through all files in the directory /usr/lib/X11/xdm for occurances of the command "xhost +" or "/usr/bin/X11/xhost +". Remove or comment out all such lines. For SGI IRIS these files are by default: /usr/lib/X11/xdm/xsession /usr/lib/X11/xdm/xsession-remote /usr/lib/X11/xdm/xsession.0 c. Inform users that any xhost commands should be removed or commented out of user startup scripts, such as .cshrc, .login, .profile, etc. To add an additional level of security to the X environment, CIAC recommends the use of xauthority for host access control. To set up xauthority, edit the file /usr/lib/X11/xdm/xdm-config and replace the "off" with "on" in the following line: DisplayManager*authorize:off After all changes are made, SGI recommends that the system be rebooted to ensure that all changes take effect and all passwords be modified for all users' accounts that may have been compromised. To ensure that X has been turned off for non-registered hosts, perform the following test commands from an invalid machine: setenv DISPLAY yourhostname:0 /usr/bin/X11/xterm If a message appears which refuses the connection, then the system has been configured correctly. Much of the information in this bulletin has been extracted from the chapter on system security in the SGI IRIX administrator's guide, Chapter 8 for version 4.x and Chapter 9 for version 5.x. CIAC would like to thank Donna Yobs of SGI and Fred W. Allen of LLNL for their technical contributions to this bulletin, and to the ASSIST team for alerting us to this vulnerability. For additional information or assistance, please contact CIAC at (510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002. Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60). PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.