NetVisualyzer nveventd arbitrary file writing
26th Jun 2002 [SBWID-5485]
COMMAND

	NetVisualyzer nveventd arbitrary file writing

SYSTEMS AFFECTED

	Up to 6.5.16 (included)

PROBLEM

	In SGI Security Advisory 20020607-02-I (a lot of garbage, but as
	specified in the copyright notice we cannot reproduce only interesting
	parts...):
	

	

	-----BEGIN PGP SIGNED MESSAGE-----
	

	

	_____________________________________________________________________________

	

	                          SGI Security Advisory

	

	        Title:      nveventd vulnerability

	        Number:     20020607-02-I

	        Date:       June 24, 2002

	        Reference:  CAN-2002-0631

	_____________________________________________________________________________

	

	

	 - --------------

	 - --- Update ---

	 - --------------

	

	Fixed formatting issue  which  caused  PGP  signature  failure  on  some
	mailers.
	

	

	 - -----------------------

	 - --- Issue Specifics ---

	 - -----------------------

	

	It's been reported that the /usr/NetVis/etc/nveventd component of
	NetVisualyzer can be configured to allow an unprivileged user to write
	to any file on the system. This could potentially lead to a root
	exploit.
	

	SGI has investigated the issue and recommends the  following  steps  for
	neutralizing the exposure. It is HIGHLY RECOMMENDED that these  measures
	be implemented on ALL vulnerable SGI systems.
	

	Since the NetVisualyzer product is being moved to Legacy  support  mode,
	SGI has  no  plans  to  fix  this  problem  and  advises  following  the
	workaround outlined in this bulletin.
	

	

	 - --------------

	 - --- Impact ---

	 - --------------

	

	The /usr/NetVis/etc/nveventd daemon is part of the optional
	NetVisualyzer (specifically, "netman_display.sw.links") package, and
	is not installed by default on IRIX 6.5 systems.
	

	To determine the version of IRIX you are running, execute the  following
	command:
	

	

	  # uname -R

	

	

	That will return a result similar to the following:
	

	

	  # 6.5 6.5.15f

	

	

	The first number ("6.5") is the release name, the second ("6.5.15f"
	in this case) is the extended release name. The extended release name
	is the "version" we refer to throughout this document.
	

	To see if nveventd is installed, execute the following command:
	

	

	  # versions netman_display.sw.links
	  I = Installed, R = Removed

	     Name                 Date      Description

	     I  netman_display           05/22/101  NetVisualyzer Display Station
	                                            Version, 2.2.1
	     I  netman_display.sw        05/22/101  NetVisualyzer Display Station
	                                            Software
	     I  netman_display.sw.links  05/22/101  NetVisualyzer Display Station
	                                            Software Links

	

	

	

	If the output resembles the above, then the  package  is  installed  and
	the system is vulnerable.
	

	This vulnerability was assigned the following CVE:
	

	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0631

	

	

	

SOLUTION

	 - ----------------------------

	 - --- Temporary Workaround ---

	 - ----------------------------

	

	SGI will not be releasing patches for this problem, as  the  product  is
	being moved into Legacy support mode.  Instead,  we  recommend  removing
	the suid bit from  the  nveventd  binary  by  performing  the  following
	command:
	

	

	  # chmod u-s /usr/NetVis/etc/nveventd

	

	

	After running that command, the permissions and  ownership  should  look
	like this:
	

	

	  # ls -l /usr/NetVis/etc/nveventd

	  -r-xr-xr-x    1 root sys   70468 May 22  2001 /usr/NetVis/etc/nveventd

	

	

	This will fix the problem, and no further action is required. Note  that
	after doing this, only privileged users (typically root)  will  be  able
	to run nveventd.
	

	

	 - ----------------

	 - --- Solution ---

	 - ----------------

	

	SGI will not be providing a fix  or  patches  for  this  issue,  as  the
	product is being moved into Legacy support mode. Our  recommendation  is
	to follow the instructions in the Temporary Workaround section above.
	

	

	   OS Version     Vulnerable?     Patch #      Other Actions
	   ----------     -----------     -------      -------------
	   IRIX 3.x        unknown                     Note 1
	   IRIX 4.x        unknown                     Note 1
	   IRIX 5.x        unknown                     Note 1
	   IRIX 6.0.x      unknown                     Note 1
	   IRIX 6.1        unknown                     Note 1
	   IRIX 6.2        unknown                     Note 1
	   IRIX 6.3        unknown                     Note 1
	   IRIX 6.4        unknown                     Note 1
	   IRIX 6.5          yes                       Notes 2 & 3
	   IRIX 6.5.1        yes                       Notes 2 & 3
	   IRIX 6.5.2        yes                       Notes 2 & 3
	   IRIX 6.5.3        yes                       Notes 2 & 3
	   IRIX 6.5.4        yes                       Notes 2 & 3
	   IRIX 6.5.5        yes                       Notes 2 & 3
	   IRIX 6.5.6        yes                       Notes 2 & 3
	   IRIX 6.5.7        yes                       Notes 2 & 3
	   IRIX 6.5.8        yes                       Notes 2 & 3
	   IRIX 6.5.9        yes                       Notes 2 & 3
	   IRIX 6.5.10       yes                       Notes 2 & 3
	   IRIX 6.5.11       yes                       Notes 2 & 3
	   IRIX 6.5.12       yes                       Notes 2 & 3
	   IRIX 6.5.13       yes                       Notes 2 & 3
	   IRIX 6.5.14       yes                       Notes 2 & 3
	   IRIX 6.5.15       yes                       Notes 2 & 3
	   IRIX 6.5.16       yes                       Notes 2 & 3

	

	

	   NOTES

	     1) This version of the IRIX operating system has been retired.
	        Upgrade to an actively supported IRIX operating system.  See
	        http://support.sgi.com/irix/news/index.html#policy for more
	        information.

	     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
	        SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

	     3) Follow the workaround instructions above.

	

	

	 - ------------------------

	 - --- Acknowledgments ----

	 - ------------------------

	

	SGI wishes to thank Walter Roberson for his assistance in this matter.
	

	SGI also wishes to thank Dave Ahmad for catching the bad PGP signature.
	

	

	 - -------------

	 - --- Links ---

	 - -------------

	

	SGI Security Advisories can be found at:
	http://www.sgi.com/support/security/ and
	ftp://patches.sgi.com/support/free/security/advisories/

	SGI Security Patches can be found at:
	http://www.sgi.com/support/security/ and
	ftp://patches.sgi.com/support/free/security/patches/

	SGI patches for IRIX can be found at the following patch servers:
	http://support.sgi.com/irix/ and ftp://patches.sgi.com/

	SGI freeware updates for IRIX can be found at: http://freeware.sgi.com/

	SGI fixes for SGI open sourced code can be found on:
	http://oss.sgi.com/projects/

	SGI patches and RPMs for Linux can be found at:
	http://support.sgi.com/linux/ or
	http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

	SGI patches for Windows NT or 2000 can be found at:
	http://support.sgi.com/nt/

	IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
	http://support.sgi.com/irix/ and
	ftp://patches.sgi.com/support/patchset/

	IRIX 6.5 Maintenance Release Streams can be found at:
	http://support.sgi.com/colls/patches/tools/relstream/index.html

	IRIX 6.5 Software Update CDs can be obtained from:
	http://support.sgi.com/irix/swupdates/
	

	The primary SGI anonymous FTP site for security advisories  and  patches
	is patches.sgi.com (216.32.174.211).  Security  advisories  and  patches
	are located under the URL ftp://patches.sgi.com/support/free/security/
	

	For  security  and  patch  management  reasons,   ftp.sgi.com   (mirrors
	patches.sgi.com security FTP repository) lags behind and does not  do  a
	real-time update.
	

	

	 - -----------------------------------------

	 - --- SGI Security Information/Contacts ---

	 - -----------------------------------------

	

	If there are questions  about  this  document,  email  can  be  sent  to
	security-info@sgi.com.
	

	                      ------oOo------

	

	SGI provides security information and patches for use by the entire  SGI
	community. This information is freely available to  any  person  needing
	the information and is available via anonymous FTP and the Web.
	

	The primary SGI anonymous FTP site for security advisories  and  patches
	is patches.sgi.com (216.32.174.211).  Security  advisories  and  patches
	are located under the URL ftp://patches.sgi.com/support/free/security/
	

	The SGI Security  Headquarters  Web  page  is  accessible  at  the  URL:
	http://www.sgi.com/support/security/
	

	For issues with the patches on the FTP  sites,  email  can  be  sent  to
	security-info@sgi.com.
	

	For assistance  obtaining  or  working  with  security  patches,  please
	contact your SGI support provider.
	

	                      ------oOo------

	

	SGI provides a free security mailing list service called wiretap and
	encourages interested parties to self-subscribe to receive (via email)
	all SGI Security Advisories when they are released. Subscribing to the
	mailing list can be done via the Web
	(http://www.sgi.com/support/security/wiretap.html) or by sending email
	to SGI as outlined below.
	

	

	% mail wiretap-request@sgi.com

	subscribe wiretap <YourEmailAddress>

	end

	^d

	

	

	In the example above, <YourEmailAddress> is the  email  address  that
	you wish the mailing list information sent to. The word end must  be  on
	a separate line to indicate the end of the  body  of  the  message.  The
	control-d (^d) is used to indicate to the  mail  program  that  you  are
	finished composing the mail message.
	

	

	                      ------oOo------

	

	SGI provides a comprehensive customer World Wide Web site. This site  is
	located at http://www.sgi.com/support/security/ .
	

	                      ------oOo------

	

	If there are general security questions on SGI  systems,  email  can  be
	sent to security-info@sgi.com.
	

	For  reporting  *NEW*  SGI  security  issues,  email  can  be  sent   to
	security-alert@sgi.com or contact your SGI support provider.  A  support
	contract is not required for submitting a security report.
	

	 ______________________________________________________________________________

	      This information is provided freely to all interested parties

	      and may be redistributed provided that it is not altered in any

	      way, SGI is appropriately credited and the document retains and

	      includes its valid PGP signature.

	

	

	

	-----BEGIN PGP SIGNATURE-----

	Version: 2.6.2

	

	iQCVAwUBPRd/dbQ4cFApAP75AQEUGwP/QKH+Q6cm/x4zzOtIp4u4LyvveKAPp3dl

	/ZJTCadxn3lgRhhCk6iulpqowCSwCV2OgecVFoD80v34HDWvWRKcmXQfr01rG75f

	4bQrMBtGx9fdPoT176jQyT/tWqyyJmG9BXNKsymuRsQfqQpBqEuGH5qa6zeD1vKx

	JrENEX+GkQQ=

	=9JKx

	-----END PGP SIGNATURE-----
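
The workaround and its follow-up `ls -l` check from the advisory above, as an added example (not part of the SGI advisory or of this archive page): a POSIX sh script that reports whether nveventd still carries the setuid bit and, when run with `fix`, removes it and re-checks. Only the path and the `chmod u-s` command come from the advisory; the function names, the `NVEVENTD` override variable and the state labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and apply the advisory's setuid workaround.
# Default path is the one named in the advisory; NVEVENTD may override it.
NVEVENTD=${NVEVENTD:-/usr/NetVis/etc/nveventd}

# Print the state of the binary: absent, setuid, or ok.
nveventd_state() {
    target=${1:-$NVEVENTD}
    if [ ! -f "$target" ]; then
        echo absent
    elif [ -u "$target" ]; then      # -u: set-user-ID bit is set
        echo setuid
    else
        echo ok
    fi
}

# Remove the setuid bit if present, then re-check so that a failed chmod
# (read-only filesystem, insufficient privilege) is never reported as fixed.
nveventd_harden() {
    target=${1:-$NVEVENTD}
    case $(nveventd_state "$target") in
        absent) echo "absent: $target is not installed"; return 0 ;;
        ok)     echo "ok: $target already has no setuid bit"; return 0 ;;
    esac
    if chmod u-s "$target" 2>/dev/null &&
       [ "$(nveventd_state "$target")" = ok ]; then
        echo "fixed: removed setuid bit from $target"
        ls -l "$target"              # same verification step as the advisory
        return 0
    fi
    echo "FAILED: $target is still setuid" >&2
    return 1
}

# Report only by default; pass "fix" as the first argument to apply the change.
nveventd_main() {
    if [ "${1:-}" = fix ]; then
        nveventd_harden "$NVEVENTD"
    else
        echo "$(nveventd_state "$NVEVENTD"): $NVEVENTD"
    fi
}

nveventd_main "$@"
```

Run without arguments for a report-only pass across a fleet, and with `fix` as root on hosts that report `setuid`.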

	
