Bugtraq mailing list archives

fam Vulnerability


From: agent99 () CSD SGI COM (SGI Security Coordinator)
Date: Wed, 1 Mar 2000 17:45:54 -0800


-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                          SGI Security Advisory

        Title:   fam Vulnerability
        Title:   NAI-0016: Silicon Graphics IRIX fam service
        Number:  20000301-01-I
        Date:    March 1, 2000
______________________________________________________________________________

SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use.   SGI recommends
that this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS" basis
only, and disclaims all warranties with respect thereto, express, implied
or otherwise, including, without limitation, any warranty of merchantability
or fitness for a particular purpose.  In no event shall SGI be liable for
any loss of profits, loss of business, loss of data or for any indirect,
special, exemplary, incidental or consequential damages of any kind arising
from your use of, failure to use or improper use of any of the instructions
or information in this Security Advisory.
______________________________________________________________________________

As a followup to the NAI Advisory #16: "Silicon Graphics IRIX fam service",
SGI has investigated and has open sourced fam which includes the fix
to this vulnerability.

- -----------------------
- --- Issue Specifics ---
- -----------------------

The fam daemon is an RPC server that tracks changes to the filesystem.

NAI has reported that a vulnerability has been discovered in fam which
allows an attacker to learn the names of files and directories on IRIX
systems.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is recommended that these measures
be implemented on all vulnerable SGI systems running the fam service.

- --------------
- --- Impact ---
- --------------

The fam daemon is installed by default on all versions of IRIX 5.X and
IRIX 6.X.

A local user account on the vulnerable system is not required in order to
exploit the fam daemon.

The vulnerability can be exploited remotely by using carefully crafted RPC
packets that are sent to the fam daemon.

The vulnerability leads to unauthorized access to the names of files
and directories on an IRIX system.

This vulnerability was reported by Network Associates, Inc. in
Advisory NAI-0016:
http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp

This vulnerability has been publicly discussed in Usenet newsgroups
and mailing lists.

- --------------------------
- --- Temporary Solution ---
- --------------------------

Although a version of fam which fixes this vulnerability is available
as open source, it is realized that there may be situations where
compiling and installing the new version may not be possible.

The steps below can be used to disable the fam daemon.

      =================
      **** WARNING ****
      =================

      Disabling fam daemon will impact and/or disable applications that
      use the RPC-based fam daemon. This includes fm, mailbox, mediad,
      scanners, sysmon, fxbuilder, IRIS Annotator and applications like
      MediaMail that linked with the libfam.a static library.

     1) Become the root user on the system.

                % /bin/su -
                Password:
                #

     2) Comment out the fam service in /etc/inetd.conf

                # vi /etc/inetd.conf

        Change the line:
        sgi_fam/1   stream  rpc/tcp wait    root    ?/usr/etc/fam     fam

        To:
        #sgi_fam/1   stream  rpc/tcp wait    root    ?/usr/etc/fam    fam

        and save the file.

     3) Restart inetd.

                # /etc/killall -HUP inetd

     4) Kill any running fam daemon
        NOTE: This may disable applications that use fam including
        MediaMail.

                # /etc/killall fam

     5) Return to previous level.

                # exit
                %

- ----------------
- --- Solution ---
- ----------------

SGI has open sourced the fam daemon and the source code is available from:
http://oss.sgi.com/projects/fam/

The open source version of fam has a fix for this vulnerability.

Patches are being built for currently supported IRIX operating systems
and this advisory will be updated when these patches are made
available.

The fam vulnerability is scheduled to be fixed in IRIX 6.5.8.

- ------------------------
- --- Acknowledgments ---
- ------------------------

SGI wishes to thank Network Associates, Inc. for their assistance
in this matter.

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
cse-security-alert () sgi com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing
the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1).  Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The SGI Security Headquarters Web page is accessible at
the URL http://www.sgi.com/support/security/ .

For issues with the patches on the FTP sites, email can be sent to
cse-security-alert () sgi com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web (http://www.sgi.com/support/security/wiretap.html)
or by sending email to SGI as outlined below.

% mail wiretap-request () sgi com
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.

                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .

                      ------oOo------

For reporting *NEW* SGI security issues, email can be sent to
security-alert () sgi com or contact your SGI support provider.  A
support contract is not required for submitting a security report.

______________________________________________________________________________
      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOL20TrQ4cFApAP75AQH/pgP/VMOez7SmD503iZ74TvhiCW2zCCj76qxT
Oh3VM4wr3daccq3sc0vJYjAnUXcIT7cPKhxFHzFlfCM61BgLThkSgSE2MDeNKor4
tXCq5z56Cashe+Y7en727lbtV/75y56X8PLhOI4qyhPRdGKjhLx5s/EpSk398PCH
tNNdUR9SjKs=
=QEgE
-----END PGP SIGNATURE-----
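
Steps 2 to 4 of the temporary solution above, as an added example that is not part of the SGI advisory: a shell sketch that comments out the active sgi_fam entry, keeps a backup, and verifies that no active entry remains. The function names and the sample inetd.conf are constructed for illustration; the sgi_fam line is the one quoted in the advisory.

```shell
#!/bin/sh
# Added example (not SGI's code): audit and disable sgi_fam in an inetd.conf.
# Function names and the sample file are constructed for illustration.

# Print active (uncommented) sgi_fam entries; returns 0 only if any exist.
fam_active_lines() {
    grep -E '^[[:space:]]*sgi_fam/[0-9]+[[:space:]]' "$1"
}

# Comment out active sgi_fam entries, keeping the original as <file>.bak.
# Writing back through redirection preserves the file's owner and mode.
disable_fam() {
    conf=$1
    cp -p "$conf" "$conf.bak" || return 1
    sed 's|^\([[:space:]]*\)\(sgi_fam/[0-9][0-9]*[[:space:]]\)|\1#\2|' \
        "$conf.bak" > "$conf" || return 1
    # Verify: the change succeeded only if no active entry remains.
    if fam_active_lines "$conf" >/dev/null; then return 1; fi
    return 0
}

# Constructed sample: the fam line from the advisory plus an unrelated
# service entry that must be left untouched.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp         stream  tcp     nowait  root    /usr/etc/ftpd     ftpd -l
sgi_fam/1   stream  rpc/tcp wait    root    ?/usr/etc/fam     fam
EOF
}

# Demo on a scratch copy; on a real system pass /etc/inetd.conf as root,
# then run steps 3 and 4 (killall -HUP inetd; killall fam).
demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/inetd.conf"
    echo "before: $(fam_active_lines "$dir/inetd.conf" | wc -l) active entries"
    disable_fam "$dir/inetd.conf" && echo "after: sgi_fam disabled"
    diff "$dir/inetd.conf.bak" "$dir/inetd.conf" || true
    rm -rf "$dir"
}
demo
```

Running disable_fam a second time is harmless: an entry that is already commented out no longer matches the pattern, so the file is left unchanged.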

