Vulnerability Note VU#521147

SGI IRIX rpc.xfsmd uses weak authentication mechanism for RPC authentication

Original Release date: 08 Aug 2002 | Last revised: 08 Aug 2002

Overview

The XFS file system on SGI systems allows anonymous remote users to call xfs-related RPC functions.

Description

XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (rpc.xfsmd) on SGI systems uses the default AUTH_UNIX authentication mechanism (a client-based security option) for its RPC service. This means the rpc.xfsmd daemon trusts that the remote system calling its RPC interface has already authenticated the remote client process via standard UNIX user id mechanisms (i.e., if a daemon only allows UID 0 [root] access to its RPC interface, it trusts remote RPC clients to be running with UID 0 [root] privileges).

As a result, any remote system able to forge UID 0 in its RPC call to vulnerable SGI rpc.xfsmd daemons can bypass the RPC authentication mechanism altogether. When exploited in conjunction with VU#195371, this could lead to the execution of arbitrary commands on vulnerable SGI systems.

Impact

A remote attacker can bypass the default AUTH_UNIX authentication mechanism for this RPC service, allowing anonymous RPC function calls

Solution

SGI has reported they will not be providing a patch for this issue. Sites are strongly urged to disable the XFS daemon and related subsystems as soon as their service requirements permit.

Per SGI Security Advisory 20020606-02-I:

There is no effective workaround available for these problems.
SGI recommends either disabling or uninstalling the product.

To disable the product from running, perform the following steps:

  # killall /usr/etc/xfsmd
 # vi /etc/inetd.conf

  Look for a line in inetd.conf that looks like this:

    sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd

  ...and comment it out by putting a "#" at the beginning of the line:

    #sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd

  ...or simply remove the line from the file.

  # killall -HUP inetd

To remove the product from the system, perform the following command:

  # versions remove eoe.sw.xfsmserv

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
SGIAffected-08 Aug 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Last Stage of Delirium has reported this vulnerability in several public forums.

This document was written by Jeffrey S. Havrilla.

Other Information

  • CVE IDs: CAN-2002-0359
  • Date Public: 20 Jun 2002
  • Date First Published: 08 Aug 2002
  • Date Last Updated: 08 Aug 2002
  • Severity Metric: 10.53
  • Document Revision: 14

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.