SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#521147

SGI IRIX rpc.xfsmd uses weak authentication mechanism for RPC authentication

Overview

The XFS file system on SGI systems allows anonymous remote users to call xfs-related RPC functions.

I. Description

XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (rpc.xfsmd) on SGI systems uses the default AUTH_UNIX authentication mechanism (a client-based security option) for its RPC service. This means the rpc.xfsmd daemon trusts that the remote system calling its RPC interface has already authenticated the remote client process via standard UNIX user id mechanisms (i.e., if a daemon only allows UID 0 [root] access to its RPC interface, it trusts remote RPC clients to be running with UID 0 [root] privileges).

As a result, any remote system able to forge UID 0 in its RPC call to vulnerable SGI rpc.xfsmd daemons can bypass the RPC authentication mechanism altogether. When exploited in conjunction with VU#195371, this could lead to the execution of arbitrary commands on vulnerable SGI systems.

II. Impact

A remote attacker can bypass the default AUTH_UNIX authentication mechanism for this RPC service, allowing anonymous RPC function calls

III. Solution

SGI has reported they will not be providing a patch for this issue. Sites are strongly urged to disable the XFS daemon and related subsystems as soon as their service requirements permit.

Per SGI Security Advisory 20020606-02-I:

There is no effective workaround available for these problems.
SGI recommends either disabling or uninstalling the product.

To disable the product from running, perform the following steps:

  # killall /usr/etc/xfsmd
 # vi /etc/inetd.conf

  Look for a line in inetd.conf that looks like this:

    sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd

  ...and comment it out by putting a "#" at the beginning of the line:

    #sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd

  ...or simply remove the line from the file.

  # killall -HUP inetd

To remove the product from the system, perform the following command:

  # versions remove eoe.sw.xfsmserv

Systems Affected

VendorStatusDate NotifiedDate Updated
SGIVulnerable8-Aug-2002

References

http://www.kb.cert.org/vuls/id/195371
ftp://patches.sgi.com/support/free/security/advisories/20020606-02-I
http://www.securityfocus.com/bid/5075
http://www.iss.net/security_center/static/9401.php
http://oss.sgi.com/projects/xfs/
http://www.sgi.com/software/xfs/

Credit

Last Stage of Delirium has reported this vulnerability in several public forums.

This document was written by Jeffrey S. Havrilla.

Other Information

Date Public:2002-06-20
Date First Published:2002-08-08
Date Last Updated:2002-08-08
CERT Advisory: 
CVE-ID(s):CAN-2002-0359
NVD-ID(s):CAN-2002-0359
US-CERT Technical Alerts: 
Metric:10.53
Document Revision:14

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader