SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Embedded Support Partner (IRIX) Vendors:   SGI (Silicon Graphics)
(ISS Issues Advisory) Re: SGI's IRIX Allows Remote Users to Execute Arbitrary Code on the Server with Root-Level Privileges Using the Embedded Support Partner (ESP) Application (Installed By Default on IRIX Systems)
SecurityTracker Alert ID:  1001547
SecurityTracker URL:  http://securitytracker.com/id/1001547
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 15 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.5.5 6.5.8
Description:   Internet Security Systems released an advisory for SGI's IRIX Embedded Support Partner application, warning that it contains a buffer overflow and can allow remote users to execute arbitrary code with root level privileges on the server.

A buffer overflow is reported in the rpc.espd component of the Embedded Support Partner (ESP) subsystem. ESP is apparently installed and enabled by default on all current SGI IRIX installations.

ESP is an application used for managing multiple SGI devices on a network.

Impact:   A remote user can execute arbitrary code with root level privileges on the server, thereby gaining root level access to the server.
Solution:   SGI recommends immediately disabling rpc.espd to prevent exposure before patches can be applied. SGI has made security patch 4123 available to address this vulnerability. See the Vendor URL for information on the patch.
Vendor URL:  www.sgi.com/support/security/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (SGI/IRIX)

Message History:   This archive entry is a follow-up to the message listed below.
May 9 2001 SGI's IRIX Allows Remote Users to Execute Arbitrary Code on the Server with Root-Level Privileges Using the Embedded Support Partner (ESP) Application (Installed By Default on IRIX Systems)



 Source Message Contents

Subject:  ISS Advisory: Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure


-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
May 9, 2001

Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner 
Infrastructure	

Synopsis:

of the Embedded Support Partner (ESP) subsystem. ESP is installed and 
enabled by default on all current SGI IRIX installations.  

Impact:

to execute arbitrary commands on a vulnerable host. A local account is 
not required to exploit this vulnerability.

Affected Versions:


Description:

ESP was developed by SGI to address the concerns of many system 
administrators who needed to manage large-scale SGI environments. ESP 
allows administrators better access to information regarding the state 
of all SGI devices on a network. It integrates and correlates system 
configuration management, event management, resource management, 
reporting, statistics generation and analysis as well as many other 
features.

ESP was first introduced in IRIX version 6.5.5. The ESP daemon, 
rpc.espd, contains a buffer overflow condition that may allow remote 
attackers to execute arbitrary commands with super user privileges on 
the target server. 


Recommendations:

SGI recommends immediately disabling rpc.espd to prevent exposure before
patches can be applied.  To disable rpc.espd:

1. Become the root user on the system.

                % /bin/su -
                Password:
                #

    
2. Change the permissions on the rpc.espd daemon.

                # /bin/chmod -x /usr/etc/rpc.espd

3. Restart inetd to kill any vulnerable running daemons.

                # /etc/killall -HUP inetd

4. Return to previous level.

                # exit
                %

SGI has made security patch 4123 available to address this 
vulnerability. SGI security patches can be found at: 
http://www.sgi.com/support/security.

ISS X-Force recommends that all unused daemons or services be disabled
to prevent exposure to both known and unknown vulnerabilities.

security assessment system, Internet Scanner, will have signatures 
available for this vulnerability in upcoming X-Press Updates.

Additional Information:

http://www.sgi.com/support/security/advisories.html
SGI Services and Support website:
http://www.sgi.com/support

SGI Services and Support, Security homepage:
http://www.sgi.com/support/security

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2001-0331 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardizes names for 
security problems. 

Credits:

This vulnerability was discovered and researched by Mark Dowd of ISS 
X-Force. Internet Security Systems would like to thank SGI for their 
response and handling of this vulnerability.

______

About Internet Security Systems (ISS) 
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and 
strategic consulting and education offerings, ISS is a trusted security 
provider to its customers, protecting digital assets and ensuring safe 
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and 
over 35 government agencies. Founded in 1994, ISS is headquartered in 
Atlanta, GA, with additional offices throughout North America and 
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security 
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express 
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please 
e-mail xforce@iss.net for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in 
connection with the use or spread of this information. Any use of this
information is at the user's own risk.


X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOwErXTRfJiV99eG9AQHdSwP/Xir9QRH69YGZnZJuWJLXWg1vXGgA+z41
clDzwo0B8FJgRo+VVz0MWCoMZgCQGDFf3o0JG1l+FFpiLNBnyo6c3KZLEEYTXsT+
sZp7wju1JbJvKkmp5aemREIrgjAIaG/laUNHnPyRak2URaWYDWsLbimLoaCTVxh+
3ildktReFF8=
=/dxQ
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC