[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IRIX : WebSetup / WebMin Security Vulnerability on IRIX]]



> ______________________________________________________________________________
>                            SGI Security Advisory
> 
> Title    : WebSetup / WebMin Security Vulnerability
> Number   : 20030602-01-I
> Date     : June 9, 2003
> 
> Reference: SGI BUG 882560
> Reference: CVE CAN-2003-0101
> Fixed in : websetup v 3.5 package from IRIX 6.5.20 Applications CD
> ______________________________________________________________________________
> 
> SGI provides this information freely to the SGI user community for its
> consideration, interpretation, implementation and use.  SGI recommends that
> this information be acted upon as soon as possible.
> 
> SGI provides the information in this Security Advisory on an "AS-IS" basis
> only, and disclaims all warranties with respect thereto, express, implied
> or otherwise, including, without limitation, any warranty of merchantability
> or fitness for a particular purpose.  In no event shall SGI be liable for
> any loss of profits, loss of business, loss of data or for any indirect,
> special, exemplary, incidental or consequential damages of any kind arising
> from your use of, failure to use or improper use of any of the instructions
> or information in this Security Advisory.
> 
> __________________________________________________________________________
> 
> - -----------------------
> - --- Issue Specifics ---
> - -----------------------
> 
> It's been reported that IRIX's websetup package (which uses WebMin) has a
> security problem that allows unauthenticated remote access to Webmin.
> 
> For more information, see:
> http://www.webmin.com/updates.html
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0101
> 
> SGI has investigated the issue and recommends the following steps for
> neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
> implemented on ALL vulnerable SGI systems.
> 
> These issues have been corrected with the 6.5.20 webmin 1.070 package and
> in future releases of IRIX.
> 
> 
> - --------------
> - --- Impact ---
> - --------------
> 
> The websetup package is installed by default on IRIX 6.5 systems as
> "websetup.sw.eoe".
> 
> To determine the version of IRIX you are running, execute the following
> command:
> 
>   # /bin/uname -R
> 
> That will return a result similar to the following:
> 
>   # 6.5 6.5.19f
> 
> The first number ("6.5") is the release name, the second ("6.5.16f" in this
> case) is the extended release name.  The extended release name is the
> "version" we refer to throughout this document.
> 
> To see if websetup is installed, execute the following command:
> 
>   $ versions -b websetup
>   I = Installed, R = Removed
> 
>      Name                 Date        Description
>      I  websetup             11/19/2002  Web Setup and Administration, 3.4
> 
> If the result is similar to the above, then websetup is installed and the
> system may be vulnerable.
> 
> 
> - ----------------------------
> - --- Temporary Workaround ---
> - ----------------------------
> 
> There is no effective workaround available for these problems if you want to
> use the websetup package.  If you don't need it, then you can remove the
> package with "versions remove websetup". SGI recommends either upgrading to
> IRIX 6.5.20, or installing the websetup v 3.5 package from the listing below.
> 
> 
> - ----------------
> - --- Solution ---
> - ----------------
> 
> SGI has provided the websetup v3.5 package from IRIX 6.5.20 Apps CD for
> these  vulnerabilities. Our recommendation is to upgrade to IRIX 6.5.20
> when available, or install the upgraded websetup package.
> 
>    OS Version     Vulnerable?     Patch #      Other Actions
>    ----------     -----------     -------      -------------
>    IRIX 3.x        unknown                     Note 1
>    IRIX 4.x        unknown                     Note 1
>    IRIX 5.x        unknown                     Note 1
>    IRIX 6.0.x      unknown                     Note 1
>    IRIX 6.1        unknown                     Note 1
>    IRIX 6.2        unknown                     Note 1
>    IRIX 6.3        unknown                     Note 1
>    IRIX 6.4        unknown                     Note 1
>    IRIX 6.5          yes                       Notes 2 & 3
>    IRIX 6.5.1        yes                       Notes 2 & 3
>    IRIX 6.5.2        yes                       Notes 2 & 3
>    IRIX 6.5.3        yes                       Notes 2 & 3
>    IRIX 6.5.4        yes                       Notes 2 & 3
>    IRIX 6.5.5        yes                       Notes 2 & 3
>    IRIX 6.5.6        yes                       Notes 2 & 3
>    IRIX 6.5.7        yes                       Notes 2 & 3
>    IRIX 6.5.8        yes                       Notes 2 & 3
>    IRIX 6.5.9        yes                       Notes 2 & 3
>    IRIX 6.5.10       yes                       Notes 2 & 3
>    IRIX 6.5.11       yes                       Notes 2 & 3
>    IRIX 6.5.12       yes                       Notes 2 & 3
>    IRIX 6.5.13       yes                       Notes 2 & 3
>    IRIX 6.5.14       yes                       Notes 2 & 3
>    IRIX 6.5.15       yes                       Notes 2 & 3
>    IRIX 6.5.16       yes                       Notes 2 & 3
>    IRIX 6.5.17       yes                       Notes 2 & 3
>    IRIX 6.5.18       yes                       Notes 2 & 3
>    IRIX 6.5.19       yes                       Notes 2 & 3
>    IRIX 6.5.20        no
> 
>    NOTES
> 
>      1) This version of the IRIX operating has been retired. Upgrade to an
>         actively supported IRIX operating system.  See
>         http://support.sgi.com for more information.
> 
>      2) If you have not received a set of IRIX 6.5.X CDs for IRIX 6.5,
>         contact your SGI Support Provider or URL: http://support.sgi.com
> 
>      3) Upgrade to IRIX 6.5.20 (when available) or install the websetup v3.5
>         package from IRIX 6.5.20 Applications CD which can be downloaded
>         from ftp://patches.sgi.com/support/free/security/patches/6.5.20/
> 
> 
>              ##### Patch File Checksums ####
> 
> The actual patch will be a tar file containing the following files:
> 
> Filename:                 websetup
> Algorithm #1 (sum -r):    26123 4 websetup
> Algorithm #2 (sum):       11460 4 websetup
> MD5 checksum:             2803CC0DB06B007D719C674450B4C4DE
> 
> Filename:                 websetup.idb
> Algorithm #1 (sum -r):    04317 285 websetup.idb
> Algorithm #2 (sum):       54507 285 websetup.idb
> MD5 checksum:             DB9AE12627CC05B9287AFE901B5D0330
> 
> Filename:                 websetup.man
> Algorithm #1 (sum -r):    21757 63 websetup.man
> Algorithm #2 (sum):       30028 63 websetup.man
> MD5 checksum:             8C6842A415113FB95F5FE841C7DCF508
> 
> Filename:                 websetup.sw
> Algorithm #1 (sum -r):    31890 2992 websetup.sw
> Algorithm #2 (sum):       24739 2992 websetup.sw
> MD5 checksum:             E556C491FF079416650B4A7FF84AACC7
> 
> 
> - ------------------------
> - --- Acknowledgments ----
> - ------------------------
> 
> SGI wishes to thank FIRST and the users of the Internet Community at large
> for their assistance in this matter.
> 
> 
> - -------------
> - --- Links ---
> - -------------
> 
> SGI Security Advisories can be found at:
> http://www.sgi.com/support/security/ and
> ftp://patches.sgi.com/support/free/security/advisories/
> 
> SGI Security Patches can be found at:
> http://www.sgi.com/support/security/ and
> ftp://patches.sgi.com/support/free/security/patches/
> 
> SGI patches for IRIX can be found at the following patch servers:
> http://support.sgi.com/ and ftp://patches.sgi.com/
> 
> SGI freeware updates for IRIX can be found at:
> http://freeware.sgi.com/
> 
> SGI fixes for SGI open sourced code can be found on:
> http://oss.sgi.com/projects/
> 
> SGI patches and RPMs for Linux can be found at:
> http://support.sgi.com/
> 
> SGI patches for Windows NT or 2000 can be found at:
> http://support.sgi.com/
> 
> IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
> http://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/
> 
> IRIX 6.5 Maintenance Release Streams can be found at:
> http://support.sgi.com/
> 
> IRIX 6.5 Software Update CDs can be obtained from:
> http://support.sgi.com/
> 
> The primary SGI anonymous FTP site for security advisories and patches is
> patches.sgi.com.  Security advisories and patches are located under the URL
> ftp://patches.sgi.com/support/free/security/
> 
> For security and patch management reasons, ftp.sgi.com (mirrors
> patches.sgi.com security FTP repository) lags behind and does not do a
> real-time update.
> 
> 
> - -----------------------------------------
> - --- SGI Security Information/Contacts ---
> - -----------------------------------------
> 
> If there are questions about this document, email can be sent to
> security-info@sgi.com.
> 
>                       ------oOo------
> 
> SGI provides security information and patches for use by the entire SGI
> community.  This information is freely available to any person needing the
> information and is available via anonymous FTP and the Web.
> 
> The primary SGI anonymous FTP site for security advisories and patches is
> patches.sgi.com.  Security advisories and patches are located under the URL
> ftp://patches.sgi.com/support/free/security/
> 
> The SGI Security Headquarters Web page is accessible at the URL:
> http://www.sgi.com/support/security/
> 
> For issues with the patches on the FTP sites, email can be sent to
> security-info@sgi.com.
> 
> For assistance obtaining or working with security patches, please
> contact your SGI support provider.
> 
>                       ------oOo------
> 
> SGI provides a free security mailing list service called wiretap and
> encourages interested parties to self-subscribe to receive (via email) all
> SGI Security Advisories when they are released. Subscribing to the mailing
> list can be done via the Web
> (http://www.sgi.com/support/security/wiretap.html) or by sending email to
> SGI as outlined below.
> 
> % mail wiretap-request@sgi.com
> subscribe wiretap <YourEmailAddress such as aaanalyst@sgi.com >
> end
> ^d
> 
> In the example above, <YourEmailAddress> is the email address that you wish
> the mailing list information sent to.  The word end must be on a separate
> line to indicate the end of the body of the message. The control-d (^d) is
> used to indicate to the mail program that you are finished composing the
> mail message.
> 
> 
>                       ------oOo------
> 
> SGI provides a comprehensive customer World Wide Web site. This site is
> located at http://www.sgi.com/support/security/ .
> 
>                       ------oOo------
> 
> If there are general security questions on SGI systems, email can be sent to
> security-info@sgi.com.
> 
> For reporting *NEW* SGI security issues, email can be sent to
> security-alert@sgi.com or contact your SGI support provider.  A support
> contract is not required for submitting a security report.
> 
> ______________________________________________________________________________
>       This information is provided freely to all interested parties
>       and may be redistributed provided that it is not altered in any
>       way, SGI is appropriately credited and the document retains and
>       includes its valid PGP signature.
>